Getting Data In

Best Practices for SNMP traps from Universal Forwarder

thefilmguy
New Member

I am trying to send SNMP traps from Cisco wireless controllers to our universal forwarder which has net-snmp installed. While I have it working and data is getting to the indexer, I have a few problems listed below. Note that I cannot send traps directly to splunk. All data needs to hit the UF first.

SNMP output is not clean
With the STRING, INTEGER, and other random output between the key values, it's causing Splunk to incorrectly parse them. A hacky way would be for me to use SEDCMD to remove this data in props.conf but it is not working. My assumption is SEDCMD does not work on a Windows indexer but I've been told it should. Is there a better way with net-snmp to prevent this?

2019-12-27 10:14:28 Agent_Address = 0.0.0.0
Agent_Hostname = UDP: [10.20.20.10]:44369->[10.20.20.200]:162
PDU_Attribute_Value_Pair_Array:
sysUpTimeInstance = Timeticks: (1440866000) 166 days, 18:24:20.00
snmpTrapOID.0 = OID: bsnDot11StationAssociate
bsnStationAPMacAddr.0 = STRING: 5c:83:8f:79:6d:40
bsnStationAPIfSlotId.0 = INTEGER: 1
bsnUserIpAddress.0 = IpAddress: 10.20.196.141
bsnStationUserName.0 = STRING: limguest
bsnStationMacAddress.0 = STRING: 78:7e:61:d1:d0:f8
bsnAPName.0 = STRING: "uslcoAP2302"
---

Breaker lines not working
I am having multiple events appear under a single event in Splunk.

props.conf

[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 60
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P<node>[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
0 Karma
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...