topic Re: SPlunk SNMP TRAP to get IP address in Search Query in Splunk Search

SPlunk SNMP TRAP to get IP address in Search Query

sahils — Mon, 03 Apr 2017 12:51:46 GMT

We have modified spectrum alerts for unix and it’s been sent to snmptrap and its working. We don’t have ip address for windows machine in splunk. We have to figure out a way to get ip address in to splunk for those windows machines either by batch scripts or to try using wmi.conf.

Can you please help for the same, HOw we can get IP address in WIndows server.

Thanks,
Sahil

Re: SPlunk SNMP TRAP to get IP address in Search Query

woodcock — Mon, 03 Apr 2017 13:43:07 GMT

Just use dnslookup as described here:

https://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html

Re: SPlunk SNMP TRAP to get IP address in Search Query

sahils — Mon, 03 Apr 2017 14:27:59 GMT

Hello,

Below are the query and if we add dns its not working

index=perfmon sourcetype="Perfmon:Memory" source="Perfmon:Memory" counter="% Committed Bytes In Use"
|dedup host|eval unique_id=md5(_raw)
|search [inputlookup win_memalert.csv|fields host]
|eventstats avg(Value) as used_percent by host
|append [inputlookup win_memalert.csv]
|eval threshold=case(used_percent<70, "Stable", used_percent>=70 AND used_percent<85,"Warning", used_percent>=85, "Critical")
|stats first(used_percent) as used_percent, last(used_percent) as last_used_percent, first(threshold) as threshold, last(threshold) as last_threshold, last(unique_id) as unique_id, first(_time) as _time by host
|eval state=case(used_percent<70 AND threshold=last_threshold, "still_stable", used_percent<70, "stable", used_percent>=70 AND used_percent<85 AND threshold=last_threshold, "existing", used_percent >= 85 AND threshold=last_threshold, "existing", used_percent>=85 AND  threshold!=last_threshold, "shift_critical", used_percent<85 AND used_percent>=70 AND threshold!=last_threshold, "shift_warning")
|search state!="still_stable" 
|eval action=case(state="new", "post", state="existing", "nothing", state="stable", "clear", state="shift_warning", "recede", state="shift_critical", "escalate")
|table _time, host, used_percent, last_used_percent, threshold, last_threshold, unique_id, state, action
|append [search index=perfmon sourcetype="Perfmon:Memory" source="Perfmon:Memory" counter="% Committed Bytes In Use" | dedup host |search NOT 
[
|inputlookup win_memalert.csv|fields host
]
|eval unique_id=md5(_raw)
|eventstats avg(Value) as used_percent by host
|where used_percent>70
|eval threshold=case(used_percent<70, "Stable", used_percent>=70 AND used_percent<85,"Warning", used_percent>=85, "Critical")
|fillnull state value="new"|eval action=case(state="new", "post")
|eval title="win_Memory_Exceeds_Percent_by_Host"
|table _time, host, used_percent, last_used_percent, threshold, last_threshold, unique_id, state, action]
|outputlookup win_memalert.csv | search action!="nothing"
|eval alert_type="Windows Memory Alert" | eval 1=alert_type, 2=host, 3=used_percent, 4=threshold, 5=action, 6=unique_id
|fields 1 2 3 4 5 6
|createsnmptrap |

Thanks,
Sahil

Re: SPlunk SNMP TRAP to get IP address in Search Query

woodcock — Mon, 03 Apr 2017 23:23:50 GMT

Add 3 lines before you last 4 so that your last 7 lines look like this:

| lookup dnslook clientip AS host OUTPUT clienthost
| eval host=coalesce(clienthost, host)
| fields - clienthost
| outputlookup win_memalert.csv | search action!="nothing"
| eval alert_type="Windows Memory Alert" | eval 1=alert_type, 2=host, 3=used_percent, 4=threshold, 5=action, 6=unique_id
| fields 1 2 3 4 5 6
| createsnmptrap

Re: SPlunk SNMP TRAP to get IP address in Search Query

sahils — Tue, 29 Sep 2020 13:31:54 GMT

We run Query and add 3 lines also add number 7 IP address in fields but not geeting IP data

index=perfmon sourcetype="Perfmon:LogicalDisk" source="Perfmon:LogicalDisk" counter="% Free Space" |dedup host |eval unique_id=md5(_raw) |search [inputlookup win_disk.csv|fields host]
|eventstats avg(Value) as disk_free_space by host
|eval used_percent= (100-disk_free_space)
|append [inputlookup win_disk.csv]
|eval threshold=case(used_percent<95, "Stable", used_percent>=95 AND used_percent<98,"Warning", used_percent>=98, "Critical")
|stats first(used_percent) as used_percent, last(used_percent) as last_used_percent, first(threshold) as threshold, last(threshold) as last_threshold, last(unique_id) as unique_id, first(_time) as _time by host
|eval state=case(used_percent<95, "stable", used_percent<95 AND threshold=last_threshold, "still_stable" , used_percent>=95 AND used_percent<98 AND threshold=last_threshold, "existing", used_percent>=98 AND threshold=last_threshold, "existing", used_percent>=98 AND threshold!=last_threshold, "shift_critical", used_percent<98 AND used_percent>=95 AND threshold!=last_threshold, "shift_warning")
|search state!="still_stable"
|eval action=case(state="new", "post", state="existing", "nothing", state="stable", "clear", state="shift_warning", "recede", state="shift_critical", "escalate")
|table host, used_percent, last_used_percent, threshold, last_threshold, unique_id, _time, state, action
| append [search index=perfmon sourcetype="Perfmon:LogicalDisk" source="Perfmon:LogicalDisk" counter="% Free Space" |dedup host | search NOT
[
|inputlookup win_disk.csv|fields host
]
|eval unique_id=md5(_raw)
|eventstats avg(Value) as disk_free_space by host
|eval used_percent= (100-disk_free_space)
| where used_percent>=95
| eval threshold=case(used_percent<95,"Stable",used_percent>=95 AND used_percent<98,"Warning", used_percent>=98,"Critical")
|fillnull state value="new"|eval action=case(state="new", "post")
| eval title="win_disk_Used_Exceeds_Perc_by_Host"
|table host, used_percent, last_used_percent, threshold, last_threshold, unique_id, _time, state, action]
|outputlookup win_disk.csv
|eval alert_type="Windows Disk Alert" | eval 1=alert_type, 2=host, 3=used_percent, 4=threshold, 5=action, 6=unique_id, 7=ip
|fields 1 2 3 4 5 6 7
|createsnmptrap

100 Per Page Format Preview
1 2 3 4 5 6 7 _time
Windows Disk Alert uslv-dapp-bsm02 95.705941 Warning nothing 832eb3f3cfdeec78fcd72e0131e740fb 2017-04-04 04:01:20

Please suggest

Thanks,
Sahil

Re: SPlunk SNMP TRAP to get IP address in Search Query

sahils — Mon, 10 Apr 2017 12:01:57 GMT

Please update and help for the same .

Thanks,
Sahil

Re: SPlunk SNMP TRAP to get IP address in Search Query

sahils — Mon, 01 May 2017 14:42:58 GMT

Please help us for the same.

Thanks,
Sahil