Alerting

Is there already a SNMP MIB for Splunk that sends Splunk alerts to an external console?

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I found the script to send Splunk alerts to an external console (e.g.: IBM Netcool) using SNMP, but does anyone know if there already is a SNMP Splunk MIB to do this?
Usually MIB is defined by the hardware or software supplier!
Thank you.
Bye.
Giuseppe

0 Karma
1 Solution

TStrauch
Communicator

Hi Giuseppe,

i found this in the Splunk Wiki. Hope this helps.

http://wiki.splunk.com/Community:Splunk_Alert_MIB

kind regards

View solution in original post

soumyasaha25
Contributor

The way i did it in one of my integrations was to send SNMP traps to an external console (eg Netcool) via a python script.
So whenever an alert was triggered in Splunk alert action would execute the python script to send the snmp traps. Can you also share how you achieved the integration.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi soumyasaha25,
We realizad a connector that modify Splunk behaviour, because Splunk alert gives 8 parameters:

  • "Number of events returned by the saved search" "Search terms"
  • "Fully qualified search query string"
  • "Name of the saved search"
  • "Reason for saved search to trigger alert"
  • "URL to saved search"
  • "Tags belonging to the saved search, optional"
  • "Path on the Splunk Server to a file containing search results"

but I really need messages contained in the 8th parameter.

So we created a script that runs when alert is triggered and it perform the following actions:

  • it take the 8th parameter from the alert,
  • it untar file containing alert message from the above path,
  • it copy message in the alert's 8th parameter of the Splunk MIB,
  • it send message using Splunk MIB.

In this way the receive can receive the alert message in the Splunk MIB.

Bye.
Giuseppe

0 Karma

rashi83
Explorer

@gcusello  : One question - thanks for explaining the integration method. One question , where did you put the MIB on - Splunk machine or the external device where Splunk alerts will be trapped ?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @rashi83,

the scrips must be on the Search Heads, wher you run the alerts because it's and action of the alert:

  • the external device send its logs to Splunk,
  • Splunk monitor logs running the alert with the defined frequency,
  • Splunk fires the alert where it finds the conditions and run the script that prepare the message and send it to NetCool ot the other destination.

Ciao.

Giuseppe

0 Karma

TStrauch
Communicator

Hi Giuseppe,

i found this in the Splunk Wiki. Hope this helps.

http://wiki.splunk.com/Community:Splunk_Alert_MIB

kind regards

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Thank you.
Bye.
Giuseppe

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!