Rename field with dynamic name

I'm ingesting snmptraps from a Cisco wireless LAN controller and some of the extracted field names have a partially dynamic value. One example is below.

I need to rename the field below simply to cLApName as anything after that value is dynamic and changes per controller and per SSID. I've tried doing a simple .* in the rename function but it does not appear to work. Any help would be appreciated.

rename => { "CISCO-LWAPP-AP-MIB::cLApName.*" => "cLApName" }


I'm not 100% sure, but I think regular expressions aren't supported for these operations. You could loop through the event fields with ruby, check the names and rename the field by setting a new field and deleting the old one, if it matches your criteria.

Thanks! I got this working perfectly with some Ruby.

ruby {
  code => "
        keys = event.to_hash.keys
            if ( key =~ /cLApName/ ||  key =~ /airespace.
              event.set('cLApName', event.remove(key))

            elsif ( key =~ /cldcClientEntry.28/ || key =~ /cldcClientSSID/ )
              event.set('cldcClientSSID', event.remove(key))

            elsif ( key =~ /cldcClientEntry.27/ || key =~ /airespace.
              event.set('cldcClientUsername', event.remove(key))

            elsif ( key =~ /bsnStationMacAddress/ || key =~ /cldcClientMacAddress/)
              event.set('cldcClientMacAddress', event.remove(key))

            elsif ( key =~ /cldcClientEntry.10/ )
              event.set('cldcClientIP', event.remove(key))

            elsif ( key =~ /cLApRogueApMacAddress/ )
              event.set('cLApRogueApMacAddress', event.remove(key))
            elsif ( key =~ /cLApRogueApSsid/ )
              event.set('cLApRogueApSsid', event.remove(key))
            elsif ( key =~ /cLApRogueDetectedChannel/ )
              event.set('cLApRogueDetectedChannel', event.remove(key))
            elsif ( key =~ /cLApRSSI/ )
              event.set('cLApRSSI', event.remove(key))
            elsif ( key =~ /cLApSNR/ )
              event.set('cLApSNR', event.remove(key))


    rescue Exception => e
        event.set('logstash_ruby_exception', e.message)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.