codeout / fluent-plugin-sflow

sFlow plugin for Fluentd
MIT License

Filtering | parsing plugin output. #3

Closed openbsod closed 7 years ago

openbsod commented 7 years ago

Hi!

Thank you for that plugin, it works like a charm. I have a few questions:

1) how can I filter (or filter out) only the fields that I need? For example

'select unix_seconds_utc, src_mac, src_ip, tcp_dst_port, dst_mac, dst_ip, tcp_src_port, in_vlan, out_vlan, dst_as, src_as from sflow'

without fluent-plugin-grep or any other parsing plugin?

2) how can I start using the 'report in JSON format' feature?

Please, help. Thank you.

codeout commented 7 years ago

1. how can I filter (or filter out) only the fields that I need? For example

without fluent-plugin-grep or any other parsing plugin?

No, field selection is not implemented. You can use filter_record_transformer (or filter_record_modifier for speed).

# fluentd.conf

# receive sFlow datagrams with this plugin and tag them
<source>
  @type sflow
  tag  example.sflow
</source>

# renew_record starts from an empty record; keep_keys copies only the
# listed fields into it, so everything else is dropped
<filter example.sflow>
  @type record_transformer
  renew_record true
  keep_keys unix_seconds_utc, src_mac, src_ip, tcp_dst_port, dst_mac, dst_ip, tcp_src_port, in_vlan, out_vlan, dst_as, src_as
</filter>

<match example.sflow>
  @type stdout
</match>

Sample output (fields absent from a record are simply omitted):

2017-11-08 00:54:01 +0900 example.sflow: {"unix_seconds_utc":1510070041,"src_mac":"0019b9ddb264","src_ip":"172.21.32.254","dst_mac":"001c239f150b","dst_ip":"172.21.32.241"}

2. how can I start using the 'report in JSON format' feature?

With the sFlow packet parser contained in this library, you can easily write a Ruby-based sflowtool like this:

require 'json'
require 'pp'
require 'socket'

require 'sflowtool'   # the sFlow packet parser bundled with this plugin

# listen on the standard sFlow collector port
sock = UDPSocket.new
sock.bind('0.0.0.0', 6343)

loop do
  data, address = sock.recvfrom(2048)
  # address is ["AF_INET", port, hostname, ip]; the parser wants the agent's IP
  str = Sflowtool.parse(data, address[3])
  pp JSON.load(str)
end

This is equivalent to sflowtool -p 6343, but it reports sflows in JSON format.

Enjoy!
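As an added example (not part of the thread or of the plugin's code), the following Ruby reproduces in plain code what the `renew_record true` + `keep_keys` filter above does to a stream of JSON records, so the behaviour can be checked without running Fluentd: a fresh record is built from only the listed keys, keys absent from the input are omitted rather than set to nil (which is why the sample output line shows fewer fields than the keep_keys list), and lines that are not valid JSON objects are counted and dropped instead of aborting the stream. The sample records are constructed, modelled on the stdout line above; `parse_keep_keys` assumes the comma-separated value is split on commas with surrounding whitespace trimmed.

```ruby
require 'json'

# Constructed sample input: records as the sflow input plugin would emit them,
# in JSON-lines form. Values are made up; the last line is deliberately invalid.
SAMPLE_LINES = <<~JSONL.lines.map(&:strip)
  {"unix_seconds_utc":1510070041,"src_mac":"0019b9ddb264","src_ip":"172.21.32.254","dst_mac":"001c239f150b","dst_ip":"172.21.32.241","agent_ip":"10.0.0.1","in_vlan":100,"out_vlan":200}
  {"unix_seconds_utc":1510070042,"src_mac":"0019b9ddb264","src_ip":"172.21.32.254","dst_mac":"001c239f150b","dst_ip":"172.21.32.241","tcp_src_port":51234,"tcp_dst_port":443,"src_as":65001,"dst_as":65002}
  not json at all
JSONL

# Read a keep_keys value the way it appears in the config above.
# Assumption: split on commas, trim whitespace, ignore empty entries.
def parse_keep_keys(value)
  value.split(',').map(&:strip).reject(&:empty?)
end

# Equivalent of renew_record true + keep_keys: build a brand-new record that
# holds only the listed keys that are actually present in the input. Absent
# keys are omitted, not filled with nil, so the output record has no more keys
# than the input had.
def select_fields(record, keep_keys)
  keep_keys.each_with_object({}) do |key, out|
    out[key] = record[key] if record.key?(key)
  end
end

# Apply the selection to a stream of JSON lines. Returns [kept_records, rejected]
# where rejected counts lines that were not valid JSON objects; those are
# dropped rather than raised so one bad datagram cannot stop the pipeline.
def filter_stream(lines, keep_keys)
  kept = []
  rejected = 0
  lines.each do |line|
    begin
      record = JSON.parse(line)
    rescue JSON::ParserError
      rejected += 1
      next
    end
    unless record.is_a?(Hash)
      rejected += 1
      next
    end
    kept << select_fields(record, keep_keys)
  end
  [kept, rejected]
end

# The same key list as the keep_keys line in the config above.
KEEP_KEYS = parse_keep_keys(
  'unix_seconds_utc, src_mac, src_ip, tcp_dst_port, dst_mac, dst_ip, ' \
  'tcp_src_port, in_vlan, out_vlan, dst_as, src_as'
)

if __FILE__ == $0
  kept, rejected = filter_stream(SAMPLE_LINES, KEEP_KEYS)
  kept.each { |record| puts JSON.generate(record) }
  warn "dropped #{rejected} unparsable line(s)"
end
```

Running it prints the first record without `agent_ip` (not in keep_keys) and the second with its TCP ports and AS numbers, and reports one dropped line; the output key order follows the keep_keys list rather than the input record.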

openbsod commented 7 years ago

Thank you very much for detailed explanation!