Alerting

Send trap SNMP to an external system

gcusello
SplunkTrust

Hi all,
I have a (probably) very stupid question: I have to send alerts to an external system (IBM NetCool) using SNMP traps.
I configured an alert to run a Perl script to do this and it runs.
My question is: Splunk passes to the script eight parameters:

  • $ARGV[0]; # $1 - Number of events returned
  • $ARGV[1]; # $2 - Search terms
  • $ARGV[2]; # $3 - Fully qualified query string
  • $ARGV[3]; # $4 - Name of savedsearch
  • $ARGV[4]; # $5 - Reason saved search triggered
  • $ARGV[5]; # $6 - URL/Permalink of saved search
  • $ARGV[6]; # $7 - Always empty as of 4.1
  • $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)

but I don't see the search results (events that triggered my alert).

How can I pass to NetCool these results?
Maybe NetCool must connect to Splunk to the link of $ARGV[7]?
It isn't so functional! Probably there is another way!

In addition I see that parameters $ARGV[2] and $ARGV[3] give the same value (alert search).

Bye.

Giuseppe

0 Karma
1 Solution

bmacias84
Champion

Hello @cusello,

Why not just have your script read the $ARGV[5] and send the results? I would also suggest building this as an alert action similar to splunk-add-on-jira-alerts which does things similarly. Also alert actions are first class citizens in Splunk.

0 Karma

jkat54
SplunkTrust

Did you see the SNMP-ma app?

gcusello
SplunkTrust

Thank you bmacias84,
I did something like you suggested:
In my script I take the tgz file containing results, I explode it and I send results in the 8th field.
Bye.
Giuseppe

0 Karma
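
The approach described in the last reply (read the results file whose path arrives as the 8th script argument and put the events into the trap), as an added example that is not code from the thread or from Splunk. It assumes the file is the gzip-compressed CSV Splunk writes for a search job and that net-snmp's `snmptrap` is installed; the OIDs, host name and community string are placeholders. Search results are untrusted text, so they are cleaned and passed as an argv list, never through a shell.

```python
import csv
import gzip
import subprocess
import sys

# Placeholders, not from the thread: replace with your own enterprise OIDs.
TRAP_OID = "1.3.6.1.4.1.99999.1"
VARBIND_BASE = "1.3.6.1.4.1.99999.2"
MAX_EVENTS = 5        # keep the trap small enough for one UDP datagram
MAX_VALUE_LEN = 255   # cap each string varbind


def read_results(path, limit=MAX_EVENTS):
    """Return up to `limit` result rows from the gzip CSV results file."""
    rows = []
    with gzip.open(path, "rt", encoding="utf-8", newline="") as fh:
        for row in csv.DictReader(fh):
            # Skip the __mv_* helper columns Splunk adds for multivalue fields.
            rows.append({k: v for k, v in row.items() if not k.startswith("__mv_")})
            if len(rows) >= limit:
                break
    return rows


def clean(value):
    """Flatten control characters and truncate an untrusted result value."""
    text = "".join(c if c.isprintable() else " " for c in str(value))
    # Defensive: a leading '-' could be read as an option by the CLI parser.
    if text.startswith("-"):
        text = " " + text
    return text[:MAX_VALUE_LEN]


def build_snmptrap_argv(host, community, search_name, rows):
    """Build the snmptrap argument list: one string varbind per event."""
    argv = ["snmptrap", "-v", "2c", "-c", community, host, "", TRAP_OID,
            VARBIND_BASE + ".1", "s", clean(search_name)]
    for i, row in enumerate(rows, start=2):
        summary = row.get("_raw") or " ".join(f"{k}={v}" for k, v in row.items())
        argv += [f"{VARBIND_BASE}.{i}", "s", clean(summary)]
    return argv


if __name__ == "__main__" and len(sys.argv) > 8:
    # sys.argv[4] is $4 (saved search name), sys.argv[8] is $8 (results path).
    events = read_results(sys.argv[8])
    subprocess.run(build_snmptrap_argv("netcool.example.com", "public",
                                       sys.argv[4], events), check=True)
```
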