
Sending SNMP from Splunk to Netcool

lloydknight
Builder

Hello All,

So I've been searching for how to send an SNMP trap to Netcool and I found this information below:

http://docs.splunk.com/Documentation/Splunk/6.3.12/Alert/SendingSNMPtrapstoothersystems
https://splunkbase.splunk.com/app/3596/#/details

We're currently using Splunk 7.0.3 and it seems that the add-on is the only way to get this requirement done.

I'm not very familiar with this kind of integration as I'm used to getting data in to Splunk, not getting data in to external tools using Splunk.

Though the add-on shows the steps in an orderly manner, I'm still having a hard time following them, like what my Splunk search should look like for the parameters $result.host$ and $result.splunk_field_name$. Where can I get the OIDs stated in the configuration?

If I were to use the SendingSNMPtrapstoothersystems on the official doc, are there any workarounds to use it on 7.0? If there is, is there a clear method of procedure to do it with simple examples?

Thank you very much for your help!

0 Karma

hgehrts_splunk
Splunk Employee

There are several ways to get data out of Splunk. Traps could be one option, syslog another, or even writing into a database could be one. Or start a script (alert integration) and let it call nco_postmsg... that's a custom command from Netcool OMNIbus to send events into the Netcool OMNIbus console.

So: it depends what you and the Netcool guy prefer.
Talking about the trap integration: it should still work... if there are issues, you could still create your own script that does snmptrap (net-snmp) into the Netcool Trap Receiver Probe.

0 Karma

lloydknight
Builder

Hello @hgehrts_splunk,
I would like to use the add-on as much as possible to configure the integration faster. Based on the add-on's details, it's using dummy values for the OIDs as an example, which confuses me. I found this link which tells me the Splunk Enterprise OID is 27389. The documentation used "1.3.6.1.4.1.27389.1.1". Is this constant or configurable, or where can I find this if ever?

From what I understand on SNMP, the one who sends the data is the one who provides the OID.

0 Karma

kkrishnan_splun
Splunk Employee

If your splunk search reads
index=_internal | table host
And while configuring the alert, if you enter your host name to be $result.host$, Splunk would configure the trap to take the value of host in the search result to assign it to host name. $result.$ is only to specify how the resulting fields should be specified.

The OID is usually specified by the trap receiver. Per the link you shared, if the OID for Splunk Enterprise is "1.3.6.1.4.1.27389.1.1", for the SNMP Splunk Modular Alert configuration, set the
Enterprise OID to "1.3.6.1.4.1",
Specific OID to "27389" and
Specific Trap ID to 1.

0 Karma

rashi83
Path Finder

Hi there, 

I followed the steps on https://splunkbase.splunk.com/app/3596/#/details

to configure SNMP traps to an outside system from Splunk. I have used the Enterprise OID:

1.3.6.1.4.1.27389. We do not see traps on the external system. I have the following questions:


1. Where does this "=== Netcool Configuration File ===" defined on the above link go? What is the path of the file?

2. I am seeing this error in the internal logs: NoSuchObjectError: NoSuchObjectError({'str': "Can't resolve node name ::('1', '3', '6', '1', '4', '1', '27389', '(blank)') at <pysnmp.smi.view.MibViewController instance at 0x000000DD527EE748>"})


This is a matter of urgency, please respond.

@kkrishnan_splun 


0 Karma

kkrishnan_splun
Splunk Employee

Hello Rashi,

Please find my answers below :

1. This is not a configuration file. It is just information text to show the mapping within the code to what can be seen on the Netcool end.
2. It looks like after 27389 there is a space which the Python code is unable to resolve. Could you please remove this and try again?
0 Karma

rashi83
Path Finder

Hi Karthika,

Thanks for getting back - there is no space after 27389. I added a few more numbers to it like this "1.3.6.1.4.1.27389.1.2" and am still seeing the same error.

2020-08-03 16:30:02,884 ERROR Execution failed: Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\modular_alert.py", line 542, in execute
return self.run(cleaned_params, payload)
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\netcool_custom_modular_alert.py", line 85, in run
(str(enterpriseSNMP_SpecificObjectID)+'.8', rfc1902.OctetString(str(splunksearch)))
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\entity\rfc3413\oneliner\ntforg.py", line 173, in sendNotification
**kwargs):
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\hlapi\asyncore\sync\ntforg.py", line 114, in sendNotification
lookupMib=options.get('lookupMib', True))
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\hlapi\asyncore\ntforg.py", line 145, in sendNotification
vbProcessor.makeVarBinds(snmpEngine, varBinds),
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\hlapi\varbinds.py", line 51, in makeVarBinds
varBinds.resolveWithMib(mibViewController)
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\smi\rfc1902.py", line 1130, in resolveWithMib
self.__objectIdentity.resolveWithMib(mibViewController)
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\smi\rfc1902.py", line 399, in resolveWithMib
tuple(self.__args[0].split('.'))
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\smi\view.py", line 210, in getNodeNameByOid
(modName, nodeName, self)
NoSuchObjectError: NoSuchObjectError({'str': "Can't resolve node name ::('1', '3', '6', '1', '4', '1', '27389', '1', '2', '(blank)') at <pysnmp.smi.view.MibViewController instance at 0x0000001E4D9C9748>"})

0 Karma
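Putting kkrishnan_splun's earlier answer (the $result.<field>$ substitution and the Enterprise OID / Specific OID / Specific Trap ID split) together with the NoSuchObjectError in the traceback above, here is an added Python example. It is not the add-on's code and was not posted by anyone in this thread. The only OID values in it are the ones quoted in the thread; the configuration keys, the varbind suffixes (".1" for host, ".8" for the search string, the latter taken from the traceback's call site) and the sample search-result row are my assumptions. The blank last component in the traceback's node name is what str.split('.') yields for a trailing dot, and the same thing happens if the add-on joins an empty Specific OID field onto the Enterprise OID (assumed, not confirmed on the page), so the example validates every assembled OID before it would be handed to pysnmp instead of letting the MIB resolver fail deep inside sendNotification.

```python
import re

# Matches the alert-action tokens Splunk substitutes from the search result,
# e.g. $result.host$ -> value of the "host" column of one result row.
TOKEN = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def substitute_tokens(template, result_row):
    """Replace every $result.<field>$ in template with the row's value.

    Fails loudly if the search did not return the field, which is the usual
    reason a trap arrives with an empty host name.
    """
    def repl(match):
        field = match.group(1)
        if field not in result_row:
            raise KeyError(
                f"search result has no field '{field}'; "
                "add it to the | table ... clause of the alert search")
        return str(result_row[field])
    return TOKEN.sub(repl, template)


def validate_oid(oid):
    """Return the OID unchanged, or raise if any dotted component is empty
    or non-numeric (trailing dot, blank field, stray whitespace).

    pysnmp reports such input as NoSuchObjectError with a node-name tuple
    whose last element is an empty string, as in the traceback above.
    """
    parts = oid.split(".")
    for position, part in enumerate(parts):
        if part == "":
            raise ValueError(
                f"OID '{oid}' has an empty component at position {position} "
                "(trailing dot or blank Specific OID field?)")
        if not part.isdigit():
            raise ValueError(
                f"OID '{oid}' component {part!r} at position {position} "
                "is not numeric (whitespace or typo?)")
    return oid


def build_trap_oid(enterprise_oid, specific_oid, specific_trap_id):
    """Assemble the trap OID from the three form fields as the answer above
    splits Splunk's enterprise arc: 1.3.6.1.4.1 + 27389 + 1."""
    return validate_oid(f"{enterprise_oid}.{specific_oid}.{specific_trap_id}")


def build_varbinds(config, result_row):
    """Return (trap_oid, [(oid, value), ...]) ready for a notification.

    config keys and varbind suffixes are assumptions for this example, not
    the add-on's real parameter names.
    """
    trap_oid = build_trap_oid(config["enterprise_oid"],
                              config["specific_oid"],
                              config["specific_trap_id"])
    varbinds = [
        (validate_oid(trap_oid + ".1"), substitute_tokens(config["host"], result_row)),
        (validate_oid(trap_oid + ".8"), config["search"]),
    ]
    return trap_oid, varbinds


# Constructed sample: one row of `index=_internal | table host, splunk_field_name`
SAMPLE_ROW = {"host": "web01", "splunk_field_name": "cpu_high"}

# Constructed alert configuration following the split recommended in the thread.
GOOD_CONFIG = {
    "enterprise_oid": "1.3.6.1.4.1",
    "specific_oid": "27389",
    "specific_trap_id": "1",
    "host": "$result.host$",
    "search": "index=_internal | table host, splunk_field_name",
}

# Constructed misconfiguration: full OID in the Enterprise field, Specific OID blank.
BAD_CONFIG = dict(GOOD_CONFIG, enterprise_oid="1.3.6.1.4.1.27389", specific_oid="")


if __name__ == "__main__":
    trap_oid, varbinds = build_varbinds(GOOD_CONFIG, SAMPLE_ROW)
    print("trap OID:", trap_oid)
    for oid, value in varbinds:
        print(f"  {oid} = {value!r}")
    try:
        build_varbinds(BAD_CONFIG, SAMPLE_ROW)
    except ValueError as err:
        print("rejected before reaching pysnmp:", err)
```

Running the block prints the trap OID 1.3.6.1.4.1.27389.1 with its two varbinds for the good configuration and a clear rejection for the blank Specific OID, which is the error a practitioner would rather see in the alert's own log than a MibViewController traceback.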