Parse SNMP table data

Sketchy · April 5, 2020, 7:45am

I am experimenting moving some snmp monitoring from telegraf to logstash snmp imput but having some problems with the layout of the output and cant figure out how to efficiently parse this into a useful format.

Currently my output looks like this when using the tables query and selecting the columns I want.

{
       "ifTable" => [
        [ 0] {
                 "ifDescr" => "lo",
             "ifOutOctets" => 1579659027,
              "ifInOctets" => 1579659027,
            "ifOperStatus" => 1,
                   "index" => "1"
        },
        [ 1] {
                 "ifDescr" => "ipsec0",
             "ifOutOctets" => 0,
              "ifInOctets" => 0,
            "ifOperStatus" => 1,
                   "index" => "2"
        },
        [ 2] {
                 "ifDescr" => "sit0",
             "ifOutOctets" => 0,
              "ifInOctets" => 0,
            "ifOperStatus" => 2,
                   "index" => "3"
        },
        [ 3] {
                 "ifDescr" => "ip6tnl0",
             "ifOutOctets" => 0,
              "ifInOctets" => 0,
            "ifOperStatus" => 2,
                   "index" => "4"
        },
        [ 4] {
                 "ifDescr" => "PortE0",
             "ifOutOctets" => 267486371,
              "ifInOctets" => 132144834,
            "ifOperStatus" => 1,
                   "index" => "5"
        },

I need to be able to efficiently filter/remove the interfaces I don't need, I have tried it a few different ways but cant get the result I am looking for.

I want it to look something like this.

"interfaces" : {
    "lo" {
       "ifOutOctets" => 1579659027,
       "ifInOctets" => 1579659027,
       "ifOperStatus" => 1,
        "index" => "1"
       }
    "ipsec0" {
        "ifOutOctets" => 0,
         "ifInOctets" => 0,
         "ifOperStatus" => 1,
         "index" => "2"
       }

Any help with getting this data into a more workable format would be great.

Badger · April 5, 2020, 1:49pm

You could do that in ruby. I haven't tested it, but something like

ruby {
    code => '
        h = {}
        event.get("ifTable").each { |x|
            k = [x]["ifDescr"]
            x.delete("ifDescr")
            h[k] = x
        }
        event.set("interfaces", h)
    '
 }

I am not sure what the conditions for including or excluding interfaces are. Perhaps add something like

if [ "lo", "ipsec0" ].include? (k) {
}

around the insertion into h.

Sketchy · April 5, 2020, 3:17pm

Hi Badger thanks for that, ruby code is bit above my skillset at the moment but I can kind of see what we are doing here. However I get this ruby exception.

Ruby exception occurred: no implicit conversion of String into Integer

Badger · April 5, 2020, 4:15pm

Make that

k = x["ifDescr"]

Sketchy · April 5, 2020, 10:36pm

That did it, thanks so much badger your a real life saver.

system · May 3, 2020, 10:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.