Send an SNMP Trap from a Live Splunk
Use Splunk as a monitoring tool to send SNMP traps to other systems, such as a Network Systems Management console.
Requirements
- Perl is required to run the script below.
- The Net-SNMP package is required in order to use the /usr/bin/snmptrap command. If you have another way of sending an SNMP trap from a shell script, modify the script as needed.
- Admin access to the $SPLUNK_HOME/bin/scripts directory of your Splunk install.
Create shell script
- Download the traphosts.pl script to your $SPLUNK_HOME/bin/scripts directory (create the directory if it doesn't already exist).
- Run chmod +x traphosts.pl to make it executable. The file holds a Splunk password and an SNMP community string in clear text, so keep it readable only by the user Splunk runs as (for example chmod 700 traphosts.pl).
- Change the Host:Port of the SNMP trap handler, the paths to the external commands splunk and snmptrap, and the user/password if necessary. Do not leave the default admin:changeme credentials in place, and note that anything passed to splunk with -auth on the command line is visible to other local users in the process list.
```perl
#!/usr/bin/perl
#
# traphosts.pl: send SNMP trap for each host in the results of a Live Splunk
#
use strict;
use warnings;

# Modify the following as necessary for your local environment
#
my $hostPortSNMP = "snmphost:162";           # Host:Port of snmptrapd or other SNMP trap handler
my $splunkCmd    = "/opt/splunk/bin/splunk"; # path to Splunk command line
my $snmpTrapCmd  = "/usr/bin/snmptrap";      # path to snmptrap, from http://www.net-snmp.org
my $OID          = "1.3.6.1.4.1.27389.1";    # Object IDentifier for a Live Splunk, Splunk Enterprise OID is 27389
my $splunkAuth   = "admin:changeme";         # User/password for Splunk; replace the default
my $community    = "public";                 # SNMPv1 community string expected by the trap handler

# Parameters passed in from the Live Splunk:
#
die "usage: traphosts.pl <results summary XML> <search terms> <query> <name> <reason> <URL>\n"
    unless @ARGV >= 6;
my ($liveSplunkCount)     = $ARGV[0] =~ m#<eventCount>(\d+)</eventCount>#; # $1 - get from results summary in XML
my $liveSplunkSearchTerms = $ARGV[1]; # $2 - search terms used by Live Splunk
my $liveSplunkQuery       = $ARGV[2]; # $3 - fully qualified query string of Live Splunk
my $liveSplunkName        = $ARGV[3]; # $4 - name of Live Splunk
my $liveSplunkReason      = $ARGV[4]; # $5 - reason Live Splunk fired
my $liveSplunkURL         = $ARGV[5]; # $6 - URL/Permalink of Live Splunk
my ($liveSplunkStarttime) = $ARGV[0] =~ m#<starttime>(.+?)</starttime>#; # get from results summary in XML
my ($liveSplunkEndtime)   = $ARGV[0] =~ m#<endtime>(.+?)</endtime>#;     # get from results summary in XML
$liveSplunkCount = 0 unless defined $liveSplunkCount;

# Get unique hosts
#
# The command is run in list form so that no shell ever sees the arguments:
# search terms, names and host values come from the alert and may contain
# quotes, semicolons or backticks.
my $timeRange = "$liveSplunkSearchTerms starttime::$liveSplunkStarttime endtime::$liveSplunkEndtime";
open(my $fh, '-|', $splunkCmd, 'search', '-get', 'hosts', $timeRange, '-auth', $splunkAuth)
    or die "cannot run $splunkCmd: $!\n";
my @hosts = <$fh>;
close($fh);
push @hosts, "NO_HOSTNAME" if !@hosts;

# Trap parameters sent:
#
# .1 - i - Count of events found by this Live Splunk
# .2 - s - Search terms used by Live Splunk
# .3 - s - URL/Permalink of Live Splunk
# .4 - s - Name of Live Splunk
# .5 - s - Reason Live Splunk fired
# .6 - s - Hostname
# .7 - s - Message

# Send one trap per unique host
#
foreach my $hostname (@hosts) {
    chomp($hostname);
    my $message = "Live Splunk $liveSplunkName on $hostname";
    # SNMPv1 trap arguments: enterprise OID, agent address (empty = this host),
    # generic-trap, specific-trap, uptime (empty = current), then the varbinds.
    # generic-trap 1 is warmStart in RFC 1157; use 6 (enterpriseSpecific) if
    # your trap handler filters on trap type.
    my @cmd = ($snmpTrapCmd, '-v', '1', '-c', $community, $hostPortSNMP,
               $OID, '', '1', '0', '',
               "$OID.1", 'i', $liveSplunkCount,
               "$OID.2", 's', $liveSplunkSearchTerms,
               "$OID.3", 's', $liveSplunkURL,
               "$OID.4", 's', $liveSplunkName,
               "$OID.5", 's', $liveSplunkReason,
               "$OID.6", 's', $hostname,
               "$OID.7", 's', $message);
    system(@cmd) == 0 or warn "snmptrap failed for $hostname: $?\n";
}
```
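The script above receives six positional arguments from the Live Splunk and turns them into one snmptrap command per host. The following Python example is added here and is not code from the original page or from Splunk. It shows the same steps offline: parsing the results-summary XML passed as the first argument, deduplicating the host list, and building the snmptrap argument vector so that each varbind value is a single argv element. It also shows, with shlex, what a POSIX shell would make of the double-quoted interpolation used in the original Perl when a host value contains a closing quote. Every sample value (the XML, the host names, the URL, the snmptrap path) is constructed for the example, and the example uses generic-trap 6 (enterpriseSpecific) where the page's script passes 1.

```python
"""Added example: Live Splunk arguments to an snmptrap argv without a shell."""
import re
import shlex
import subprocess
from typing import Dict, List

SPLUNK_OID = "1.3.6.1.4.1.27389.1"  # enterprise OID used by traphosts.pl
SNMPTRAP = "/usr/bin/snmptrap"       # assumed path to the Net-SNMP binary

# Constructed stand-in for $1, the results summary XML a Live Splunk passes.
SAMPLE_SUMMARY = ("<results><eventCount>3</eventCount>"
                  "<starttime>1180500000</starttime>"
                  "<endtime>1180500300</endtime></results>")

# Constructed host value of the kind an event's host field could carry;
# it closes the double quote used by the original qq// interpolation.
EVIL_HOST = 'web01" ; touch /tmp/pwned ; echo "'


def parse_summary(xml: str) -> Dict[str, str]:
    """Extract eventCount, starttime and endtime from $1 as traphosts.pl does."""
    out = {}
    for tag, pat in (("eventCount", r"\d+"), ("starttime", r"[^<]+"),
                     ("endtime", r"[^<]+")):
        m = re.search(rf"<{tag}>({pat})</{tag}>", xml)
        if m is None:
            raise ValueError(f"results summary has no <{tag}>")
        out[tag] = m.group(1)
    return out


def unique_hosts(lines: List[str]) -> List[str]:
    """Dedupe the 'splunk search -get hosts' output; same fallback as the script."""
    hosts = sorted({ln.strip() for ln in lines if ln.strip()})
    return hosts or ["NO_HOSTNAME"]


def trap_argv(host_port: str, community: str, count: int, terms: str,
              url: str, name: str, reason: str, hostname: str) -> List[str]:
    """argv for one SNMPv1 trap; each varbind value is exactly one element."""
    message = f"Live Splunk {name} on {hostname}"
    argv = [SNMPTRAP, "-v", "1", "-c", community, host_port,
            SPLUNK_OID,  # enterprise OID
            "",          # agent address (empty = this host)
            "6",         # generic-trap 6 = enterpriseSpecific (RFC 1157)
            "0",         # specific-trap
            ""]          # uptime (empty = current)
    varbinds = [("1", "i", str(count)), ("2", "s", terms), ("3", "s", url),
                ("4", "s", name), ("5", "s", reason), ("6", "s", hostname),
                ("7", "s", message)]
    for sub, typ, val in varbinds:
        argv += [f"{SPLUNK_OID}.{sub}", typ, val]
    return argv


def shell_tokens_for(hostname: str) -> List[str]:
    """Words /bin/sh would see for the original's  $OID.6 s "$hostname"  fragment.

    shlex.split applies POSIX quoting rules, so a host value that closes the
    quote produces extra words that the shell would run as further commands.
    """
    return shlex.split(f'{SPLUNK_OID}.6 s "{hostname}"')


def send_traps(host_port: str, community: str, summary_xml: str, terms: str,
               url: str, name: str, reason: str, host_lines: List[str],
               dry_run: bool = True) -> List[List[str]]:
    """One trap per unique host, run as an argv list so no shell is involved."""
    s = parse_summary(summary_xml)
    sent = []
    for h in unique_hosts(host_lines):
        argv = trap_argv(host_port, community, int(s["eventCount"]),
                         terms, url, name, reason, h)
        if not dry_run:
            subprocess.run(argv, check=True)  # requires Net-SNMP on the host
        sent.append(argv)
    return sent


if __name__ == "__main__":
    # Constructed inputs: two hosts, one of them carrying shell metacharacters.
    for argv in send_traps("snmphost:162", "public", SAMPLE_SUMMARY,
                           "authentication failure",
                           "http://splunk.example.com:8000/bad_logins",
                           "bad_logins", "count > 1",
                           ["db01\n", EVIL_HOST + "\n", "db01\n"]):
        print(shlex.join(argv))
    print(shell_tokens_for(EVIL_HOST))
```

Run with dry_run=True (the default) to print the exact argument vectors without Net-SNMP installed; with dry_run=False each vector is passed straight to snmptrap. The point of the comparison is that trap_argv keeps EVIL_HOST as one element, while shell_tokens_for shows the same value split into `touch` and `/tmp/pwned` once a shell parses the interpolated string.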
Configure Live Splunk to Call Shell Script
The first step is to save a Splunk. You can use any valid search terms, but for this example:
- type authentication failure into the Splunk box and hit Enter
- click on Splunks, then Save...
- name it bad_logins and click Save
Now make it a Live Splunk by clicking the Make Live link that appears below the Splunk box just after saving, or click the Splunks dropdown, choose Manage my Splunks, then click Add Live Splunk to the right of bad_logins. Fill out the details so that the Live Splunk runs every 5 minutes, fires when more than one event is found, and calls traphosts.pl as its script, then click Create.
With these settings the Live Splunk runs every 5 minutes, and if more than one event is found our script gets called, sending an SNMP trap for each unique hostname found.
For more information on Live Splunks see the Splunk User Manual Saved Splunks & Live Splunks.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.