hi All,
Can someone help me to parse the fields either at indexing or through searches. Splunk detects the default fields as enterprises.48099.1.1.1/enterprises.48099.1.1.2 etc., . but we only need the value inside the quotations like below.
enterprises.48099.1.1.2 = STRING: "Monitoring error (SQL Server data collection)". But we need field as below:
field1 = Monitoring error (SQL Server data collection)
Sample Data:
2019-10-01 21:05:24 monspk-sqlmon-01.local [UDP: [111.12.171.01]:64274->[111.12.171.55]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (0) 0:00:00.00 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.48099.1.1 SNMPv2-SMI::enterprises.48099.1.1.1 = STRING: "2360689" SNMPv2-SMI::enterprises.48099.1.1.2 = STRING: "Monitoring error (SQL Server data collection)" SNMPv2-SMI::enterprises.48099.1.1.3 = STRING: "SQL Monitor cannot collect data from the SQL Server instance." SNMPv2-SMI::enterprises.48099.1.1.4 = STRING: "2019-10-01 19:05:00Z" SNMPv2-SMI::enterprises.48099.1.1.5 = STRING: "Low" SNMPv2-SMI::enterprises.48099.1.1.6 = STRING: "monspk-sql8-bi01" SNMPv2-SMI::enterprises.48099.1.1.7 = STRING: "https://monspk-sqlmon-01.local:8443/show/alert/2360689?baseMonitorId=288e5411-856f-4661-97c1-3c6cc8b5d16c" SNMPv2-SMI::enterprises.48099.1.1.8 = STRING: "Raised" SNMPv2-SMI::enterprises.48099.1.1.9 = "" SNMPv2-SMI::enterprises.48099.1.1.10 = "" SNMPv2-SMI::enterprises.48099.1.1.11 = STRING: "monspk-sql8-clust.local" SNMPv2-SMI::enterprises.48099.1.1.12 = STRING: "monspk-SQL8-CLUST - SQL Alert"
Can someone please help with this to parse at indexing or through rex.
Thanks!
↧