This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6
Use Splunk as a monitoring tool that sends SNMP alerts to other systems, such as a Network Systems Management console.
This example uses the /usr/bin/snmptrap command; if you have another way of sending an SNMP trap from a shell script, modify the script as needed.
Save the following script as traphosts.pl in the $SPLUNK_HOME/bin/scripts directory of your Splunk install (create the directory if it doesn't already exist).
Run chmod +x traphosts.pl to make it executable.
Edit the variables at the top of the script to set the Host:Port of the SNMP trap handler, the paths to the external commands splunk and snmptrap, and the user/password if necessary.
#!/usr/bin/perl
#
# traphosts.pl: send SNMP trap for each host in the results of a Live Splunk
#
use strict;
use warnings;

# Modify the following as necessary for your local environment
#
my $hostPortSNMP = "snmphost:162"; # Host:Port of snmptrapd or other SNMP trap handler
my $snmpCommunity = "public"; # SNMP v1 community string expected by the trap handler
my $splunkCmd = "/opt/splunk/bin/splunk"; # path to Splunk command line
my $snmpTrapCmd = "/usr/bin/snmptrap"; # path to snmptrap, from http://www.net-snmp.org
my $OID = "1.3.6.1.4.1.27389.1"; # Object IDentifier for a Live Splunk, Splunk Enterprise OID is 27389
my $splunkAuth = "admin:changeme"; # User/password for Splunk (visible in the process list while splunk runs)

# Parameters passed in from the Live Splunk:
#
die "usage: $0 <results XML> <search terms> <query> <name> <reason> <URL>\n" if @ARGV < 6;
my ($liveSplunkCount) = $ARGV[0] =~ m#<eventCount>(\d+)</eventCount>#; # $1 - get from results summary in XML
my $liveSplunkSearchTerms = $ARGV[1]; # $2 - search terms used by Live Splunk
my $liveSplunkQuery = $ARGV[2]; # $3 - fully qualified query string of Live Splunk
my $liveSplunkName = $ARGV[3]; # $4 - name of Live Splunk
my $liveSplunkReason = $ARGV[4]; # $5 - reason Live Splunk fired
my $liveSplunkURL = $ARGV[5]; # $6 - URL/Permalink of Live Splunk
my ($liveSplunkStarttime) = $ARGV[0] =~ m#<starttime>(.+)</starttime>#; # get from results summary in XML
my ($liveSplunkEndtime) = $ARGV[0] =~ m#<endtime>(.+)</endtime>#; # get from results summary in XML
$liveSplunkCount = 0 unless defined $liveSplunkCount; # send 0 rather than an empty integer if the summary has no count
$liveSplunkStarttime = '' unless defined $liveSplunkStarttime;
$liveSplunkEndtime = '' unless defined $liveSplunkEndtime;

# Get unique hosts
#
# The list form of open() runs splunk directly, with no shell in between, so search
# terms containing quotes or shell metacharacters cannot change the command that runs.
open(my $hostsFh, '-|', $splunkCmd, 'search', '-get', 'hosts',
    "$liveSplunkSearchTerms starttime::$liveSplunkStarttime endtime::$liveSplunkEndtime",
    '-auth', $splunkAuth) or die "cannot run $splunkCmd: $!\n";
my @hosts = <$hostsFh>;
close($hostsFh);
push @hosts, "NO_HOSTNAME" if !@hosts;

# Trap parameters sent:
#
# .1 - i - Count of events found by this Live Splunk
# .2 - s - Search terms used by Live Splunk
# .3 - s - URL/Permalink of Live Splunk
# .4 - s - Name of Live Splunk
# .5 - s - Reason Live Splunk fired
# .6 - s - Hostname
# .7 - s - Message

# Send one trap per unique host
#
foreach my $hostname (@hosts) {
    chomp($hostname);
    my $message = "Live Splunk $liveSplunkName on $hostname";
    # snmptrap v1 arguments: enterprise OID, agent address ('' = this host), generic trap,
    # specific trap, uptime ('' = current), then OID/type/value triples. The list form of
    # system() passes each value as a single argument, so no shell quoting is needed.
    system($snmpTrapCmd, '-v', '1', '-c', $snmpCommunity, $hostPortSNMP, $OID, '', '1', '0', '',
        "$OID.1", 'i', $liveSplunkCount,
        "$OID.2", 's', $liveSplunkSearchTerms,
        "$OID.3", 's', $liveSplunkURL,
        "$OID.4", 's', $liveSplunkName,
        "$OID.5", 's', $liveSplunkReason,
        "$OID.6", 's', $hostname,
        "$OID.7", 's', $message) == 0
        or warn "snmptrap failed for $hostname (exit status $?)\n";
}
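On the receiving side, a Network Systems Management console running Net-SNMP's snmptrapd can hand each trap to a traphandle script, which gets the sender, the transport, and one "OID value" line per varbind on stdin. The following is an added example, not part of this page or of Splunk, of such a handler that pulls out the .1 to .7 fields listed in the script's comments; it assumes snmptrapd is started with -On so OIDs are printed numerically, and tolerates values with or without a "TYPE:" prefix. The sample input is constructed.

```python
#!/usr/bin/env python3
import sys

SPLUNK_OID = "1.3.6.1.4.1.27389.1"  # enterprise OID used by traphosts.pl
# varbind suffix -> field, mirroring the ".1 .. .7" list in traphosts.pl
FIELDS = {"1": "event_count", "2": "search_terms", "3": "url", "4": "name",
          "5": "reason", "6": "hostname", "7": "message"}

# Constructed sample of what snmptrapd hands a traphandle on stdin when started
# with -On (numeric OIDs): sender, transport, then one "OID value" line per varbind.
SAMPLE = """splunk01
UDP: [192.0.2.10]:51234->[192.0.2.1]:162
.1.3.6.1.6.3.1.1.4.1.0 .1.3.6.1.6.3.1.1.5.2
.1.3.6.1.4.1.27389.1.1 INTEGER: 3
.1.3.6.1.4.1.27389.1.2 STRING: "authentication failure"
.1.3.6.1.4.1.27389.1.6 STRING: "web01"
.1.3.6.1.4.1.27389.1.7 STRING: "Live Splunk bad_logins on web01"
"""

def parse_value(raw):
    """Drop the optional 'TYPE:' prefix and surrounding quotes in a varbind value."""
    raw = raw.strip()
    for prefix in ("INTEGER:", "STRING:", "OID:"):
        if raw.startswith(prefix):
            raw = raw[len(prefix):].strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw

def parse_trap(lines):
    """Return a dict with the sender and the Splunk-specific varbinds of one trap."""
    lines = [l.rstrip("\n") for l in lines if l.strip()]
    if len(lines) < 2:
        raise ValueError("traphandle input needs at least hostname and transport lines")
    record = {"sender": lines[0], "transport": lines[1]}
    for line in lines[2:]:
        parts = line.split(None, 1)
        oid, value = parts[0].lstrip("."), (parts[1] if len(parts) > 1 else "")
        if not oid.startswith(SPLUNK_OID + "."):
            continue  # sysUpTime, snmpTrapOID and other varbinds are not ours
        field = FIELDS.get(oid[len(SPLUNK_OID) + 1:])
        if field:
            record[field] = parse_value(value)
    if "event_count" in record:
        record["event_count"] = int(record["event_count"])  # ".1 - i" is an integer
    return record

if __name__ == "__main__":
    source = SAMPLE.splitlines(True) if sys.stdin.isatty() else sys.stdin
    print(parse_trap(source))
```

Run interactively it parses the constructed sample; under snmptrapd it reads the real trap from stdin.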
The first step is to save a Splunk. You can use any valid search terms, but for this example:
Type authentication failure into the Splunk box and hit Enter.
Click Splunks, then Save...
Name it bad_logins and click Save.
Now make it a Live Splunk by clicking the Make Live link that appears below the Splunk box just after saving, or click the Splunks dropdown, choose Manage my Splunks, then click Add Live Splunk to the right of bad_logins. Fill out the details as follows and click Create:
This Live Splunk will run every 5 minutes, and if more than one event is found our script gets called, sending an SNMP trap for each unique hostname found.
For more information on Live Splunks, see Saved Splunks & Live Splunks in the Splunk User Manual.