10 Apr 2024 11:09 AM - last edited on 10 May 2024 02:56 PM by Michal_Gebacki
11 Apr 2024 12:57 PM
I don't see anything obviously wrong with the configuration. Please create a support ticket, as I remember there being some issues using :: in the past.
25 Apr 2024 10:39 AM
Hi,
I found it.
I first created a Log processing rule:
In the field processor definition, the column name to be used is not the JSON field given by the log monitoring but the value sent by the trap. The difference is that in the JSON, the column name is always lower case. The data sent by the trap is a mix of lower/upper case.
Rule name: [SNMPTrap] snmptraps:vtom:job
Matcher: snmp.trap_oid = "VTOMASN1MODULE::absyss"
Processor definition:
USING(INOUT "VTOMASN1MODULE::absyss.166.4000.1.2")
| FIELDS_RENAME(snmp.vtom.job: COLUMN("VTOMASN1MODULE::absyss.166.4000.1.2"))
Log sample:
{
  "event.type": "LOG",
  "content": "SNMP trap (VTOMASN1MODULE::absyss) reported from src:10.195.198.83\n agent:10.195.198.83",
  "status": "NONE",
  "timestamp": "1713272276183",
  "loglevel": "NONE",
  "dt.ingest.warnings": "processing_prepare_input_error",
  "log.source": "snmptraps",
  "snmp.trap_oid": "VTOMASN1MODULE::absyss",
  "device.address": "10.195.198.83",
  "vtomasn1module::absyss.166.4000.1.2": "CACEIS_PPD/FDS/CHECK_COR_2 ERRE",
  "snmp.version": "1"
}
Rk: The Rule test is not working. It is not taking this lower case issue into account.
Then I created this topology rule:
[
  {
    "schemaId": "builtin:monitoredentities.generic.type",
    "schemaVersion": "1.0.77",
    "scope": "environment",
    "value": {
      "enabled": true,
      "name": "vtom:snmptrap",
      "displayName": "VTOM SNMP Trap",
      "createdBy": "gbegin",
      "rules": [
        {
          "idPattern": "job_{snmp.vtom.job}",
          "instanceNamePattern": "VTOM Job {snmp.vtom.job}",
          "iconPattern": null,
          "sources": [
            {
              "sourceType": "Logs"
            }
          ],
          "requiredDimensions": [
            {
              "key": "snmp.trap_oid",
              "valuePattern": "$eq(VTOMASN1MODULE::absyss)"
            }
          ],
          "attributes": [],
          "role": null
        }
      ]
    }
  }
]
Regards
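To make the case mismatch described in the solution concrete, here is an added Python simulation (not Dynatrace code and not from the post) of the two rules: a column lookup that falls back to a case-insensitive match, standing in for the processor's `COLUMN(...)` reference, the rename into `snmp.vtom.job`, and the topology rule's required-dimension check and `{...}` pattern substitution. The case-insensitive fallback is an assumption about how the platform resolves the trap column; the sample record is constructed from the post's log sample.

```python
import re

# Constructed sample, trimmed from the post's log sample: note the trap column key is lowercased.
SAMPLE_LOG = {
    "log.source": "snmptraps",
    "snmp.trap_oid": "VTOMASN1MODULE::absyss",
    "vtomasn1module::absyss.166.4000.1.2": "CACEIS_PPD/FDS/CHECK_COR_2 ERRE",
}

# Column name as the trap sends it (mixed case), which is what the processor definition references.
TRAP_COLUMN = "VTOMASN1MODULE::absyss.166.4000.1.2"
MATCH_OID = "VTOMASN1MODULE::absyss"


def resolve_column(record, name):
    """Return the record key for `name`: exact match first, then a case-insensitive fallback (assumed)."""
    if name in record:
        return name
    lowered = name.lower()
    for key in record:
        if key.lower() == lowered:
            return key
    return None


def apply_processing_rule(record):
    """Mimic the log processing rule: if the matcher hits, rename the trap column to snmp.vtom.job."""
    if record.get("snmp.trap_oid") != MATCH_OID:
        return record  # matcher did not hit, record passes through unchanged
    key = resolve_column(record, TRAP_COLUMN)
    if key is None:
        return record  # column absent, nothing to rename
    out = dict(record)
    out["snmp.vtom.job"] = out.pop(key)  # FIELDS_RENAME removes the old key
    return out


def derive_entity(record):
    """Mimic the topology rule: required dimension $eq(...) check, then id/name pattern substitution."""
    if record.get("snmp.trap_oid") != MATCH_OID or "snmp.vtom.job" not in record:
        return None

    def subst(pattern):
        return re.sub(r"\{([^}]+)\}", lambda m: str(record.get(m.group(1), "")), pattern)

    return {"id": subst("job_{snmp.vtom.job}"), "name": subst("VTOM Job {snmp.vtom.job}")}
```

Run `derive_entity(apply_processing_rule(SAMPLE_LOG))` to see the entity the post's rules would produce; `derive_entity(SAMPLE_LOG)` returns `None` because without the rename there is no `snmp.vtom.job` dimension to substitute.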