Splunk and Cacti

Several options exist for bringing SNMP data into Splunk, such as our SNMP Modular Input.  But what if you already have an SNMP collection built with Cacti?  You could consolidate, rebuild and reconfigure all the collection… but the easier option is to take the Cacti data and feed it into Splunk.  This is a great example of using one tool to collect the data while bringing all the information together in a single platform for analytics.


Cacti Mirage is a new plugin released in the Cacti community. It grabs the Cacti poller's updates before they are written to the RRD files and mirrors a copy out for Splunk to collect using the Splunk Universal Forwarder.  You can find a more detailed tutorial and review the Cacti plugin. A mirrored poller update looks like this:

ldi="11" t="1454100361" rrdn="traffic_in" rrdv="1820067239"

Because the SNMP polling results are written out as simple key-value pairs, Splunk extracts these fields automatically.  The only gap left is the link between the local data ID (ldi) and what it actually means.

The Cacti Mirage Add-On for Splunk (soon to be on Splunkbase) includes a script that extracts the meaning of each local data ID from the Cacti database: the host, data source, data type and other information.  Splunk receives this and generates the lookup on the search head, which automatically expands the ldi field into these useful pieces of information.  You can find more details and contribute to the add-on on Splunkbase.

Automatic Lookups
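The sketch below is an added example, not code from the add-on: it parses events in the key="value" format shown above and expands ldi through a lookup table, flagging IDs the lookup does not cover. The lookup column names, the hostnames and all sample rows are constructed for illustration.

```python
import csv
import io
import re

# Constructed lookup rows standing in for the export from the Cacti database.
# Column names other than ldi are assumptions, not the add-on's schema.
LOOKUP_CSV = """ldi,host,data_source,data_type
11,core-sw-01,Interface - Traffic,COUNTER
12,core-sw-01,Interface - Errors,COUNTER
"""

# Constructed events in the key="value" format shown above.
EVENTS = [
    'ldi="11" t="1454100361" rrdn="traffic_in" rrdv="1820067239"',
    'ldi="11" t="1454100661" rrdn="traffic_in" rrdv="1820367239"',
    'ldi="99" t="1454100661" rrdn="traffic_in" rrdv="42"',
]

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Extract key="value" pairs into a dict of field name to string."""
    return dict(KV.findall(line))


def load_lookup(text):
    """Index the lookup rows by ldi."""
    return {row["ldi"]: row for row in csv.DictReader(io.StringIO(text))}


def enrich(event, lookup):
    """Expand ldi into the lookup's fields, marking events with no match."""
    out = dict(event)
    row = lookup.get(event.get("ldi"))
    if row is None:
        out["lookup_status"] = "unmapped"
    else:
        out.update({k: v for k, v in row.items() if k != "ldi"})
        out["lookup_status"] = "ok"
    return out


def unmapped_ids(lines, lookup):
    """Return the ldi values seen in events but missing from the lookup."""
    events = map(parse_event, lines)
    return sorted({e["ldi"] for e in events if "ldi" in e and e["ldi"] not in lookup})


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for line in EVENTS:
        print(enrich(parse_event(line), table))
    print("unmapped:", unmapped_ids(EVENTS, table))
```

A non-empty unmapped list means the lookup export is older than the data sources Cacti is polling and should be regenerated.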

With that said, you can now take all the data collected in Cacti, build dashboards in Splunk using all the capabilities that exist there, and even take it to the next level by correlating it with other data sources.

Splunk App Cacti Mirage dashboard

Posted by Menno Vanderlist