I'm using the split filter along with the logstash-input-snmp to gather SNMP data and ingest into Elastic.
In order to ingest data on a per-core, per-interface, per-filesystem basis, I'm using separate input blocks with tagging and then using the split filter based on the tags.
What I'd like to be able to do is use a single snmp input to walk a device and then use the split filter on the original event multiple times to split out the various tables of data.
```
if "cpu_split" in [tags] {
  # do cpu related parsing and cleanup (drop non cpu fields)
} else if "mem_split" in [tags] {
  # do mem related parsing and cleanup (drop non mem fields)
} else if "int_split" in [tags] {
  # do int related parsing and cleanup (drop non int fields)
} else {
  split {
    field => "cpu"
    keep_original => true
    add_tag => [ "cpu_split" ]
  }
  split {
    field => "mem"
    keep_original => true
    add_tag => [ "mem_split" ]
  }
  split {
    field => "int"
    keep_original => true
    add_tag => [ "int_split" ]
  }
  # Drop cpu/mem/int fields and parse the rest of results (or just drop{} if nothing left)
}
```
e.g. Based on a rough format of:
I could use a pipeline with:
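A small Ruby model of the fan-out requested in this issue, added here as an illustration; it is not code from the issue or from the split plugin. `keep_original` is modelled as the issue proposes it, and the sample event and the helper names `split_keep_original` and `fan_out` are assumptions.

```ruby
# Model of the fan-out the issue asks for. `keep_original` is the option
# requested in the issue, modelled here; it is not an existing split setting.

# Constructed sample event (assumed shape; the issue's own sample is not shown).
SAMPLE_EVENT = {
  "host" => "switch01",
  "cpu"  => [{ "core" => 0, "load" => 12 }, { "core" => 1, "load" => 40 }],
  "mem"  => [{ "pool" => "processor", "used" => 512 }],
  "int"  => [{ "name" => "Gi0/1", "in" => 10 }, { "name" => "Gi0/2", "in" => 0 },
             { "name" => "Gi0/3", "in" => 7 }],
  "tags" => []
}.freeze

# Table field => tag added by the matching split block in the pipeline.
TABLES = { "cpu" => "cpu_split", "mem" => "mem_split", "int" => "int_split" }.freeze

# One split with keep_original: emit one tagged copy per array element and
# leave the original event untouched for the next split.
def split_keep_original(event, field, tag)
  Array(event[field]).map do |element|
    copy = event.merge({ field => element, "tags" => event["tags"] + [tag] })
    # Per-table cleanup branch from the pipeline: drop the other tables.
    (TABLES.keys - [field]).each { |other| copy.delete(other) }
    copy
  end
end

# Run every split against the same original, then strip the table fields from
# the original so only the device-level remainder is left (the final else branch).
def fan_out(event)
  children = TABLES.flat_map { |field, tag| split_keep_original(event, field, tag) }
  remainder = event.reject { |key, _| TABLES.key?(key) }
  [children, remainder]
end

if __FILE__ == $PROGRAM_NAME
  children, remainder = fan_out(SAMPLE_EVENT)
  children.each { |e| puts e.inspect }
  puts remainder.inspect
end
```

With the constructed event, one walk yields two CPU events, one memory event and three interface events, plus the device-level remainder.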