Snmp grok filter failure

liqinnetgain · July 15, 2019, 12:33pm

Here's my line
iso.3.6.1.4.1.2440.1.11.2.4.8.0 = Counter64: 0
And the filter
input {
stdin {}
}

    input {
      snmp {
        get => ["1.3.6.1.4.1.2440.1.11.2.4.8.0"]
        hosts => [{host => "udp:10.0.10.108/161" community => "public" version => "2c"  retries => 2  timeout=> 1000}]
        interval => 10
      }
    }

    filter {
    grok {
        match => {
          "message" => "[iso].*? .*? %{NUMBER}"
        }
        overwrite => ["message"]
      }
    }

output {
  stdout {
    codec => rubydebug
  }
}

I tested in the debugger and seems everything is fine
but when I run
sudo /usr/share/logstash/bin/logstash -f test-s.conf
Cannot filter with _grokparsefailure
{
"@timestamp" => 2019-07-15T12:31:19.301Z,
"host" => "10.0.10.108",
"tags" => [
[0] "_grokparsefailure"
],
"@version" => "1",
"iso.org.dod.internet.private.enterprises.2440.1.11.2.4.8.0" => 0
}

Badger · July 15, 2019, 2:15pm

What are you hoping that will do?

liqinnetgain · July 15, 2019, 7:59pm

I hope the result be like
{
"@timestamp" => 2019-07-15T14:09:24.960Z,
"host" => "10.0.10.108",
"@version" => "1",
"snmpdata" => 0
}

Badger · July 15, 2019, 8:13pm

So you want to rename a field from iso.org.dod.internet.private.enterprises.2440.1.11.2.4.8.0 to snmpdata, is that correct?

liqinnetgain · July 15, 2019, 8:16pm

I want to split the message into two parts
{oid: iso.anyoid
value: snmpvalue
}

Badger · July 15, 2019, 8:32pm

Interesting, normally people want to do the opposite of that. You can do it using a ruby filter. If there will ever be more than one piece of data you could use

    ruby {
        code => '
            a = []
            event.to_hash.each { |k, v|
                if k.start_with?("iso.org.dod.internet") then
                    h = Hash.new
                    h["oid"] = k
                    h["snmpdata"] = v
                    a << h
                    event.remove(k)
                end
            }
            event.set("someField", a)
        '
    }

If you know there will only be one then take the array out of it and use the hash in event.set

liqinnetgain · July 15, 2019, 8:36pm

@Badger Thanks for your help. I'll try to use ruby filter as there might be some calcualtion of the value and the OID would be different.

system · August 12, 2019, 8:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.