All Apps and Add-ons

SNMP_TA: is it possible to install in indexer?

teddyidc1101
Communicator

Hi - we have distributed deployment in place for Splunk. We wanted to use the SNMP_TA to poll. We have it in the UF and HF installed.

But later we found out that the UF/HF doesn't have connection with the SNMP servers and we are getting errors below:
Error Logs : “SNMP message serialization error snmp_stanza:snmp://mtx_proc_site_1_1”
:“No SNMP response received before timeout snmp_stanza:snmp://mtx_proc_site_1_1”

Since the indexer have the prod connection, can we install the SNMP_TA app in the indexer to access the SNMP prod servers?
If yes, will there be implication in the distributed environment (will it confuse the splunk components?)?

Thank you!

1 Solution

xpac
SplunkTrust
SplunkTrust

It should be possible, however I'd not advise to do this, as indexers shouldn't run such inputs. I'd suggest you either get one of your existing UFs or HFs to be able to access those SNMP targets, or setup another UF/HF in the right place so it's able to do this.

View solution in original post

teddyidc1101
Communicator

thanks you for your response @xpac....Do you see any impact if SNMP_TA is implemented on the indexer ? we are considering the option due to connection setup that has to be done on the environment..we need the data to be ingested... thanks!

0 Karma

ansif
Motivator

Hi @teddyidc1101

If @xpac answer helped you then accept his answer. He deservers the karma points then.

teddyidc1101
Communicator

ok done accepting

0 Karma

niketn
Legend

@teddyidc1101, you should unaccept your answer and then Accept @xpac's answer. You can definitely up vote all the answers/comments that helped using Up Arrow.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ansif
Motivator

Consider your current overhead in indexer ,if it is fine to handle snmp polling or trap process then go ahead and deploy.

Splunk is not restricting to use instance to act as multi splunk component,only performance matters.

xpac
SplunkTrust
SplunkTrust

It should be possible, however I'd not advise to do this, as indexers shouldn't run such inputs. I'd suggest you either get one of your existing UFs or HFs to be able to access those SNMP targets, or setup another UF/HF in the right place so it's able to do this.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...