Greetings,
I'm currently feeding SNMP traps into my ELK stack and have run into a problem with the translated OIDs when trying to query them in a watch.
The watch in question:
/_watcher/watch/test_event
{
  "trigger": {
    "schedule": {
      "interval": "60s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "logstash-*"
        ],
        "search_type": "query_then_fetch",
        "body": {
          "query": {
            "filtered": {
              "query": {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "message": "test"
                      }
                    }
                  ]
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "{{ctx.trigger.scheduled_time}}||-60s",
                    "to": "{{ctx.trigger.triggered_time}}"
                  }
                }
              }
            }
          },
          "fields": [
            "RFC1213-MIB::sysName.0",
            "FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0",
            "FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0",
            "DISMAN-EXPRESSION-MIB::sysUpTimeInstance",
            "@timestamp"
          ],
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "throttle_period": "60s",
  "condition": {
    "script": {
      "inline": "ctx.payload.hits.size() > 0 "
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "receiving@gmail.com",
        "subject": " Watcher Notification - Event: {{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0}} ON DEVICE: {{ctx.payload.hits.hits.0.fields.RFC1213-MIB::sysName.0}} SRC IP: {{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0}} AT: {{ctx.trigger.triggered_time}} UTC",
        "body": {
          "html": "<HTML><b>Trigger time: </b>{{ctx.trigger.triggered_time}} UTC<br><b>Event: </b>{{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0}}<br><b>Device: </b>{{ctx.payload.hits.hits.0.fields.RFC1213-MIB::sysName.0}}<br><b>Src IP: </b>{{ctx.payload.hits.hits.0.fields.FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0}}<br><b>Uptime: </b>{{ctx.payload.hits.hits.0.fields.DISMAN-EXPRESSION-MIB::sysUpTimeInstance}}</HTML>"
        }
      }
    }
  }
}
As you can see, some of the OIDs are being translated into fields ending with ".0".
For example:
FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0
Only the fields ending in ".0" remain empty. ctx.payload.hits.hits.0.fields.DISMAN-EXPRESSION-MIB::sysUpTimeInstance gives me the correct output. To me it seems like the ".0" is part of the OID, but the "." is being treated as another divider, like the "." in ctx.payload.
Is there a way to escape the "."?
I tried:
FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0
But that gives me the following error:
nested: JsonParseException[Unrecognized character escape '.' (code 46)\n at [Source: [B@60a0bd4; line: 39, column: 36]]; ","status":500}
Edit:
Double escaping like below does not work either.
FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg\.0
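An added illustration of the behaviour described in this post (example code, not part of the original post and not Watcher's own template engine): a minimal dotted-path walk over a constructed copy of the watch payload. It splits on every ".", so the trailing ".0" in the translated OID name becomes a lookup for a key named "0" inside a string, while the dot-free sysUpTimeInstance name resolves fine. The payload values are constructed sample data.

```python
from typing import Any, Optional

# Constructed sample of the ctx a search-input watch sees: one hit whose
# "fields" block carries the same names as the watch's "fields" list.
SAMPLE_CTX = {
    "ctx": {
        "payload": {
            "hits": {
                "hits": [
                    {
                        "fields": {
                            "RFC1213-MIB::sysName.0": ["fw-edge-01"],
                            "FORTINET-FORTIGATE-MIB::fgIpsTrapSigMsg.0": ["test signature"],
                            "FORTINET-FORTIGATE-MIB::fgIpsTrapSrcIp.0": ["198.51.100.7"],
                            "DISMAN-EXPRESSION-MIB::sysUpTimeInstance": ["123456"],
                        }
                    }
                ]
            }
        }
    }
}


def resolve_dotted(root: Any, path: str) -> Optional[Any]:
    """Walk `path` one dot-separated segment at a time, the way a dotted
    template name such as ctx.payload.hits.hits.0.fields.X is resolved.
    Numeric segments index into lists. Returns None when any segment is missing."""
    node = root
    for segment in path.split("."):
        if isinstance(node, dict):
            if segment not in node:
                return None
            node = node[segment]
        elif isinstance(node, list):
            if not segment.isdigit() or int(segment) >= len(node):
                return None
            node = node[int(segment)]
        else:
            # Reached a leaf (e.g. a string) with segments still left over:
            # this is what happens to the ".0" of fgIpsTrapSigMsg.0.
            return None
    return node


def resolve_with_literal_key(root: Any, container_path: str, key: str) -> Optional[Any]:
    """Resolve the container with dotted semantics, then look the field name up
    literally, so a '.' inside the name is not treated as a separator."""
    container = resolve_dotted(root, container_path)
    if not isinstance(container, dict):
        return None
    return container.get(key)
```

Only the container path is walked dot by dot in the second helper; the field name itself is used as one opaque key, which is the distinction the watch templates cannot express.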