• How Splunk Works
  • How Splunk Works
    • About Splunk
    • Indexing
    • User interaction
    • Users and access controls
    • Distributed deployments
    • Configuration
    • SplunkBase
    • Developer APIs and integration features
    • Licensing
• Getting Started
  • About the getting started section
  • Installation
  • Administration Basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Start Splunk for the first time
  • Find and index data
    • Add Data
    • Tail a file
    • Find logfiles
    • Get help configuring your sources
  • Add more users
    • User roles
    • Splunk local users
    • LDAP
• Configuring a Splunk Deployment
  • Choose a Deployment Model
    • Single server
    • Distributed input
    • Distributed indexing
    • Data redundancy
    • Partitioning
    • Forwarding to non-Splunk systems
    • LDAP integration
  • Decide how Splunk should index your data
    • Create additional indexed fields
    • Tweak default processing
    • Mask sensitive data
    • Change indexing density
    • Eliminate processing steps
    • Filter and route data
  • Install Splunk on every host
  • Configure the forwarding servers
    • Define server classes
    • Inputs
    • Processing properties
    • Data distribution
    • Data policy
    • Authentication
  • Set up the deployment server
    • Configure the deployment server
    • Set up deployment classes
  • Start Splunking
• Data Inputs
  • How input configuration works
    • Data input types
    • Indexing properties
  • Configure inputs via SplunkWeb
    • Configuration
    • Files and directories
    • FIFO queues
    • Network ports
  • Configure inputs via the CLI
    • Data input commands
    • Data input types
    • Examples
  • Scripted inputs
    • Configuration
    • Example
  • File whitelisting / blacklisting
    • Configuration
    • Example
    • Verification tool
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via SplunkWeb
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via SplunkWeb
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
  • Host name configuration examples
    • Setting host through inputs.conf
    • Setting host through transforms.conf and props.conf
• Source Types
  • How source types work
    • Sources and source types
    • How sourcetype:: values are set
    • Custom indexing linked to source types
    • Eliminate processing steps
    • Configuration files for source types
  • Set source type for an input
    • via SplunkWeb
    • via configuration files
  • Set a source type for a source
    • via configuration files
  • Train Splunk on a sourcetype
    • via the CLI
  • Create an alias for a source type
    • via SplunkWeb
• Timestamp Recognition
  • How Splunk recognizes timestamps
    • Timestamp precedence
    • Configuration files for timestamps
  • Configure Splunk to recognize a timestamp
    • Positional timestamp extraction
    • Specify timestamp format
    • Set time zone
    • Set Splunk to use the European date format
  • Train Splunk to recognize timestamps
    • About training
    • via the CLI
  • How to configure timezone offsets
    • Configuration
    • Posix TZ formats
    • Examples
  • Tune Timestamping
    • Turn off timestamp lookahead
• Events
  • How events work
    • Event or event type
    • How event recognition works
    • Configuration files for event boundaries
  • Large events
  • Multiline events
    • Configuration
    • Examples
  • Mask sensitive data in an event
    • Configuration
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Auto-discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Configure auto-discovery
    • Configuration
    • Example
  • punct::
  • Save event types via SplunkWeb
    • Configuration
    • Example
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Considerations for event types in distributed environments
• Meta Events
  • How meta events work
    • Transitive meta events
    • Configuration files for meta events
  • Configure meta events
    • Configuration
    • Examples
• Fields
  • How fields work
    • Search fields vs extracted fields
    • Disable fields entirely
    • Configuration files for fields
  • Define additional extracted fields
    • Configuration
    • Example
  • Field actions
    • Configuration
• Segmentation
  • How segmentation works
    • Configuration files for segmentation
• Saved Searches and Alerts
  • How saved searches work
    • Saved searches
    • Alerting
  • Set up saved searches
    • via SplunkWeb
    • via configuration files
  • Set up Alerts
    • via SplunkWeb
    • via configuration files
    • Script options
  • Send SNMP traps
    • Configuration
  • Send syslog events
    • Configuration
    • Example
  • Considerations for saved searches and alerts in a distributed environment
• Authentication
  • How authentication works
  • SSL
    • Configuration
    • SSL for SplunkWeb
  • Set up users
  • Set up LDAP
    • Configure your Authentication Strategy via SplunkWeb
    • Configure Splunk to use your LDAP server
    • Determine your User and Group Base DN
    • Map existing LDAP groups to Splunk Roles
    • Test your LDAP configuration
    • Sample configurations
• Data Distribution
  • How data distribution works
    • Data forwarding
