snmp mod input retrieving more than it should with get bulk

chris_thuys
Path Finder

I am using get bulk to download specific columns of the interfaces table ifTable. I do this in an attempt to reduce the amount of data being stored in Splunk.

My snmp input works but retrieves more than it should when using get bulk. I retrieve 1.3.6.1.2.1.2.2.1.13 using get bulk and it retrieves all of that branch (102 entries) plus 23 from the next branch. This would be fine except where I also retrieve the next column 1.3.6.1.2.1.2.2.1.13 which retrieves the branch again (102 reentries) leaving me with 125 entries for that branch. The net result when trying to graph the result of the counter types is bad data, as they are counter values and you need to use the delta function to calculate the amount of data sent.
Any idea how to get this module to retrieve only the branch requested, à la get subtree?

Copy of inputs.conf below.

[snmp://Brocade switch ifInOctets]
communitystring = knotpublic
destination = perat8fca01
do_bulk_get = 1
index = snmp_unix
ipv6 = 0
object_names = 1.3.6.1.2.1.2.2.1.10,1.3.6.1.2.1.2.2.1.13,1.3.6.1.2.1.2.2.1.14
snmp_mode = attributes
snmp_version = 2C
snmpinterval = 120
sourcetype = snmp-get
split_bulk_output = 1
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

0 Karma

chris_thuys
Path Finder

The answer would seem to be a result of the difference between getBulk and nextCmd.
To return the values from a subtree, nextCmd should be used.

I solved this issue by editing the SNMP Modular Input app and adding another check box to allow get subtree using the nextCmd function.

I had to edit snmp.py, inputs.conf.spec, and default/data/ui/manager/snmp_manager.xml.

0 Karma
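The getBulk versus nextCmd difference described in this thread, as an added example that is not part of the original posts or of the SNMP Modular Input's code. It simulates an agent in memory; the constructed ifTable data, the max-repetitions value of 25 and all function names are assumptions chosen to reproduce the 102 + 23 = 125 count from the question.

```python
import bisect

# Constructed agent data: ifTable columns .10, .13, .14 with 102 rows each.
IFENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)
MIB = sorted((IFENTRY + (col, row), col * 1000 + row)
             for col in (10, 13, 14) for row in range(1, 103))
KEYS = [oid for oid, _ in MIB]  # tuples sort in SNMP lexicographic order


def in_subtree(oid, root):
    return oid[:len(root)] == root


def get_next(oid):
    """GETNEXT: the single varbind whose OID follows `oid`, or None."""
    i = bisect.bisect_right(KEYS, oid)
    return MIB[i] if i < len(MIB) else None


def get_bulk(oid, max_repetitions):
    """GETBULK: up to max_repetitions successors; the agent knows no subtree."""
    i = bisect.bisect_right(KEYS, oid)
    return MIB[i:i + max_repetitions]


def bulk_unfiltered(root, max_repetitions=25):
    """Keep every varbind of every response, stop once a response overruns."""
    out, cursor = [], root
    while True:
        batch = get_bulk(cursor, max_repetitions)
        out.extend(batch)
        if not batch or not in_subtree(batch[-1][0], root):
            return out
        cursor = batch[-1][0]


def walk_subtree(root):
    """GETNEXT walk: stop at the first OID outside the requested column."""
    out, cursor = [], root
    while (vb := get_next(cursor)) and in_subtree(vb[0], root):
        out.append(vb)
        cursor = vb[0]
    return out


def bulk_subtree(root, max_repetitions=25):
    """GETBULK with a client-side prefix filter: same rows as the walk."""
    return [vb for vb in bulk_unfiltered(root, max_repetitions)
            if in_subtree(vb[0], root)]
```

The overrun comes from the final GETBULK response, which is padded to max-repetitions with rows of the following column; bounding the result by OID prefix on the client removes it whichever request type is used.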