Rename field with dynamic name

jasonyates · April 24, 2018, 9:25am

I'm ingesting snmptraps from a Cisco wireless LAN controller and some of the extracted field names have a partially dynamic value. One example is below.

I need to rename the field below simply to cLApName as anything after that value is dynamic and changes per controller and per SSID. I've tried doing a simple .* in the rename function but it does not appear to work. Any help would be appreciated.

rename => { "CISCO-LWAPP-AP-MIB::cLApName.*" => "cLApName" }

"CISCO-LWAPP-AP-MIB::cLApName.0.66.104.41.94.208":"mysite-wap112",

Jenni · April 24, 2018, 9:51am

I'm not 100% sure, but I think regular expressions aren't supported for these operations. You could loop through the event fields with ruby, check the names and rename the field by setting a new field and deleting the old one, if it matches your criteria.

jasonyates · April 24, 2018, 10:53am

Thanks! I got this working perfectly with some Ruby.

ruby {
  code => "
    begin
        keys = event.to_hash.keys
        keys.each{|key|
            if ( key =~ /cLApName/ ||  key =~ /airespace.2.2.1.1.3.0/)
              event.set('cLApName', event.remove(key))

            elsif ( key =~ /cldcClientEntry.28/ || key =~ /cldcClientSSID/ )
              event.set('cldcClientSSID', event.remove(key))

            elsif ( key =~ /cldcClientEntry.27/ || key =~ /airespace.2.6.2.39.0/)
              event.set('cldcClientUsername', event.remove(key))

            elsif ( key =~ /bsnStationMacAddress/ || key =~ /cldcClientMacAddress/)
              event.set('cldcClientMacAddress', event.remove(key))

            elsif ( key =~ /cldcClientEntry.10/ )
              event.set('cldcClientIP', event.remove(key))

            elsif ( key =~ /cLApRogueApMacAddress/ )
              event.set('cLApRogueApMacAddress', event.remove(key))
            elsif ( key =~ /cLApRogueApSsid/ )
              event.set('cLApRogueApSsid', event.remove(key))
            elsif ( key =~ /cLApRogueDetectedChannel/ )
              event.set('cLApRogueDetectedChannel', event.remove(key))
            elsif ( key =~ /cLApRSSI/ )
              event.set('cLApRSSI', event.remove(key))
            elsif ( key =~ /cLApSNR/ )
              event.set('cLApSNR', event.remove(key))
            end

        }

    rescue Exception => e
        event.set('logstash_ruby_exception', e.message)
    end
    "
}

system · May 22, 2018, 10:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.