Send SNMP traps to other systems

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10

You can use Splunk as a monitoring tool to send SNMP alerts to other systems such as a Network Systems Management console.

If you're interested in sending SNMP traps on Windows, check this Community Wiki topic.

Configuration

Requirements

  • Perl is required to run the script below.
  • Net-SNMP package is required in order to use the /usr/bin/snmptrap command - if you have another way of sending an SNMP trap from a shell script then modify as needed.
  • Admin access to the $SPLUNK_HOME/bin/scripts directory of your Splunk install.
  • For security reasons, scripts must reside in $SPLUNK_HOME/bin/scripts.

Create shell script

  • Create the sendsnmptrap.pl script in your $SPLUNK_HOME/bin/scripts directory.
    • For security reasons, scripts must reside in this directory. Create the directory if it doesn't already exist.
    • Copy the code below into sendsnmptrap.pl.
  • chmod +x sendsnmptrap.pl to make it executable.
  • Change the Host:Port of the SNMP trap handler, the path to the external snmptrap command, and the community string (public in the script below) if necessary.
  • The perl script will work on MS Windows systems with Perl. However, on some Windows systems, perl may not be installed, or perl scripts may not be configured to be directly executable via Splunk. In these cases, you may find it easier to send SNMP traps using a Windows CMD script.

#!/usr/bin/perl
#
# sendsnmptrap.pl: A script for Splunk alerts to send an SNMP trap.
#
# Modify the following as necessary for your local environment
#
use strict;
use warnings;

my $hostPortSNMP = "qa-tm1:162"; # Host:Port of snmptrapd or other SNMP trap handler
my $snmpTrapCmd = "/usr/bin/snmptrap"; # Path to snmptrap, from http://www.net-snmp.org
my $community = "public"; # SNMP v1 community string expected by the trap handler
my $OID = "1.3.6.1.4.1.27389.1.1"; # Object IDentifier for an alert, Splunk Enterprise OID is 27389

# Parameters passed in from the alert.
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
my $searchCount = $ARGV[0]; # $1 - Number of events returned
my $searchTerms = $ARGV[1]; # $2 - Search terms
my $searchQuery = $ARGV[2]; # $3 - Fully qualified query string
my $searchName = $ARGV[3]; # $4 - Name of saved search
my $searchReason = $ARGV[4]; # $5 - Reason saved search triggered
my $searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search
my ($searchTags, $searchPath);
if ( $ARGV[7] ) { # We received tags
    $searchTags = $ARGV[6]; # $7 - Tags, if any, otherwise $7 is $8
    $searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)
} else { # We didn't receive tags
    $searchPath = $ARGV[6]; # $7 - Path to raw saved results in Splunk instance (advanced)
}

# Build the snmptrap argument list, with the parameter list above mapping down into the OID.
# snmptrap -v 1 expects: enterprise-oid agent generic-trap specific-trap uptime, then varbinds;
# the empty agent and uptime arguments let snmptrap fill in its own address and current uptime.
# The list form of system() hands every argument to snmptrap directly, so search terms or
# reasons containing quotes, $ or ; are never interpreted by a shell.
my @cmd = ( $snmpTrapCmd, "-v", "1", "-c", $community, $hostPortSNMP, $OID, "", "1", "0", "",
            "$OID.1", "i", $searchCount,
            "$OID.2", "s", $searchTerms,
            "$OID.3", "s", $searchQuery,
            "$OID.4", "s", $searchName,
            "$OID.5", "s", $searchReason,
            "$OID.6", "s", $searchURL );
if ( $ARGV[7] ) { # We received tags
    push @cmd, "$OID.7", "s", $searchTags;
}
push @cmd, "$OID.8", "s", $searchPath;
system(@cmd) == 0 or die "snmptrap failed: $?\n";

Configure your alert to call a shell script

[Image: shellscript.png]

Here is an example of the script running, including what it returns:

[root@qa-tm1 ~]# snmptrapd -f -Lo
2007-08-13 16:13:07 NET-SNMP version 5.2.1.2 Started.
2007-08-13 16:14:03 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32883) TRAP, SNMP v1, community public
        SNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:45:08.35
        SNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 7
        SNMPv2-SMI::enterprises.27389.1.2 = STRING: "sourcetype::syslog"
        SNMPv2-SMI::enterprises.27389.1.3 = STRING: "search sourcetype::syslog starttime:12/31/1969:16:00:00 endtime::08/13/2007:16:14:01"
        SNMPv2-SMI::enterprises.27389.1.4 = STRING: "SyslogEventsLast24"
        SNMPv2-SMI::enterprises.27389.1.5 = STRING: "Saved Search [SyslogEventsLast24]: The number of hosts(7) was greater than 1"
        SNMPv2-SMI::enterprises.27389.1.6 = STRING: "http://qa-el4:18000/?q=sourcetype%3a%3asyslog%20starttimeu%3a%3a0%20endtimeu%3a%3a1187046841"
        SNMPv2-SMI::enterprises.27389.1.7 = STRING: "/home/tet/inst/splunk/var/run/splunk/SyslogEventsLast24"
2007-08-13 16:14:15 NET-SNMP version 5.2.1.2 Stopped.
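On the receiving side, a management console has to undo the mapping the script performs: pull the enterprise sub-identifiers (.1 count, .2 terms, .3 query, .4 name, .5 reason, .6 URL, optional .7 tags, .8 path) back out of what snmptrapd logs, and drop records that are not Splunk alert traps at all. The Python below is an added example, not Splunk's or Net-SNMP's code; it parses a constructed snmptrapd record in the layout shown above, and the function and field names are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Splunk's enterprise number and the alert OID prefix used by sendsnmptrap.pl
# (1.3.6.1.4.1.27389.1.1 renders as SNMPv2-SMI::enterprises.27389.1.1).
SPLUNK_ENTERPRISE = 27389
ALERT_OID_PREFIX = f"SNMPv2-SMI::enterprises.{SPLUNK_ENTERPRISE}.1."

# Sub-identifier -> alert field, mirroring the $OID.N varbinds in the script.
FIELD_BY_SUBID = {1: "count", 2: "terms", 3: "query", 4: "name",
                  5: "reason", 6: "url", 7: "tags", 8: "path"}

# One varbind as snmptrapd prints it: <oid> = INTEGER: 7  or  <oid> = STRING: "..."
VARBIND_RE = re.compile(
    re.escape(ALERT_OID_PREFIX) + r'(\d+) = (INTEGER|STRING): (?:"([^"]*)"|(\S+))')

# Constructed sample record in the snmptrapd -Lo layout shown above (real output
# puts the varbinds tab-separated on one line; this record carries no tags).
SAMPLE_TRAP = (
    "2007-08-13 16:14:03 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32883) "
    "TRAP, SNMP v1, community public\n"
    "\tSNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:45:08.35\n"
    "\tSNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 7\t"
    'SNMPv2-SMI::enterprises.27389.1.2 = STRING: "sourcetype::syslog"\t'
    'SNMPv2-SMI::enterprises.27389.1.4 = STRING: "SyslogEventsLast24"\t'
    'SNMPv2-SMI::enterprises.27389.1.5 = STRING: "Saved Search [SyslogEventsLast24]: '
    'The number of hosts(7) was greater than 1"\t'
    'SNMPv2-SMI::enterprises.27389.1.8 = STRING: "/home/tet/inst/splunk/var/run/splunk/SyslogEventsLast24"\n')

# Constructed non-alert record (snmptrapd's own status line) to show rejection.
NOT_A_SPLUNK_TRAP = "2007-08-13 16:14:15 NET-SNMP version 5.2.1.2 Stopped."


def parse_splunk_trap(record: str) -> Optional[Dict[str, object]]:
    """Decode one snmptrapd record into the alert fields the script sent.
    Returns None when the record carries no Splunk alert varbinds, so callers
    can discard unrelated traps instead of treating them as alerts."""
    fields: Dict[str, object] = {"tags": None}  # tags are optional ($7 may be absent)
    for m in VARBIND_RE.finditer(record):
        subid, kind, quoted, bare = m.groups()
        name = FIELD_BY_SUBID.get(int(subid))
        if name is None:
            continue  # unknown sub-OID: skip it rather than reject the whole trap
        value = quoted if quoted is not None else bare
        fields[name] = int(value) if kind == "INTEGER" else value
    if "count" not in fields or "name" not in fields:
        return None  # not a Splunk alert trap (or too mangled to act on)
    return fields
```

The INTEGER/STRING split matters in practice: the event count arrives as a number the console can threshold on, while everything else is free text taken verbatim from the saved search.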