    • Data routing
    • Data cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lite-weight forwarding and routing
  • Set up routing
    • Configuration
    • Examples
  • Route data to third-party systems
    • Configuration
    • Example
  • Enable cloning
  • Set up SSL
    • Forwarder
    • Receiver
  • Set up data balancing
    • Configuration
    • Example
  • Filtering and routing
    • Configuration
    • Example
  • Filter data before forwarding
  • Route specific events to an alternate index
    • Configuration
    • Example
• Granular Access Control
  • How Granular Access Control works
    • Configuration files for access controls
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via SplunkWeb
  • Enable distributed search via the CLI
    • Configuration
  • Configuration files for distributed search
  • Users in a distributed search setup
  • Exclude specific Splunk servers from distributed searches
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Create a deployment server
    • Configuration
    • Examples
  • Configure deployment clients
    • Enable the client and server
    • Sync the server and client
  • Configuration changes after initial deployment
  • Using Splunk with 3rd Party configuration management systems
• Index Management
  • How Index Management Works
    • Data management
    • Configuration files for index management
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Set retirement policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restoring archived data
    • Restoring a copied index archive
  • Configuration files for data policy
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Set up a WORM datastore
  • Reducing Index Density
  • Delete data from the index
    • Delete everything
    • Delete a subset of events
• Bundles
  • What are Bundles?
  • Bundle directory structure
  • Bundle precedence
  • Bundle best practice
    • Testing bundles
• SplunkBase
  • Why use SplunkBase?
  • Sharing add-ons on SplunkBase
    • Creating Add-ons
    • Best practices for making add-ons containing Splunk configuration
    • Submit your add-on
  • Finding and downloading add-ons on SplunkBase
    • Implementing add-ons from SplunkBase
  • Looking up events on SplunkBase
    • Configuration
  • Security and privacy considerations
  • Control user access to SplunkBase
• Performance Tuning
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • eventdiscoverer.conf
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Tuning indexes.conf
    • Tuning props.conf
    • Make SplunkWeb search faster
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • Network utilization
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
  • Virtual machines
• Routine Maintenance
  • System backups
    • Backups in 3 Easy Steps
  • Monitoring Splunk
    • via SplunkWeb
• How-To
  • Harden a Splunk server
  • Secure network connections
  • Restore a failed server
  • Add or Remove an index
    • Create an index
    • Delete an index
  • Move an index
    • Configuration
  • Change data policy to recover space
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Public server setup
  • Determine daily volume
  • Set up auto-refresh
  • Upgrade your license for more data
  • How to use Splunk 2 Nagios
    • What Nagios logs
    • Install the Splunk2Nagios integration
  • Restore a blocked license
  • Customize the built-in help module
  • Configure GUI Timeout
  • Configure the Get Started module
  • Disable SplunkWeb
    • Edit web.conf
    • Run the disable command
    • Re-enable SplunkWeb
  • Place Splunk behind a web proxy
    • Scenario:
    • Solution:
  • Configure OPSEC LEA Input
    • Installation
    • Checkpoint Modification
    • Configuration
  • Cancel Search
  • Reconstitute Logs
    • Export event data
    • CLI search
  • Strip syslog headers before processing
  • Enable HTTPS
    • configuration
• Troubleshooting
  • Splunkd is down
  • Splunk logfiles
    • Internal logs
    • debug
    • log.cfg
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • Cannot access License & Usage tab
    • I installed my license in a Preview release and now it doesn't work!
  • Contact Support
    • Work with Splunk Support
    • Log levels and starting in debug mode
• Reference
  • Splunk CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Configuration file list
  • access_controls.conf
    • access_controls.conf.spec
  • alert_actions.conf
    • alert_actions.conf.spec
  • auth.conf
    • auth.conf.spec
  • deployment.conf
    • deployment.conf.spec
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
  • eventtypes.conf
    • eventtypes.conf.spec contents
  • field_actions.conf
    • field_actions.conf.spec
  • indexes.conf
    • indexes.conf.spec
  • inputs.conf
    • inputs.conf.spec
  • metaevents.conf
    • metaevents.conf.spec
  • outputs.conf
    • outputs.conf.spec
  • prefs.conf
    • prefs.conf.spec
  • props.conf
    • props.conf.spec
  • savedsearches.conf
    • How to read a savedsearches.conf file
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.spec
  • server.conf
    • server.conf.spec
  • transforms.conf
    • transforms.conf.spec
  • user-seed.conf
    • user-seed.conf.spec
  • web.conf
    • web.conf.spec

