topic Re: Splunk Alerts / SNMP in Getting Data In

Splunk Alerts / SNMP

DTERM — Wed, 11 Jan 2012 14:30:54 GMT

I've setup a search, and configured Splunk to run a Perl script generating an SNMP message to another system when the script is run. The code for the Perl script follows:

#!/usr/bin/perl
#
$hostPortSNMP = "10.176.156.206:162"; 
# Host:Port of snmpd or other SNMP trap handler
$snmpTrapCmd = "/usr/bin/snmptrap"; 
# Path to snmptrap, from http://www.net-snmp.org
$TRAPOID = "1.3.6.1.4.1.27389.1.2"; 
# Object IDentifier for traps/notifications 
$OID = "1.3.6.1.4.1.27389.1.1";
# Object IDentifier for objects, Splunk Enterprise OID is 27389

$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string

$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search

$searchTags = $ARGV[6]; # $7 - Always empty as of 4.1
$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)
$cmd = qq/$snmpTrapCmd -v 2c -c public $hostPortSNMP '' $TRAPOID 

$OID.1 i $searchCount $OID.2 s "$searchTerms" $OID.3 s "$searchQuery" $OID.4 s 
"$searchName" $OID.5 s "$searchReason" $OID.6 s "$searchURL" $OID.7 s 
"$searchTags" $OID.8 s "$searchPath"/;
 system($cmd);

When I run the script at the command line I get the following error:

[root@splunk scripts]# ./sendsnmptrap-a.pl
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found
sh: line 2: : command not found
sh: line 3: : command not found

I doubt this is the accurate result. What is wrong with the script? Does it require parameters that I'm missing?

Thanks in advance!

Re: Splunk Alerts / SNMP

Drainy — Wed, 11 Jan 2012 14:33:01 GMT

While you might get some perly type people pop on and be able to offer some help this is a very specific perl related problem.

You will likely get a very quick answer if you post this on http://stackoverflow.com/ as they are a site designed for questions just like this.

Re: Splunk Alerts / SNMP

DTERM — Wed, 11 Jan 2012 14:58:32 GMT

The three lines at the bottom needed to be combined. The semi colon gave it away. Perl ends every line with a ; character. Now the Perl part is fixed, however I don't believe it is generating the expected SNMP output.

[root@splunk scripts]# ./sendsnmptrap.pl

10.176.156.206:1621.3.6.1.4.1.27389.1.1.1: Bad value name (1.3.6.1.4.1.27389.1.1.2)

Re: Splunk Alerts / SNMP

jan_wohlers — Thu, 28 Mar 2013 14:22:31 GMT

Hi,

did you find the problem? I have the same problem on my machine 😞

Can't fix the Bad value Name error.

Br Jan

Re: Splunk Alerts / SNMP

g2ugzm — Mon, 29 Sep 2014 15:33:25 GMT

You may want to ensure that there are no embedded double quotes in the passed arguments from the splunk alert. The searchQuery for instance may include an exact phrase to search which needs to be quoted.
A little loop before the variables are set works for double quotes:
foreach $entry ( @ARGV ) {
$entry =~ s/\"/\\"/g;
}

I started sending traps after this update.,

Re: Splunk Alerts / SNMP

jrprez1804 — Tue, 24 Feb 2015 17:32:58 GMT

Hi,

Will this script let us see which version of SNMP is running?