
SNMP Traps not being parsed properly

suhasinihulikal
Explorer

I am trying to collect the traps from a UPS device. When I installed my app on my development instance which is a standalone environment, I was able to collect the data properly.

I then tried to ingest the data into our production environment, which is a clustered environment (multiple indexers, search heads and heavy forwarders). I have installed the SNMP TA on one of the heavy forwarders and on all the search heads [the SNMP TA is not present on the indexers]. From the UPS, I am sending the traps to a heavy forwarder, and the heavy forwarder is in turn ingesting them to our indexers. Ports are opened. I am able to receive the data, but the data is not being parsed properly. I am getting some garbage symbols and values. I have placed a custom MIB for the APC UPS in the mibs directory of the app on the heavy forwarder.

I saw that a few people have said that changing the trap_host in the inputs.conf stanza to the DNS name or IP resolved their issue. I tried that as well, but still had no luck.

Could you please let me know if I have missed any steps here?

0 Karma

mgnzlz
Engager

Hi, if you weren't able to fix it yet, what you need to do is, in the SNMP modular input, write the Splunk server IP on the trap listener port. Let me know if it works.

0 Karma

suhasinihulikal
Explorer

I ended up writing the traps to a log file and ingested that log into Splunk.

0 Karma

lakshman239
SplunkTrust

In terms of dev and prod, are they different ones, e.g. AWS EC2 for dev and RHEL for prod? In your prod, do you have DNS/IP resolution (assuming this works in dev and not in prod per your notes above)? What TA are you using?

0 Karma

suhasinihulikal
Explorer

My dev instance is running on RHEL 7 and my production is running on RHEL 6.

Yes, I do have DNS/IP resolution on both my dev and production. I have verified this using nslookup on both my boxes.

I am using SNMP TA (modular input).
In the app, they have mentioned that by default all the events will be ingested with the snmp_ta sourcetype, so I did not create any new sourcetypes.
I am not sure if the data that is being ingested in my prod is being encrypted (I don't know how to verify this either). The data that is being ingested in my production looks like this.

0e
0aztec\xA7s0c#

0e
0aztec\xA7s0b\xA2
0e
0aztec\xA7s0b\xBA
0e

0 Karma
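As an added example, not code from the thread or from the SNMP TA: a minimal BER decoder for an SNMPv2c trap in Python. The tags it checks are the standard ASN.1/SNMP ones (0x30 is the SEQUENCE tag, which prints as the ASCII digit "0"; 0xA7 is the SNMPv2-Trap PDU tag), which is why the undecoded wire bytes of a trap start with "0" and contain 0xA7. OID_NAMES is a three-entry stand-in for a MIB, and the sample trap bytes and the arcs below the APC enterprise OID 1.3.6.1.4.1.318 are constructed for the example, not real APC trap OIDs.

```python
OID_NAMES = {"1.3.6.1.2.1.1.3.0": "sysUpTime.0",          # stand-in for a MIB: the two
             "1.3.6.1.6.3.1.1.4.1.0": "snmpTrapOID.0",    # standard trap varbinds plus
             "1.3.6.1.4.1.318": "apc"}                    # the APC enterprise arc
# Constructed sample trap; arcs below apc are placeholders, not real APC OIDs.
SAMPLE_TRAP = bytes.fromhex(
    "30 5A  02 01 01  04 06 7075626C6963"      # SEQUENCE ('0'), version 1 (v2c), community "public"
    "A7 4D  02 01 01  02 01 00  02 01 00"      # SNMPv2-Trap PDU; request-id, error-status, error-index
    "30 42"                                    # SEQUENCE OF VarBind
    "30 0E 06 08 2B06010201010300 43 02 3039"  # sysUpTime.0 = TimeTicks 12345
    "30 17 06 0A 2B060106030101040100 06 09 2B06010401823E0001"   # snmpTrapOID.0 = apc.0.1
    "30 17 06 09 2B06010401823E0101 04 0A 6F6E2062617474657279")  # apc.1.1 = "on battery"

def tlv(data, pos):                            # one BER tag/length/value, short-form length
    tag, length = data[pos], data[pos + 1]     # -> (tag, body, position after it)
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def oid_str(body):                             # first byte packs arcs 1 and 2,
    arcs, cur = [body[0] // 40, body[0] % 40], 0   # the rest are base-128 groups
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends the arc
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def resolve(oid):                              # longest known prefix -> MIB name
    for p in sorted(OID_NAMES, key=len, reverse=True):
        if oid == p or oid.startswith(p + "."):
            return OID_NAMES[p] + oid[len(p):]
    return oid                                 # unknown OIDs stay numeric

def decode_trap(msg):
    _, body, _ = tlv(msg, 0)                   # outer SEQUENCE (0x30)
    _, ver, pos = tlv(body, 0)
    _, community, pos = tlv(body, pos)
    pdu_tag, pdu, _ = tlv(body, pos)
    assert pdu_tag == 0xA7, "SNMPv2-Trap PDU expected"
    pos = 0
    for _ in range(3):                         # skip request-id, error-status, error-index
        _, _, pos = tlv(pdu, pos)
    _, vbl, _ = tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = tlv(vbl, pos)
        _, oid, p = tlv(vb, 0)
        vtag, val, _ = tlv(vb, p)
        value = (resolve(oid_str(val)) if vtag == 0x06                   # OBJECT IDENTIFIER
                 else int.from_bytes(val, "big") if vtag in (0x02, 0x43)  # INTEGER / TimeTicks
                 else val.decode("latin-1"))                             # OCTET STRING as text
        varbinds[resolve(oid_str(oid))] = value
    return {"version": ver[0], "community": community.decode(), "varbinds": varbinds}
```

Running decode_trap(SAMPLE_TRAP) gives named varbinds; deleting the apc entry from OID_NAMES shows the same trap with the enterprise OIDs left numeric, which is what a missing or unloaded MIB looks like after decoding.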

lakshman239
SplunkTrust

I assume you have followed the documentation at https://splunkbase.splunk.com/app/1537/#/details and loaded the activation keys. Are you seeing any errors in 'splunkd.log'?

0 Karma

suhasinihulikal
Explorer

Yes, I did follow the same documentation. The only error in splunkd.log on the production box is
"message from "python /opt/splunk/etc/apps/snmp_ta/bin/snmp.py" No SNMP response received before timeout snmp_stanza:snmp://test"

I did a btool check on snmp://test, but that did not yield any result.

0 Karma

lakshman239
SplunkTrust

The message seems to indicate you are not receiving the TRAPs in prod before the timeout. Do you have connectivity? Or perhaps increase the timeout to test?

0 Karma

suhasinihulikal
Explorer

Yes, we do have connectivity. There are no configurations set for snmp://test, because I verified using btool and no result came back.

I do not see any configuration that I can do to increase the timeout from the UI. I configured all my inputs using the Data Inputs --> SNMP UI option. I do not see any configs related to timeout. Can you please suggest where else I should be increasing the timeout?

0 Karma

lakshman239
SplunkTrust

There is an option in inputs.conf for timeout; the default is 1 sec. Please check etc/apps/snmp_ta/README/inputs.conf.spec for all available settings.

0 Karma

suhasinihulikal
Explorer

I have set the timeout to 15 seconds now. Still not seeing the data in proper format. I am still getting timeout.

0 Karma