Is it possible to import custom MIBs into Splunk, so it can understand SNMP Traps from different vendors?
Splunk does not have any concept of structured data such as MIBs. However, you can certainly configure Splunk to understand the timestamp, linebreaking, and field properties of a given MIB so that the information looks as it should in the Splunk user interface. If you have a specific problem with a trap, please let me know.
What we are trying to do is interpret SNMP traps sent from Symantec Netbackup System.
They show which jobs have completed, which backup jobs have errors, etc.
The traps arrive like this:
0\x82\x02l\x2\x1\x1\x4\x3NOMï½§\x82\x02`\x2\x2\x13\x2\x1
So with the Mib, we should be able to translate those cryptic characters into something readable.
I'm guessing this is doable, but would require a services engagement?
Check out this page:
http://www.splunk.com/doc/3.3/admin/sourceSNMP
This would be the easiest way to set up the SNMP listener. Once the data comes in via the FIFO, it should no longer be binary/hex like the above message.
[Revised on Mon, 09 Jun 2008 14:49:48 -0700]
Sorry, try this link instead:
Continuing on with my newbie questions...
Which SNMP trap daemon should I use for Windows?
I think I understand the rest of the parts (create a FIFO listener and point to the FIFO file generated by snmptrapd)
[Revised on Mon, 09 Jun 2008 16:05:15 -0700]
Ok, Net-SNMP seems to have a trap receiver that may work for Windows. Will see if it can output as FIFO and report back.
Yeah, that would be the one I would recommend. If you can't do FIFO on Windows, just have it export to a text file and tail the file/directory using the followTail = 1 config so that it only eats new data in the file directory.