All Apps and Add-ons

SNMP_TA: is it possible to install in indexer?

teddyidc1101
Communicator

Hi - we have distributed deployment in place for Splunk. We wanted to use the SNMP_TA to poll. We have it in the UF and HF installed.

But later we found out that the UF/HF doesn't have connection with the SNMP servers and we are getting errors below:
Error Logs : “SNMP message serialization error snmp_stanza:snmp://mtx_proc_site_1_1”
:“No SNMP response received before timeout snmp_stanza:snmp://mtx_proc_site_1_1”

Since the indexer have the prod connection, can we install the SNMP_TA app in the indexer to access the SNMP prod servers?
If yes, will there be implication in the distributed environment (will it confuse the splunk components?)?

Thank you!

1 Solution

xpac
SplunkTrust
SplunkTrust

It should be possible, however I'd not advise to do this, as indexers shouldn't run such inputs. I'd suggest you either get one of your existing UFs or HFs to be able to access those SNMP targets, or setup another UF/HF in the right place so it's able to do this.

View solution in original post

teddyidc1101
Communicator

thanks you for your response @xpac....Do you see any impact if SNMP_TA is implemented on the indexer ? we are considering the option due to connection setup that has to be done on the environment..we need the data to be ingested... thanks!

0 Karma

ansif
Motivator

Hi @teddyidc1101

If @xpac answer helped you then accept his answer. He deservers the karma points then.

teddyidc1101
Communicator

ok done accepting

0 Karma

niketn
Legend

@teddyidc1101, you should unaccept your answer and then Accept @xpac's answer. You can definitely up vote all the answers/comments that helped using Up Arrow.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ansif
Motivator

Consider your current overhead in indexer ,if it is fine to handle snmp polling or trap process then go ahead and deploy.

Splunk is not restricting to use instance to act as multi splunk component,only performance matters.

xpac
SplunkTrust
SplunkTrust

It should be possible, however I'd not advise to do this, as indexers shouldn't run such inputs. I'd suggest you either get one of your existing UFs or HFs to be able to access those SNMP targets, or setup another UF/HF in the right place so it's able to do this.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...