Parse SNMP table data

Sketchy · April 5, 2020, 7:45am

I am experimenting moving some snmp monitoring from telegraf to logstash snmp imput but having some problems with the layout of the output and cant figure out how to efficiently parse this into a useful format.

Currently my output looks like this when using the tables query and selecting the columns I want.

{
       "ifTable" => [
        [ 0] {
                 "ifDescr" => "lo",
             "ifOutOctets" => 1579659027,
              "ifInOctets" => 1579659027,
            "ifOperStatus" => 1,
                   "index" => "1"
        },
        [ 1] {
                 "ifDescr" => "ipsec0",
             "ifOutOctets" => 0,
              "ifInOctets" => 0,
            "ifOperStatus" => 1,
                   "index" => "2"
        },
        [ 2] {
                 "ifDescr" => "sit0",
             "ifOutOctets" => 0,
              "ifInOctets" => 0,
            "ifOperStatus" => 2,
                   "index" => "3"
        },
        [ 3] {
                 "ifDescr" => "ip6tnl0",
             "ifOutOctets" => 0,
              "ifInOctets" => 0,
            "ifOperStatus" => 2,
                   "index" => "4"
        },
        [ 4] {
                 "ifDescr" => "PortE0",
             "ifOutOctets" => 267486371,
              "ifInOctets" => 132144834,
            "ifOperStatus" => 1,
                   "index" => "5"
        },

I need to be able to efficiently filter/remove the interfaces I don't need, I have tried it a few different ways but cant get the result I am looking for.

I want it to look something like this.

"interfaces" : {
    "lo" {
       "ifOutOctets" => 1579659027,
       "ifInOctets" => 1579659027,
       "ifOperStatus" => 1,
        "index" => "1"
       }
    "ipsec0" {
        "ifOutOctets" => 0,
         "ifInOctets" => 0,
         "ifOperStatus" => 1,
         "index" => "2"
       }

Any help with getting this data into a more workable format would be great.

Badger · April 5, 2020, 1:49pm

You could do that in ruby. I haven't tested it, but something like

ruby {
    code => '
        h = {}
        event.get("ifTable").each { |x|
            k = [x]["ifDescr"]
            x.delete("ifDescr")
            h[k] = x
        }
        event.set("interfaces", h)
    '
 }

I am not sure what the conditions for including or excluding interfaces are. Perhaps add something like

if [ "lo", "ipsec0" ].include? (k) {
}

around the insertion into h.

Sketchy · April 5, 2020, 3:17pm

Hi Badger thanks for that, ruby code is bit above my skillset at the moment but I can kind of see what we are doing here. However I get this ruby exception.

Ruby exception occurred: no implicit conversion of String into Integer

Badger · April 5, 2020, 4:15pm

Make that

k = x["ifDescr"]

Sketchy · April 5, 2020, 10:36pm

That did it, thanks so much badger your a real life saver.

system · May 3, 2020, 10:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Own Output for SNMP Get Values in Logstash Logstash	3	407	August 13, 2023
SNMP input, table index becomes separated Logstash	1	17	October 3, 2024
SNMP map Values to Router Interface Logstash	1	324	April 16, 2020
Help to parse snmp inpunt Logstash	2	789	November 23, 2018
Logstash snmp output Logstash	5	886	June 24, 2020

Parse SNMP table data

Related topics