
SNMP Modular Input: Why do I see no data when I search for sourcetype=SNMP_TA?

travisprice
New Member

I am trying to receive SNMP traps from a Cisco Wireless LAN Controller. I installed the SNMP_TA app, added a MIB file (SNMPv2-MIB) from Cisco, and originally set it up using port 162. After saving, I searched for " " and saw the following message:

"ERROR ExecProcessor - message from "python /opt/splunkinstall/splunk/etc/apps/snmp_ta/bin/snmp.py" Failed to register transport and run dispatcher: bind() for ('localhost', 162) failed: [Errno 13] Permission denied snmp_stanza:snmp://XXXXXX".  

I then added an iptables rule:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 162 -j REDIRECT --to-port 8166 

and changed the data input to be equal to 8166. There are no other rules in my iptables. I then did a search for index=_internal error ExecProcessor snmp.py and saw no errors, but I see no SNMP data when I search for sourcetype=SNMP_TA.

Additionally, when I do a tcpdump for the host that is supposed to be sending the data, I see the traps.

Below are my input settings as they exist now:

SNMP Mode = Listen for traps
IP Version 6 = Not checked
SNMP Version = 2c
Community String = XXXXXX
MIB Names = SNMPv2-MIB
Response Handler = BLANK
Response Handler Arguments = BLANK
TRAP listener host = XXXXX.XXX.com
TRAP listener port = 8166
Reverse DNS lookup of trap sources = Not checked
Set sourcetype * = Manual
Source Type = cisco:asa
Host field value = localhost.localdomain
Index = access
0 Karma

Damien_Dallimor
Ultra Champion

1)

Permission denied snmp_stanza:snmp://XXXXXX"

Well, you are likely getting the error for port 162 because this is a privileged port (< 1024) and you are not running Splunk with the necessary user privileges.

2)

I see no SNMP data when I search for sourcetype=SNMP_TA.

Perhaps because you have set the sourcetype above to cisco:asa

3)

added a MIB file (SNMPv2-MIB) from Cisco

FYI: you don't need to do this. By default the SNMP Mod Input ships with several standard core and common MIBs and this is one of them. You can see all these MIBs by unzipping snmp_ta/bin/mibs/pysnmp_mibs-0.1.4-py2.7.egg

0 Karma
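
An added example, not part of the original thread or of the SNMP Modular Input's own code: a stand-alone Python check that reproduces the bind() failure described in point 1 and confirms that a UDP listener on the chosen port can actually receive a datagram. The function names, status codes and the 1024 threshold constant are assumptions made for this illustration.

```python
import errno
import socket

PRIVILEGED_PORT_LIMIT = 1024  # assumption: default Linux setting, ports below this are privileged


def classify_bind_error(exc, port):
    """Turn the OSError raised by bind() into a short diagnosis code."""
    if exc.errno == errno.EACCES:
        # Errno 13, as in the ExecProcessor message for port 162.
        return "privileged_port" if port < PRIVILEGED_PORT_LIMIT else "permission_denied"
    if exc.errno == errno.EADDRINUSE:
        return "port_in_use"  # another listener (possibly the input itself) holds it
    if exc.errno == errno.EADDRNOTAVAIL:
        return "address_not_local"  # listener host is not an address on this machine
    return "other"


def probe_udp_listener(host, port, timeout=2.0):
    """Bind a UDP socket as a trap listener would, send it one datagram, confirm receipt.

    Returns (status, bound_port). The datagram is sent locally, so it does not
    pass through the nat PREROUTING chain and says nothing about a REDIRECT rule.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        try:
            listener.bind((host, port))
        except OSError as exc:
            return classify_bind_error(exc, port), None
        bound_host, bound_port = listener.getsockname()
        listener.settimeout(timeout)
        target = "127.0.0.1" if bound_host == "0.0.0.0" else bound_host
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(b"constructed-test-datagram", (target, bound_port))
        try:
            listener.recvfrom(4096)
        except socket.timeout:
            return "bound_but_nothing_received", bound_port
        return "ok", bound_port
    finally:
        listener.close()


if __name__ == "__main__":
    # 162 is the port from the error message, 8166 the replacement used in the thread.
    for port in (162, 8166):
        print(port, probe_udp_listener("0.0.0.0", port))
```

Run it as the same OS user that runs Splunk; a "port_in_use" result for 8166 means something is already bound there, which is expected while the data input is enabled.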