Splunk® Enterprise

Alerting Manual



Send SNMP traps to other systems

You can use Splunk as a monitoring tool to send SNMP alerts to other systems such as a Network Management System console.

Note: For information on how to index SNMP alerts on Splunk, read Send SNMP events to Splunk in the Getting Data In manual.

Create a script that sends the SNMP traps

Requirements

Requirements for the example script:

  • Perl is required to run the script.
  • Net-SNMP package is required in order to use the /usr/bin/snmptrap command. If you have another way of sending an SNMP trap from a shell script, modify the script as needed.
  • Make sure there's admin access to the $SPLUNK_HOME/bin/scripts directory.
  • For security reasons, scripts must reside in the $SPLUNK_HOME/bin/scripts directory.

Example script to send SNMP traps to other systems

Note the following:

  • Create the script in the $SPLUNK_HOME/bin/scripts directory. Create the directory if it doesn't already exist. Copy the code listed below into sendsnmptrap.pl.
  • Run chmod +x sendsnmptrap.pl to make the script executable.
  • In the script, change the Host:Port of the SNMP trap handler, the paths to the external commands splunk and snmptrap, and the user/password if necessary.

Sample script code

#!/usr/bin/perl
#
# sendsnmptrap.pl: A script to enable using Splunk alerts to send an SNMP trap.
#
# Modify the following code as necessary for your local environment.
#
use strict;
use warnings;

my $hostPortSNMP = "qa-tm1:162"; # Host:Port of snmpd or other SNMP trap handler
my $snmpTrapCmd = "/usr/bin/snmptrap"; # Path to snmptrap, from http://www.net-snmp.org
my $TRAPOID = "1.3.6.1.4.1.27389.1.2"; # Object IDentifier for traps/notifications
my $OID = "1.3.6.1.4.1.27389.1.1"; # Object IDentifier for objects, Splunk Enterprise OID is 27389

# Parameters passed in from the alert.
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
# Parameters Splunk did not supply become empty strings so snmptrap always receives eight values.
my @param = map { defined $_ ? $_ : "" } @ARGV[0..7];
my $searchCount = $param[0]; # $1 - Number of events returned
my $searchTerms = $param[1]; # $2 - Search terms
my $searchQuery = $param[2]; # $3 - Fully qualified query string
my $searchName = $param[3]; # $4 - Name of saved search
my $searchReason = $param[4]; # $5 - Reason saved search triggered
my $searchURL = $param[5]; # $6 - URL/Permalink of saved search
my $searchTags = $param[6]; # $7 - Always empty as of 4.1
my $searchPath = $param[7]; # $8 - Path to raw saved results in Splunk instance (advanced)

# Send trap, with the parameter list above mapping down into the OID.
# The list form of system() runs snmptrap directly, without a shell, so quotes or
# shell metacharacters in the search terms, query or reason cannot alter the command.
# The empty argument after the host is the uptime field; snmptrap fills it in itself.
my @cmd = ($snmpTrapCmd, "-v", "2c", "-c", "public", $hostPortSNMP, "", $TRAPOID,
    "$OID.1", "i", $searchCount,
    "$OID.2", "s", $searchTerms,
    "$OID.3", "s", $searchQuery,
    "$OID.4", "s", $searchName,
    "$OID.5", "s", $searchReason,
    "$OID.6", "s", $searchURL,
    "$OID.7", "s", $searchTags,
    "$OID.8", "s", $searchPath);
system(@cmd) == 0 or die "snmptrap failed: $?\n";

For Windows

This Perl script will work on MS Windows systems with Perl. However, on some Windows systems, Perl may not be installed, or Perl scripts may not be configured to be directly executable via Splunk. In those cases, you might find it easier to use a Windows CMD script, as described in the Splunk community wiki topic Sending SNMP traps on Windows.

Provide a MIB file

You can provide a Splunk MIB file for the SNMP monitoring agent. See the Splunk community wiki topic Splunk Alert MIB for details.

Configure your alert to call the script

Follow these steps:

1. Create an alert. Read About alerts in the Alerting Manual for more information.

2. Set up your alert so that it calls the script. To do so, specify the name of the script (which must reside in $SPLUNK_HOME/bin/scripts).

[Image: Shellscript.png]

Example script run

Here is an example of the script running, as seen from the receiving snmptrapd, including the trap it logs:

[root@qa-tm1 ~]# snmptrapd -f -Lo
2007-08-13 16:13:07 NET-SNMP version 5.2.1.2 Started.
2007-08-13 16:14:03 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32883) TRAP, SNMP v1, community public
        SNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:45:08.35
        SNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 7
        SNMPv2-SMI::enterprises.27389.1.2 = STRING: "sourcetype::syslog"
        SNMPv2-SMI::enterprises.27389.1.3 = STRING: "search sourcetype::syslog starttime:12/31/1969:16:00:00 endtime::08/13/2007:16:14:01"
        SNMPv2-SMI::enterprises.27389.1.4 = STRING: "SyslogEventsLast24"
        SNMPv2-SMI::enterprises.27389.1.5 = STRING: "Saved Search [SyslogEventsLast24]: The number of hosts(7) was greater than 1"
        SNMPv2-SMI::enterprises.27389.1.6 = STRING: "http://qa-el4:18000/?q=sourcetype%3a%3asyslog%20starttimeu%3a%3a0%20endtimeu%3a%3a1187046841"
        SNMPv2-SMI::enterprises.27389.1.7 = STRING: "/home/tet/inst/splunk/var/run/splunk/SyslogEventsLast24"
2007-08-13 16:14:15 NET-SNMP version 5.2.1.2 Stopped.
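As an added example (not part of the Splunk documentation or of the script above), the following Python parses records in the layout snmptrapd -Lo prints into the alert fields the script encodes as varbinds, and checks that the fields an NMS-side consumer relies on are actually present before the trap is acted on. The sample record and the names parse_trap, validate_trap, VARBIND_FIELDS and REQUIRED_FIELDS are constructed here; the sample uses the enterprises.27389.1.1.N object OIDs the script builds, and the parser also accepts the shorter enterprises.27389.1.N form seen in the run above.

```python
import re
from typing import Dict, List, Union

# Varbind index -> alert field, following the $OID.1 .. $OID.8 mapping in sendsnmptrap.pl
VARBIND_FIELDS = {1: "search_count", 2: "search_terms", 3: "search_query", 4: "search_name",
                  5: "search_reason", 6: "search_url", 7: "search_tags", 8: "search_path"}
REQUIRED_FIELDS = ("search_count", "search_name", "search_reason", "search_url")

# One varbind as snmptrapd -Lo prints it. Accepts the object OID the script builds
# (enterprises.27389.1.1.N) and the shorter enterprises.27389.1.N form seen in the example run.
# STRING values are assumed not to contain embedded double quotes.
VARBIND_RE = re.compile(
    r'SNMPv2-SMI::enterprises\.27389\.1(?:\.1)?\.(\d+) = (INTEGER|STRING): ("[^"]*"|\S+)')
# Record header: timestamp, agent name, agent address, transport, trap type, version, community.
HEADER_RE = re.compile(
    r'^(\S+ \S+) (\S+) \[([^\]]+)\] \(via UDP: \[[^\]]+\]:\d+\) TRAP2?, SNMP (v\w+), community (\S+)')

# Constructed sample record (not from the page) in the layout snmptrapd -Lo emits for a v2c trap.
SAMPLE = (
    '2016-10-05 09:12:44 splunk-idx1 [192.0.2.10] (via UDP: [192.0.2.10]:40211) TRAP2, SNMP v2c, community public\n'
    '\tSNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.27389.1.2\t'
    'SNMPv2-SMI::enterprises.27389.1.1.1 = INTEGER: 7\t'
    'SNMPv2-SMI::enterprises.27389.1.1.2 = STRING: "sourcetype::syslog"\t'
    'SNMPv2-SMI::enterprises.27389.1.1.3 = STRING: "search sourcetype::syslog"\t'
    'SNMPv2-SMI::enterprises.27389.1.1.4 = STRING: "SyslogEventsLast24"\t'
    'SNMPv2-SMI::enterprises.27389.1.1.5 = STRING: "Saved Search [SyslogEventsLast24]: The number of hosts(7) was greater than 1"\t'
    'SNMPv2-SMI::enterprises.27389.1.1.6 = STRING: "http://splunk-idx1:8000/?q=sourcetype%3a%3asyslog"\t'
    'SNMPv2-SMI::enterprises.27389.1.1.7 = STRING: ""\t'
    'SNMPv2-SMI::enterprises.27389.1.1.8 = STRING: "/opt/splunk/var/run/splunk/SyslogEventsLast24"\n')

def parse_trap(record: str) -> Dict[str, Union[str, int, None]]:
    """Turn one snmptrapd log record into the Splunk alert fields plus trap metadata."""
    trap: Dict[str, Union[str, int, None]] = {f: None for f in VARBIND_FIELDS.values()}
    header = HEADER_RE.search(record)
    if header:
        trap["received"], trap["agent"], trap["agent_ip"] = header.group(1, 2, 3)
        trap["snmp_version"], trap["community"] = header.group(4, 5)
    for idx, kind, raw in VARBIND_RE.findall(record):
        field = VARBIND_FIELDS.get(int(idx))
        if field is not None:  # unknown indexes (and non-Splunk varbinds) are ignored
            trap[field] = int(raw) if kind == "INTEGER" else raw.strip('"')
    return trap

def validate_trap(trap: Dict[str, Union[str, int, None]]) -> List[str]:
    """List the reasons an NMS-side consumer should discard the trap; empty means well-formed."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if trap.get(f) in (None, "")]
    if trap.get("search_count") is not None and not isinstance(trap["search_count"], int):
        problems.append("search_count is not an INTEGER varbind")
    return problems
```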

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Comments

Hi @Chris0512
Given the Spectrum use case and your specific questions, I think the best option would be to post this same question on our Answers community forum. This should help you get some advice from other users who might have worked through the same scenario.

https://answers.splunk.com/

We'll also do some research to see if there are any recommendations we can offer. I'll follow up with you directly as we learn more.

Frobinson splunk, Splunker
October 6, 2016

We can successfully send the trap into our Spectrum instance, but how can I send the search results and not just the

$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)

I would like to have the details placed into spectrum not just a link to where the details are stored in a .gz file

Or the url to run the search
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search

It should search, alert and have everything in the alert.

Any help would be greatly appreciated thanks

Chris0512
October 5, 2016

Binoyvincent, yes Splunk Enterprise supports SNMP v.3.

Vgenovese
October 27, 2014

Does Splunk support SNMP version 3?

Binoyvincent
October 26, 2014

Ben363, yes, SNMP uses port 161, which requires root access. There might be a scenario that you can forward port 161 to a port that does not require root access, but that is outside of the scope of the Splunk Enterprise documentation. You could post your question on Splunk Answers to see if this can be done.

Vgenovese
October 20, 2014

Doesn't snmptrap require root access? Is there an equivalent command that doesn't require root access, or a simple way to make snmptrap send traps as a non-root user?

Ben363
September 10, 2014
