
where to validate if the SNMP_Ta was successfully getting data from SNMP agent

Communicator

We installed snmp_ta on our forwarders and, based on the DS, it is 100% deployed.

These are the steps we did:
1. Created an inputs.conf file to define the following: destination, mib_names, object_names
2. Used the DS (with the reload command) to deploy to a single server

We want to know how to validate the config (aside from running a search), since it is not getting the data into the indexer.


Re: where to validate if the SNMP_Ta was successfully getting data from SNMP agent

Super Champion

The SNMP modular input app is a great one, but it is used for making polling compatible with Splunk's conf specs.

So ensure:
1. You put your SNMP_TA on a heavy forwarder or a forwarder with Python installed. Only on ONE forwarder, otherwise you will get duplicate data. This is for COLLECTION purposes.
2. You need to create an index following your organisation's standards (e.g. idx_mycompany_snmp).
3. Create inputs.conf with the SNMP pulling details, either in an app of your own or within the "local" directory of the SNMP modular app, and put in settings something like the below...

[snmpif://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
interfaces = 1,5,8,9
index = idx_mycompany_snmp 
# The sourcetype can be whatever you want
sourcetype = snmpif

Then search within that index.


Re: where to validate if the SNMP_Ta was successfully getting data from SNMP agent

Communicator

Thanks for those points... a few questions again:
1. Does this mean that we would install the inputs.conf, with the stanzas for all the IPs/hostnames/servers that it needs to poll, on only one server?
2. Given the settings below, can you verify if we did it correctly?
[snmp://procsite]
communitystring = public
destination = IP1 --> server IP
do_bulk_get = 0
do_get_subtree = 0
index = idx
ipv6 = 0
mib_names = MIBNAME1, MIBNAME1, MIBNAME1 --> custom mibs saved in /snmp_ta/bin/mibs; does this have to include the extension names? is it ok to have this outside the .egg??
object_names = {600 OIDs defined} --> is this ok or we need to break it down??
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = sourcetype1
split_bulk_output = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

3. We are getting the errors below in _internal; does it mean that Python is not running on the forwarder?

0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB file ".py[co]" not found in search path
0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" File "/opt/splunkforwarder/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 270, in loadModules
0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" mibBuilder.loadModules(*mibnamesargs)


Re: where to validate if the SNMP_Ta was successfully getting data from SNMP agent

Super Champion
  1. Correct. You can create any number of such entries in the inputs.conf, each in a separate stanza.
  2. From the error, it seems the app is looking for bundled Python. Are you using a Universal Forwarder? The UF doesn't have Python bundled and may not work. Try installing on an HF or a normal Splunk instance, or you may need to find a way to use a separate Python installation.
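
One way to validate the input without running a search is to triage the ExecProcessor messages in the forwarder's splunkd.log. This is an added example, not part of the original thread or the app's own code: the function name `triage` and the sample lines are constructed from the messages quoted above. It reports whether the messages contain a Python exception or traceback frame, which is only written once the interpreter has started.

```python
import re

# splunkd.log line shape quoted in the thread:
#   ... ERROR ExecProcessor - message from "<command>" <stderr text>
EXEC_RE = re.compile(r'ERROR ExecProcessor - message from "(?P<cmd>[^"]+)"\s?(?P<msg>.*)$')
# Python exception line: dotted class name ending in Error/Exception, then ": detail"
EXC_RE = re.compile(r'^(?P<exc>[A-Za-z_][\w.]*(?:Error|Exception)): (?P<detail>.*)$')
# Python traceback frame: File "<path>", line N, in <function>
FRAME_RE = re.compile(r'File "(?P<file>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')

def triage(log_lines, script="snmp.py"):
    """Summarise the stderr splunkd captured from one scripted/modular input."""
    report = {"messages": 0, "exceptions": {}, "frames": [], "script_ran": False}
    for raw in log_lines:
        m = EXEC_RE.search(raw.rstrip("\n"))
        if not m or not m.group("cmd").endswith(script):
            continue  # not an ExecProcessor error, or a different input script
        report["messages"] += 1
        msg = m.group("msg").strip()
        exc = EXC_RE.match(msg)
        if exc:  # count identical exceptions instead of repeating them
            key = (exc.group("exc"), exc.group("detail"))
            report["exceptions"][key] = report["exceptions"].get(key, 0) + 1
        frame = FRAME_RE.search(msg)
        if frame:
            report["frames"].append(
                (frame.group("file"), int(frame.group("line")), frame.group("func")))
    # An exception or traceback frame is only written once the interpreter is running.
    report["script_ran"] = bool(report["exceptions"] or report["frames"])
    return report

# Constructed sample: the three messages quoted in the thread plus one unrelated line.
CMD = "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py"
PREFIX = '0400 ERROR ExecProcessor - message from "%s" ' % CMD
SAMPLE = [
    PREFIX + 'pysnmp.smi.error.SmiError: MIB file ".py[co]" not found in search path',
    PREFIX + 'File "/opt/splunkforwarder/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg'
             '/pysnmp/smi/builder.py", line 270, in loadModules',
    PREFIX + "mibBuilder.loadModules(*mibnamesargs)",
    "0400 INFO TailReader - constructed unrelated line",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("messages from snmp.py:", result["messages"])
    print("script started and raised:", result["script_ran"])
    for (name, detail), count in result["exceptions"].items():
        print("%dx %s: %s" % (count, name, detail))
```

To use it on real data, pass an open file handle for a copy of the forwarder's splunkd.log to `triage` in place of `SAMPLE`.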