Hi all,
I'm trying to extract key/value data from SNMP trap data logged to my Splunk server. I have snmptrapd running in the background and logging to a file, which Splunk is monitoring. All that is working great. The data that makes it into Splunk looks like this:
2016-08-22 12:42:21 10.192.2.110 [UDP: [10.192.2.110]:32771->[10.10.15.76]]:
sysUpTimeInstance = 80:20:41:00.00 snmpTrapOID.0 = ciscoLwappDot11ClientMIBNotifs.2 cldcClientMacAddress.'......' = d4:b:1a:92:fc:8b cldcClientWlanProfileName.'......' = SSID cldcClientEntry.'......'.139 = 10.64.97.246 cldcApMacAddress.'......' = 58:f3:9c:c8:55:20 cldcClientEntry.'......'.139 = 0 cldcClientEntry.'......'.139 = 396
I'm trying to use the kv command like this: ... | kv pairdelim="\t" kvdelim=" = " which grabs some of the fields, but I think the problem is that there's extra SNMP variable data that I need to get rid of. With the example above I get a key of "cldcClientEntry_________139" and a value of "10.64.97.246", but what I want to get is a key of "cldcClientEntry" and a value of "10.64.97.246", so I think I need some way to stop matching the key as soon as it hits a period, but I'm not quite sure where/how to do that. Any suggestions?
Thanks,
Brian
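As an added example (not from the original post or from Splunk), the parser below shows the "stop the key at the first period" rule applied to a constructed snmptrapd line modelled on the one above: each varbind is split on the tab delimiter, the object name is taken up to the first period so the instance suffix (`.'......'.139`) is dropped, and repeated objects such as cldcClientEntry keep every value instead of overwriting each other. The header regex assumes the `[UDP: [src]:port->[dst]]:` layout shown in the question.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the snmptrapd log lines in the question.
# snmptrapd separates varbinds with tabs, matching the kv pairdelim="\t" above.
SAMPLE_TRAP = (
    "2016-08-22 12:42:21 10.192.2.110 [UDP: [10.192.2.110]:32771->[10.10.15.76]]:\n"
    "sysUpTimeInstance = 80:20:41:00.00\t"
    "snmpTrapOID.0 = ciscoLwappDot11ClientMIBNotifs.2\t"
    "cldcClientMacAddress.'......' = d4:b:1a:92:fc:8b\t"
    "cldcClientWlanProfileName.'......' = SSID\t"
    "cldcClientEntry.'......'.139 = 10.64.97.246\t"
    "cldcApMacAddress.'......' = 58:f3:9c:c8:55:20\t"
    "cldcClientEntry.'......'.139 = 0\t"
    "cldcClientEntry.'......'.139 = 396\n"
)

# Header: "<date> <time> <agent> [<transport>: [<src>]:<sport>->[<dst>]]:"
HEADER_RE = re.compile(
    r"^(\S+ \S+) (\S+) \[(\w+): \[([^\]]+)\]:(\d+)->\[([^\]]+)\]\]:$"
)
# Varbind: bare object name, then an optional instance suffix that starts
# with the first '.', then " = " and the value. Only the bare name is kept.
VARBIND_RE = re.compile(r"^([A-Za-z][\w-]*)(?:\.[^=]*?)?\s*=\s*(.*)$")


def parse_trap(text):
    """Return (header, varbinds) for one snmptrapd log record.

    header maps time/agent/transport/src/sport/dst; varbinds maps each bare
    object name to the list of values seen, in order, so repeated objects
    (cldcClientEntry appears three times) are all preserved.
    """
    header_line, varbind_line = text.strip().split("\n", 1)
    header = {}
    m = HEADER_RE.match(header_line)
    if m:
        header = {"time": m.group(1), "agent": m.group(2), "transport": m.group(3),
                  "src": m.group(4), "sport": int(m.group(5)), "dst": m.group(6)}
    varbinds = defaultdict(list)
    for token in varbind_line.split("\t"):
        vm = VARBIND_RE.match(token.strip())
        if vm:  # tokens that are not "name = value" are skipped, not guessed at
            varbinds[vm.group(1)].append(vm.group(2).strip())
    return header, dict(varbinds)


if __name__ == "__main__":
    hdr, vbs = parse_trap(SAMPLE_TRAP)
    print(hdr["agent"], vbs["cldcClientEntry"])  # 10.192.2.110 ['10.64.97.246', '0', '396']
```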