#!/usr/bin/perl
#
# traphosts.pl: send SNMP trap for each host in the results of a Live Splunk
#
# Modify the following as necessary for your local environment
#
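use strict;
use warnings;

# --- Local configuration: modify as necessary for your environment ---
my $hostPortSNMP  = "snmphost:162";             # Host:Port of snmpd or other SNMP trap handler
my $snmpCommunity = "public";                   # SNMP v1 community string sent with every trap
my $splunkCmd     = "/opt/splunk/bin/splunk";   # path to Splunk command line
my $snmpTrapCmd   = "/usr/bin/snmptrap";        # path to snmptrap, from http://www.net-snmp.org
my $OID           = "1.3.6.1.4.1.27389.1";      # Object IDentifier for a Live Splunk, Splunk Enterprise OID is 27389
my $splunkAuth    = "admin:changeme";           # User/password for Splunk
# NOTE: $splunkAuth is handed to the splunk CLI as a command-line argument, so it is
# visible to other local users in the process list. Keep this file's permissions
# tight and use a dedicated, least-privilege Splunk account for this script.

# --- Parameters passed in from the Live Splunk (positional) ---
# Missing arguments become '' so a short @ARGV does not produce undef warnings
# or an empty trap varbind list.
my @args = map { defined $_ ? $_ : '' } @ARGV[0 .. 5];
my $resultsXML            = $args[0];   # $1 - results summary in XML
my $liveSplunkSearchTerms = $args[1];   # $2 - search terms used by Live Splunk
my $liveSplunkQuery       = $args[2];   # $3 - fully qualified query string of Live Splunk (not sent in the trap)
my $liveSplunkName        = $args[3];   # $4 - name of Live Splunk
my $liveSplunkReason      = $args[4];   # $5 - reason Live Splunk fired
my $liveSplunkURL         = $args[5];   # $6 - URL/Permalink of Live Splunk

# Count and time window are pulled out of the XML results summary.
my ($liveSplunkCount)     = $resultsXML =~ m{<eventCount>(\d+)</eventCount>};
my ($liveSplunkStarttime) = $resultsXML =~ m{<starttime>(.+)</starttime>};
my ($liveSplunkEndtime)   = $resultsXML =~ m{<endtime>(.+)</endtime>};
$liveSplunkCount     = 0  unless defined $liveSplunkCount;   # varbind .1 is an integer; never send an empty value
$liveSplunkStarttime = '' unless defined $liveSplunkStarttime;
$liveSplunkEndtime   = '' unless defined $liveSplunkEndtime;

# --- Get unique hosts ---
# The search terms and time window come straight from the Live Splunk, so the
# search string is passed as ONE argument via list-form open (no shell); that
# way metacharacters in the search terms cannot inject extra commands.
my $searchString = "$liveSplunkSearchTerms starttime::$liveSplunkStarttime endtime::$liveSplunkEndtime";
my @hosts;
if (open my $splunk_fh, '-|', $splunkCmd, 'search', '-get', 'hosts', $searchString, '-auth', $splunkAuth) {
    @hosts = <$splunk_fh>;
    close $splunk_fh
        or warn "$splunkCmd exited with status " . ($? >> 8) . "\n";
}
else {
    warn "cannot run $splunkCmd: $!\n";
}
push @hosts, "NO_HOSTNAME" if !@hosts;   # still raise a trap when the host list is empty

# Trap parameters sent:
#
# .1 - i - Count of events found by this Live Splunk
# .2 - s - Search terms used by Live Splunk
# .3 - s - URL/Permalink of Live Splunk
# .4 - s - Name of Live Splunk
# .5 - s - Reason Live Splunk fired
# .6 - s - Hostname
# .7 - s - Message

# --- Send one trap per unique host ---
# system(LIST) execs snmptrap directly: hostnames returned by Splunk and the
# Live Splunk strings are delivered as single argv entries, never re-parsed by
# a shell. The '' / 1 / 0 / '' fields are snmptrap's v1 agent-addr, generic
# trap, specific trap and uptime positions, kept as in the original.
foreach my $hostname (@hosts) {
    chomp $hostname;
    my $message = "Live Splunk $liveSplunkName on $hostname";
    my @trap = (
        $snmpTrapCmd, '-v', '1', '-c', $snmpCommunity, $hostPortSNMP,
        $OID, '', '1', '0', '',
        "$OID.1", 'i', $liveSplunkCount,
        "$OID.2", 's', $liveSplunkSearchTerms,
        "$OID.3", 's', $liveSplunkURL,
        "$OID.4", 's', $liveSplunkName,
        "$OID.5", 's', $liveSplunkReason,
        "$OID.6", 's', $hostname,
        "$OID.7", 's', $message,
    );
    if (system(@trap) != 0) {
        # Best effort: report the failure and keep going with the remaining hosts.
        my $why = $? == -1 ? "could not execute: $!" : "exit status " . ($? >> 8);
        warn "$snmpTrapCmd failed for $hostname ($why)\n";
    }
}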

