How can I strip off everything after the . in my fields. Using SNMP the field names a very dynamic across devices and interfaces.
ifDescr.27 to IfDescr
ifInOctects.50 to IfInOctects
IfInErrors.19 to IfInErrors
You would have to do it in a ruby filter. This is an example of using ruby to modify field names.
Yeah, i've gotten that far. I've got this put together but doesn't seem to work.
ruby {
code => "
begin
keys = event.to_hash.keys
keys.each{ |key|
if ( key =~ /ifDescr/ )
event.set('ifDescr', event.remove(key))
elsif ( key =~ /ifInDiscards/ )
event.set('ifInDiscards', event.remove(key))
elsif ( key =~ /ifInErrors/ )
event.set('ifInErrors', event.remove(key))
elsif ( key =~ /ifInOctects/ )
event.set('ifInOctects', event.remove(key))
elsif ( key =~ /ifOperStatus/ )
event.set('ifOperStatus', event.remove(key))
elsif ( key =~ /ifOutDiscards/ )
event.set('ifOutDiscards', event.remove(key))
elsif ( key =~ /ifOutErrors/ )
event.set('ifOutErrors', event.remove(key))
elsif ( key =~ /ifOutErrors/ )
event.set('ifOutErrors', event.remove(key))
elsif ( key =~ /ifOutOctects/ )
event.set('ifOutOctects', event.remove(key))
elsif ( key =~ /sysName/ )
event.set('sysName', event.remove(key))
end
}
rescue Exception => e
event.set('logstash_ruby_exception', e.message)
end
"
}
Try
ruby {
code => '
event.to_hash.each { |k, v|
if k =~ /^(ifDescr|ifInDiscards|ifInErrors|ifInOctects|ifOperStatus|ifOutDiscards|ifOutErrors|ifOutErrors|ifOutOctects)/
newk = k.gsub(/\.[0-9]+$/, "")
event.set(newk, v)
event.remove(k)
end
}
'
}
The if statement is probably optional.
That worked more or less. I had to do a little debugging and fix my mappings.
Thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.