All Apps and Add-ons
Highlighted

SNMP Modular Input deployment

Path Finder

Hi there, I couldn't find a simple info about "where" deploy SNMP Modular Input App for network monitoring SNMP host with splunk: do I need to install the App both on Search Head and also on Indexer? Actually I have some Indexer and a Search Head quering on these. Wich components on Indexer and Search Head ? ("SNMP Modular Input", "pyCrypto")

Thanks in advance

0 Karma
Highlighted

Re: SNMP Modular Input deployment

Ultra Champion

In a distributed architecture I recommend installing the app (all components untarred to etc/apps) on a Forwarder.

View solution in original post

0 Karma
Highlighted

Re: SNMP Modular Input deployment

Path Finder

Thanks Damien, I realized the same, because this App has no GUI! I will install it on a Indexer for a simple test to get SNMP OID data in for a simple test. Then I will use an Intermediate Forwarder on site. In this case I suppose the App it is needed only on the Imtermediate Forwarder. It is true?

0 Karma
Highlighted

Re: SNMP Modular Input deployment

Ultra Champion

Yes , that is correct.

0 Karma
Highlighted

Re: SNMP Modular Input deployment

Path Finder

Hello,

We have installed the app on a heavy forwarder. configured the input Object Name field with 1.1

Now, we are receiving data in from the poll, but we can't tell what it all really means.... should it convert to a more readable format?

0 Karma
Highlighted

Re: SNMP Modular Input deployment

Path Finder

It looks like 1.1 = iso

I think you may want to look at this:

If we look at the OBJECT ciscoCircuitInterfaceGroup

.1.3.6.1.4.1.9.9.160.3.2.1
ciscoCircuitInterfaceGroup OBJECT-TYPE
-- FROM CISCO-CIRCUIT-INTERFACE-MIB
DESCRIPTION "The Cisco Circuit Interface MIB objects."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) ciscoMgmt(9) ciscoCircuitInterfaceMIB(160) ciscoCircuitInterfaceMIBConformance(3) ciscoCircuitInterfaceMIBGroups(2) 1 }

You can see how the "1.3.6.1.4.1.9.9.160.3.2.1" is the numeric value.

So, walking the tree back some more....

.1.3.6.1.4.1.9.9.160
ciscoCircuitInterfaceMIB OBJECT-TYPE
-- FROM CISCO-CIRCUIT-INTERFACE-MIB
DESCRIPTION "The MIB module to configure the circuit description
for an interface.
The circuit description can be used to describe and
identify circuits on interfaces like ATM,
frame-relay etc."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) ciscoMgmt(9) 160 }

It starts to make more sense as you work in it, but it takes some time.

This is a handy tool:

https://www.marcuscom.com/snmptrans/

Now, reading the data back in.....

I think you will have to build some regex and lookups, unless someone has a better method.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.