All Apps and Add-ons
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- SNMP Modular Input: How to use a single input to q...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikt_kongsbakken
Explorer
09-18-2014
03:02 AM
Hello,
I've had much success after loads of testing with SNMP Modular Input to both register traps and polling devices.
However, now I am trying to use a single input to poll multiple devices I am having errors.
In the destination field of my poll, I have configured 2 IPs to two different devices, in the stanza it is configured as:
10.6.2.15,10.6.2.18
However, according to Wireshark only a GET-REQUEST is only sent to the first host.
I've tried multiple versions, like 10.6.2.15/18, 10.6.2.15,18 etc. but those do not work at all.
Have I misconfigured or is it not possible yet to query multiple hosts?
Both hosts are from the same vendor, so all other values are correct.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikt_kongsbakken
Explorer
09-18-2014
05:00 AM
It seems that when you press "save", the modular input tries something that doesn't work, thereby generating that error.
The automatic poll after time seems to work okay. I am now getting answers from both hosts.
I think it might be an error during the save when editing the input with SNMP Modular Input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikt_kongsbakken
Explorer
09-18-2014
05:00 AM
It seems that when you press "save", the modular input tries something that doesn't work, thereby generating that error.
The automatic poll after time seems to work okay. I am now getting answers from both hosts.
I think it might be an error during the save when editing the input with SNMP Modular Input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
n00badmin
Communicator
09-18-2014
03:21 AM
Have you checked splunkd.log for errors?
$SPLUNK_HOME/var/log/splunk/splunkd.log
or
Search -> index=_internal ExecProcessor error snmp.py
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikt_kongsbakken
Explorer
09-18-2014
03:43 AM
Getting this message:
message="message from \"python \"C:\Program Files\Splunk\etc\apps\snmp_ta\bin\snmp.py\"\" Exception with getCmd to 10.6.2.18:161: MIB subtree (1, 3, 6, 1, 6, 3, 10, 2, 1, 4, 0) already registered at MibScalar((1, 3, 6, 1, 6, 3, 10, 2, 1, 4), Integer32()) snmp_stanza:snmp://Poll"
Is it because it is polling the same OIDs from two different devices, using single gets per OID value?
EDIT:
The OID 1.3.6.1.6.3.10.2.1.4 refers to snmpEngineMaxMessageSize
Maybe it is unable to send both requests since their lengths together would be approximatley 335.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
n00badmin
Communicator
09-18-2014
05:01 AM
What does your config look like? are you doing gets to multiple OIDs on these hosts??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ikt_kongsbakken
Explorer
09-18-2014
05:32 AM
[snmp://Poll]
communitystring = asdf
destination = 10.6.2.15,10.6.2.18
do_bulk_get = 0
ipv6 = 0
mib_names = MIB1-MIB,MIB2-MIB
object_names = OID1,OID2,OID3,OID4
port = 161
snmp_mode = attributes
snmp_version = 1
snmpinterval = 3600
sourcetype = snmp_ta
split_bulk_output = 0
Same OIDs for both devices. Comma delimited, GETs only.
Using an OID viewer, I tried to do a GET-BULK, but it seems to crash the device I tested, because then I need to reboot the device in order to do a GET afterwards.
Get Updates on the Splunk Community!
Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!
Howdy Splunk Community!
It’s an exciting day here at Splunk – Splunk AI Assistant for SPL version 1.3.0 is now ...
Developer Spotlight with Qmulos
Qmulos: Building a Next-Level Cybersecurity Business through Splunk Apps Qmulos started as a scrappy startup ...
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...
