[SOLVED] SNMP trap input plugin

def · June 23, 2016, 6:49am

Hello,

I have a question :

Is it possible to limit the fields value for the output in logstash?

I'm using SNMP trap and I have a lot of different type of MIB, so I have a lot of indexed fields in Kibana and after few days, elasticsearch is not responding because there is a timeout.

Here is a view from kibana (show the number of fields) :

Here is my configuration for logstash :

input {
    snmptrap {
        type => snmptrap
        port => 1062
        codec => "json"
        yamlmibdir => "/opt/logstash/vendor/bundle/jruby/1.9/gems/snmp-1.2.0/data/ruby/snmp/mibs"
    }
}
filter {
    ruby {
        code => "event.to_hash.keys.each { |k| event[ k.gsub('.','_') ] = event.remove(k) if k.include?'.' }"
     }
}output {
    elasticsearch {
        hosts => ['localhost:9200']
    }
}

I have add a mutate part in the filter like this :

mutate {
gsub => [ "message", "RFC1065-SMI::enterprises_23916_3_1_4_1_11_[0-9]+", "RFC1065-SMI::enterprises_23916_3_1_4_1_11" ]
}

But it still doesn't work. Is there something wrong?

magnusbaeck · June 30, 2016, 6:23pm

Your mutate filter's gsub option acts on the contents of a field, but you want to rename the fields themselves and there's no stock filter for that. I think you need to write a small snippet of Ruby in a ruby filter to accomplish what you want.

def · July 4, 2016, 8:31am

hello Magnus,

I have try to use ruby for that, but after a lot of tries I can remove the event, but I have not found how to rename a field name.

In this example, I have a field name like this :
DOCS-CABLE-DEVICE-MIB::docsDevEvId_72186
and I liked to have a :
DOCS-CABLE-DEVICE-MIB::docsDevEvId

I'm am new in Ruby, does Roby have a method rename or updateKey, or something else to do what I want?

Here is my solution for delete the event, but it is not my expected result

     event.to_hash.keys.each { |k|
        if k.start_with?('DOCS-CABLE-DEVICE-MIB::docsDevEvId')
            event.remove(k)
        end};

def · July 5, 2016, 11:32am

Hello,

I have a solution for my problem : I use pysnmp and a python program to remove values in fields.

I receive all SNMP trap with this program and simply forward them to logstash after processing.

So I can make better information and I have implemented an alarming when some SNMP trap are received.

Thanks for help.