Alerting
Highlighted

Send trap NSMP to an external system

Legend

Hi at all,
I have a (probably) very stupid question: I have to send alerts to an external system (IBM NetCool) using SNMP traps.
I configured an alert to run a perl script to do this and runs.
My question is: Splunk passes to the script eight parameters:

  • $ARGV[0]; # $1 - Number of events returned
  • $ARGV[1]; # $2 - Search terms
  • $ARGV[2]; # $3 - Fully qualified query string
  • $ARGV[3]; # $4 - Name of savedsearch
  • $ARGV[4]; # $5 - Reason saved search triggered
  • $ARGV[5]; # $6 - URL/Permalink of saved search
  • $ARGV[6]; # $7 - Always empty as of 4.1
  • $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)

but I don't see the search results (events that triggered my alert).

How can I pass to NetCool these results?
Maybe NetCool must connect to Splunk to the link of $ARGV[7] ?
It isn't so functional! probably there is another way!

In addition I see that parameters $ARGV[2] and $ARGV[3] give the same value (alert search).

Bye.

Giuseppe

0 Karma
Highlighted

Re: Send trap NSMP to an external system

Champion

Hello @cusello,

Why not just have your script read the $ARGV[5] and send the results? I would also suggest building this as an alert action similar to splunk-add-on-jira-alerts which does things similarly. Also alert actions are first class citizens in Splunk.

View solution in original post

0 Karma
Highlighted

Re: Send trap NSMP to an external system

Legend

Thank you bmacias84,
I did something like you suggested:
in my script I take the tgz file containing results, I explode it and I send results in the 8th field.
Bye.
Giuseppe

0 Karma
Highlighted

Re: Send trap NSMP to an external system

SplunkTrust
SplunkTrust

Did you see the SNMP-ma app?