Send SNMP traps
You can use Splunk as a monitoring tool to send SNMP alerts to other systems such as a Network Systems Management console.
Configuration
Requirements
- Perl is required to run the script below.
- The Net-SNMP package is required in order to use the /usr/bin/snmptrap command. If you have another way of sending an SNMP trap from a shell script, modify the script as needed.
- Admin access to the $SPLUNK_HOME/bin/scripts directory of your Splunk install.
Create shell script
- Create the traphosts.pl script in your $SPLUNK_HOME/bin/scripts directory (create the directory if it doesn't already exist).
- Copy the code below into traphosts.pl.
- Run chmod +x traphosts.pl to make it executable.
- Change the Host:Port of the SNMP trap handler, the paths to the external commands splunk and snmptrap, and the user/password if necessary.
#!/usr/bin/perl
#
# traphosts.pl: A script for Splunk alerts to send an SNMP trap.
#
# Modify the following as necessary for your local environment
#
use strict;
use warnings;

my $hostPortSNMP = "qa-tm1:162";        # Host:Port of snmpd or other SNMP trap handler
my $snmpTrapCmd  = "/usr/bin/snmptrap"; # Path to snmptrap, from http://www.net-snmp.org
my $community    = "public";            # SNMPv1 community string the trap handler accepts
my $OID = "1.3.6.1.4.1.27389.1";        # Object IDentifier for an alert, Splunk Enterprise OID is 27389

# Parameters passed in from the alert.
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
my $searchCount  = $ARGV[0]; # $1 - Number of events returned
my $searchTerms  = $ARGV[1]; # $2 - Search terms
my $searchQuery  = $ARGV[2]; # $3 - Fully qualified query string
my $searchName   = $ARGV[3]; # $4 - Name of saved search
my $searchReason = $ARGV[4]; # $5 - Reason saved search triggered
my $searchURL    = $ARGV[5]; # $6 - URL/Permalink of saved search
my ( $searchTags, $searchPath );
if ( $ARGV[7] ) {               # We received tags
    $searchTags = $ARGV[6];     # $7 - Tags, if any, otherwise $7 is $8
    $searchPath = $ARGV[7];     # $8 - Path to raw saved results in Splunk instance (advanced)
} else {                        # We didn't receive tags
    $searchPath = $ARGV[6];     # $7 - Path to raw saved results in Splunk instance (advanced)
}

# Map the parameter list above down into the OID as varbinds ($OID.1 .. $OID.8).
my @varbinds = (
    "$OID.1", 'i', $searchCount,
    "$OID.2", 's', $searchTerms,
    "$OID.3", 's', $searchQuery,
    "$OID.4", 's', $searchName,
    "$OID.5", 's', $searchReason,
    "$OID.6", 's', $searchURL,
);
if ( defined $searchTags ) {
    push @varbinds, "$OID.7", 's', $searchTags, "$OID.8", 's', $searchPath;
} else {
    push @varbinds, "$OID.7", 's', $searchPath;
}

# Send the trap. snmptrap -v 1 takes: enterprise OID, agent address (blank = local
# host), generic trap type (1 = warmStart), specific trap, uptime (blank = current),
# then OID/type/value triples. The list form of system() hands each argument to
# snmptrap directly, so search terms or reasons containing shell metacharacters
# are passed literally instead of being interpreted by /bin/sh.
my $rc = system( $snmpTrapCmd, '-v', '1', '-c', $community, $hostPortSNMP,
                 $OID, '', '1', '0', '', @varbinds );
exit( $rc == 0 ? 0 : 1 );
Configure your alert to call the shell script
- Create a saved search. See Set Up Saved Searches for more information.
- Turn your saved search into an alert. See Set up Alerts for more information.
- Set up your alert so that it calls your shell script: set the trigger shell script to the location of your traphosts.pl. If you place traphosts.pl in $SPLUNK_HOME/bin/scripts, you don't have to put in the entire path.
Here is an example of the trap the script sends, as received and logged by snmptrapd:
[root@qa-tm1 ~]# snmptrapd -f -Lo
2007-08-13 16:13:07 NET-SNMP version 5.2.1.2 Started.
2007-08-13 16:14:03 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32883) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:45:08.35
SNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 7 SNMPv2-SMI::enterprises.27389.1.2 = STRING: "sourcetype::syslog" SNMPv2-SMI::enterprises.27389.1.3 = STRING: "search sourcetype::syslog starttime:12/31/1969:16:00:00 endtime::08/13/2007:16:14:01" SNMPv2-SMI::enterprises.27389.1.4 = STRING: "SyslogEventsLast24" SNMPv2-SMI::enterprises.27389.1.5 = STRING: "Saved Search [SyslogEventsLast24]: The number of hosts(7) was greater than 1" SNMPv2-SMI::enterprises.27389.1.6 = STRING: "http://qa-el4:18000/?q=sourcetype%3a%3asyslog%20starttimeu%3a%3a0%20endtimeu%3a%3a1187046841" SNMPv2-SMI::enterprises.27389.1.7 = STRING: "/home/tet/inst/splunk/var/run/splunk/SyslogEventsLast24"
2007-08-13 16:14:15 NET-SNMP version 5.2.1.2 Stopped.
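As an added example that is not part of this Splunk page, the following Python parser reads snmptrapd -Lo output of the kind shown above on the receiving side and maps each trap's varbinds back to the alert fields traphosts.pl sent, resolving whether .7 is the tags or the results path from the presence of an .8 varbind, and flagging traps whose community string is not the one the handler expects. The sample log lines, the field names and the expected_community parameter are constructed for the example.

```python
import re

# OID prefix traphosts.pl puts on every varbind (enterprise 27389 = Splunk).
SPLUNK_ALERT_OID = "enterprises.27389.1"
FIELDS = ["count", "terms", "query", "name", "reason", "url"]  # suffixes .1 to .6
VARBIND_RE = re.compile(re.escape(SPLUNK_ALERT_OID) + r'\.(\d+) = (INTEGER|STRING): (?:"([^"]*)"|(\S+))')
HEADER_RE = re.compile(r"^\S+ \S+ (?P<host>\S+) \[(?P<ip>[^\]]+)\] .*TRAP, SNMP v1, community (?P<community>\S+)")

# Constructed snmptrapd -Lo output in the page's format: a 7-varbind trap (no
# tags) followed by an 8-varbind trap (with tags) sent with another community.
SAMPLE_LOG = """\
2007-08-13 16:14:03 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32883) TRAP, SNMP v1, community public
SNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:45:08.35
SNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 7\tSNMPv2-SMI::enterprises.27389.1.2 = STRING: "sourcetype::syslog"\tSNMPv2-SMI::enterprises.27389.1.3 = STRING: "search sourcetype::syslog"\tSNMPv2-SMI::enterprises.27389.1.4 = STRING: "SyslogEventsLast24"\tSNMPv2-SMI::enterprises.27389.1.5 = STRING: "hosts(7) > 1"\tSNMPv2-SMI::enterprises.27389.1.6 = STRING: "http://qa-el4:18000/?q=x"\tSNMPv2-SMI::enterprises.27389.1.7 = STRING: "/opt/splunk/var/run/splunk/SyslogEventsLast24"
2007-08-13 16:20:11 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32884) TRAP, SNMP v1, community private
SNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:51:16.02
SNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 2\tSNMPv2-SMI::enterprises.27389.1.2 = STRING: "failed password"\tSNMPv2-SMI::enterprises.27389.1.3 = STRING: "search failed password"\tSNMPv2-SMI::enterprises.27389.1.4 = STRING: "SSHFailures"\tSNMPv2-SMI::enterprises.27389.1.5 = STRING: "count(2) > 1"\tSNMPv2-SMI::enterprises.27389.1.6 = STRING: "http://qa-el4:18000/?q=y"\tSNMPv2-SMI::enterprises.27389.1.7 = STRING: "auth,ssh"\tSNMPv2-SMI::enterprises.27389.1.8 = STRING: "/opt/splunk/var/run/splunk/SSHFailures"
"""

def parse_varbinds(line):
    """Map one varbind line to the fields traphosts.pl sent. Suffix .7 is the
    tags field only when .8 exists; otherwise .7 is the saved-results path."""
    values = {}
    for idx, typ, quoted, bare in VARBIND_RE.findall(line):
        raw = quoted if typ == "STRING" else bare
        values[int(idx)] = int(raw) if typ == "INTEGER" else raw
    if not values:
        return None
    alert = {name: values.get(i + 1) for i, name in enumerate(FIELDS)}
    alert["tags"] = values.get(7) if 8 in values else None
    alert["path"] = values[8] if 8 in values else values.get(7)
    return alert

def parse_trapd_log(text, expected_community="public"):
    """Pair each TRAP header with its varbind line and flag traps whose
    community differs from the one the handler is configured to accept."""
    traps, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            alert = parse_varbinds(line)
            if alert is not None:
                alert.update(header)
                alert["community_ok"] = header["community"] == expected_community
                traps.append(alert)
                header = None
    return traps
```

Feed it the real snmptrapd log with parse_trapd_log(open(path).read()) and route each returned dict to your ticketing or SIEM pipeline; traps with community_ok set to False deserve a look at who is sending them.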
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.