Send SNMP traps

You can use Splunk as a monitoring tool to send SNMP alerts to other systems such as a Network Systems Management console.

Configuration

Requirements

• Perl is required to run the script below.
• Net-SNMP package is required in order to use the /usr/bin/snmptrap command - if you have another way of sending an SNMP trap from a shell script then modify as needed.
• Admin access to the $SPLUNK_HOME/bin/scripts directory of your Splunk install.

External Links

• Perl
• Net-SNMP package

Create shell script

• Create traphosts.pl script in your $SPLUNK_HOME/bin/scripts directory (create directory if it doesn't already exist).
  • Copy the code below into traphosts.pl.
• chmod +x traphosts.pl to make it executable.
• Change the Host:Port of the SNMP trap handler, paths to external commands splunk and snmptrap, and the user/password if necessary.

#!/usr/bin/perl
#
# sendtrap.pl: A script to for Splunk alerts to send an SNMP trap.
#
# Modify the following as necessary for your local environment
#
$hostPortSNMP = "qa-tm1:162"; # Host:Port of snmpd or other SNMP trap handler
$snmpTrapCmd = "/usr/bin/snmptrap"; # Path to snmptrap, from http://www.net-snmp.org
$OID = "1.3.6.1.4.1.27389.1"; # Object IDentifier for an alert, Splunk Enterprise OID is 27389

# Parameters passed in from the alert.
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.

$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string
$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search

if ( $ARGV[7] ) { # We received tags
    $searchTags = $ARGV[6]; # $7 - Tags, if any, otherwise $7 is $8
    $searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)
} else { # We didn't receive tags
    $searchPath = $ARGV[6]; # $7 - Path to raw saved results in Splunk instance (advanced)
}

# Send trap, with the the parameter list above mapping down into the OID.

if ( $ARGV[7] ) { # We received tags

        $cmd = qq/$snmpTrapCmd -v 1 -c public $hostPortSNMP $OID '' 1 0 '' $OID.1 i $searchCount $OID.2 s "$searchTerms" $OID.3 s "$searchQuery" $OID.4 s "$searchName" $OID.5 s "$searchReason" $OID.6 s "$searchURL" $OID.7 s "$searchTags" $OID.8 s "$searchPath"/;
        system($cmd);

} else { # We didn't receive tags

        $cmd = qq/$snmpTrapCmd -v 1 -c public $hostPortSNMP $OID '' 1 0 '' $OID.1 i $searchCount $OID.2 s "$searchTerms" $OID.3 s "$searchQuery" $OID.4 s "$searchName" $OID.5 s "$searchReason" $OID.6 s "$searchURL" $OID.7 s "$searchPath"/;
        system($cmd);

} 

Configure your alert to call the shell script

• Create a saved search. See Set Up Saved Searches for more information.

• Turn your saved search into an alert. See Set up Alerts for more information.

• Set up your alert so that it calls your shell script by specifying the following:

• Set trigger shell script to the location of your traphosts.pl. If you place traphosts.pl in $SPLUNK_HOME/bin/scripts, you don't have to put in the entire path.

Here is an example of the script running, including what it returns:

[root@qa-tm1 ~]# snmptrapd -f -Lo
2007-08-13 16:13:07 NET-SNMP version 5.2.1.2 Started.
2007-08-13 16:14:03 qa-el4.splunk.com [172.16.0.121] (via UDP: [172.16.0.121]:32883) TRAP, SNMP v1, community public
        SNMPv2-SMI::enterprises.27389.1 Warm Start Trap (0) Uptime: 96 days, 20:45:08.35
        SNMPv2-SMI::enterprises.27389.1.1 = INTEGER: 7 SNMPv2-SMI::enterprises.27389.1.2 = STRING: "sourcetype::syslog" SNMPv2-SMI::enterprises.27389.1.3 = STRING: "search sourcetype::syslog starttime:12/31/1969:16:00:00 endtime::08/13/2007:16:14:01" SNMPv2-SMI::enterprises.27389.1.4 = STRING: "SyslogEventsLast24" SNMPv2-SMI::enterprises.27389.1.5 = STRING: "Saved Search [SyslogEventsLast24]: The number of hosts(7) was greater than 1" SNMPv2-SMI::enterprises.27389.1.6 = STRING: "http://qa-el4:18000/?q=sourcetype%3a%3asyslog%20starttimeu%3a%3a0%20endtimeu%3a%3a1187046841" SNMPv2-SMI::enterprises.27389.1.7 = STRING: "/home/tet/inst/splunk/var/run/splunk/SyslogEventsLast24"
2007-08-13 16:14:15 NET-SNMP version 5.2.1.2 Stopped.