Own Output for SNMP Get Values in Logstash

Hello,

I have the following Logstash config

input {
  snmp {
    # Device to poll. "IP" is a placeholder for the target address.
    # Security note: SNMP v1/v2c sends the community string unencrypted, and
    # "public" is the widely known default. For anything beyond a lab, use a
    # non-default read-only community, restrict SNMP on the device to the
    # Logstash host, or move to version "3" with the plugin's security_name,
    # auth_protocol/auth_pass, priv_protocol/priv_pass and security_level options.
    hosts => [
      {
        host => "udp:IP/161"
        community => "public"
        version => "2c"
        retries => 2
        timeout => 1000
      }
    ]

    # Scalar OIDs fetched once per poll. They land as top-level fields named
    # iso.org.dod.internet.private.enterprises.9.9.* (see the sample output).
    get => [
      ".1.3.6.1.4.1.9.9.48.1.1.1.5.2",
      ".1.3.6.1.4.1.9.9.109.1.1.1.1.5.1",
      ".1.3.6.1.4.1.9.9.48.1.1.1.5.1"
    ]

    # Interface table columns: ifIndex, ifDescr, ifHCInOctets, ifHCOutOctets
    # (names as they appear in the rename section of the filter).
    tables => [
      {
        "name" => "interfaces"
        "columns" => [
          "1.3.6.1.2.1.2.2.1.1",
          "1.3.6.1.2.1.2.2.1.2",
          "1.3.6.1.2.1.31.1.1.1.6",
          "1.3.6.1.2.1.31.1.1.1.10"
        ]
      }
    ]

    tags => [ "snmp" ]
  }
}

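filter {
  # Emit one event per row of the "interfaces" table. Each new event is a copy
  # of the whole original event, so every other top-level field, including the
  # scalar values from `get`, is repeated on each per-interface event.
  split {
    field => "interfaces"
  }

  # Lift the per-row columns to short top-level names.
  mutate {
    rename => {
      "[interfaces][index]" => "index"
      "[interfaces][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifIndex]" => "ifIndex"
      "[interfaces][iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifDescr]" => "ifDescr"
      "[interfaces][iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets]" => "ifHCInOctets"
      "[interfaces][iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets]" => "ifHCOutOctets"
    }
  }

  # Convert the counters under the names they actually carry after the rename.
  # The original listed "ifInOctets"/"ifOutOctets", which no earlier step
  # creates, so that conversion matched nothing and silently did nothing.
  mutate {
    convert => {
      "ifHCInOctets" => "integer"
      "ifHCOutOctets" => "integer"
    }
  }

  # Drop the now-empty table container and the Logstash bookkeeping field.
  mutate {
    remove_field => [ "interfaces", "@version" ]
  }
}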

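# Print every event to the console in rubydebug form for testing.
# The closing brace of the output section was missing in the original paste.
output {
  stdout {
    codec => rubydebug
  }
}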


The config itself works, but when I run it as a test, the output of the get is added to every interface event, for example:

{
                                                      "@timestamp" => 2023-07-14T20:25:24.619586115Z,
                                                           "index" => "30",
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.1" => 173542416,
    "iso.org.dod.internet.private.enterprises.9.9.109.1.1.1.1.5.1" => 15,
                                                         "ifDescr" => "Virtual-Access1",
                                                    "ifHCInOctets" => 0,
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.2" => 17675040,
                                                            "host" => {
        "ip" => "172.16.0.254"
    },
                                                            "tags" => [
        [0] "snmp"
    ],
                                                   "ifHCOutOctets" => 0,
                                                         "ifIndex" => 30
}
{
                                                      "@timestamp" => 2023-07-14T20:25:24.619586115Z,
                                                           "index" => "31",
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.1" => 173542416,
    "iso.org.dod.internet.private.enterprises.9.9.109.1.1.1.1.5.1" => 15,
                                                         "ifDescr" => "Virtual-Access2",
                                                    "ifHCInOctets" => 195300854095,
       "iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.2" => 17675040,
                                                            "host" => {
        "ip" => "172.16.0.254"
    },
                                                            "tags" => [
        [0] "snmp"
    ],
                                                   "ifHCOutOctets" => 12702042208,
                                                         "ifIndex" => 31
}

Is there a way to have the SNMP values from the get command written only once, as their own fields, or is this not possible and I have to create a second file with the get values?

I hope it is clear what I am trying to do.

Thank you for your help.

Hi,
You can use add_field in the input section.

input {
  snmp {
    # Target device; "IP" is a placeholder.
    # Security note: the v2c community string crosses the network unencrypted
    # and "public" is the well-known default. Prefer a non-default read-only
    # community with device-side access restrictions, or version "3" with
    # authentication and privacy configured.
    hosts => [
      {
        host => "udp:IP/161"
        community => "public"
        version => "2c"
        retries => 2
        timeout => 1000
      }
    ]

    # Scalar OIDs, returned as top-level fields on the event.
    get => [
      ".1.3.6.1.4.1.9.9.48.1.1.1.5.2",
      ".1.3.6.1.4.1.9.9.109.1.1.1.1.5.1",
      ".1.3.6.1.4.1.9.9.48.1.1.1.5.1"
    ]

    # Interface table, returned as an array under "interfaces".
    tables => [
      {
        name => "interfaces"
        columns => [
          "1.3.6.1.2.1.2.2.1.1",
          "1.3.6.1.2.1.2.2.1.2",
          "1.3.6.1.2.1.31.1.1.1.6",
          "1.3.6.1.2.1.31.1.1.1.10"
        ]
      }
    ]

    # Copy two of the `get` results into shorter field names.
    # NOTE(review): both source OIDs are scalar `get` values from the
    # enterprises.9.9.48 subtree, not interface-table columns, so the
    # "ifHC...Octets_get" names may mislead readers of the index. Confirm the
    # intended names. The %{...} references are expanded as text, so the new
    # fields presumably hold strings rather than numbers; verify the type
    # before graphing them.
    add_field => {
      "ifHCInOctets_get" => "%{iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.1}"
      "ifHCOutOctets_get" => "%{iso.org.dod.internet.private.enterprises.9.9.48.1.1.1.5.2}"
    }

    tags => [ "snmp" ]
  }
}

Thank you for your response. I have tested it now, and it seems that everything is written to one field, for example interfaces.iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCInOctets or interfaces.iso.org.dod.internet.mgmt.mib-2.ifMIB.ifMIBObjects.ifXTable.ifXEntry.ifHCOutOctets.
I would like this information to be split into separate fields, because I then want to visualize it in Grafana.
I have added a screenshot from Kibana showing how it looks with your config:

I have added a screenshot of the result with my config, which is how I want it to look, but the SNMP get values are always added to each output event when the split filter is enabled.

I hope it is now clearer how I want it to look, and whether this is possible in one config.

Thank you.
