Getting Data In
Highlighted

Generate SNMP trap from Splunk

Engager

I have a requirement to generate an SNMP trap and forward it to a monitoring tool whenever a particular log message is received by Splunk. I can't seem to find anything like this in either the product or in an app. The only thing I can think of doing is to configure a forwarder in Splunk to send a copy of these messages to an intermediate process (that I'll build) that will convert the message into an SNMP trap.

Is there any other way to do this? If not, I've never configured a forwarder before. If I set up a forwarder on Splunk that forwards only specific messages, will this forward a copy or the message or will it "consume" the message? I want to be able to still query these messages in Splunk - I just want the additional notification sent via SNMP.

Tags (1)
0 Karma
Highlighted

Re: Generate SNMP trap from Splunk

Engager
Highlighted

Re: Generate SNMP trap from Splunk

Splunk Employee
Splunk Employee

I used that script but modified it to include more detail about the search returned through the raw saved results. It then outputs to a file for viewing results as well as sending the trap to our netcool omnibus system. The only thing you will have to do is customize this script based on your environment and define the mappings in a mib file.

#!/usr/bin/perl

$hostPortSNMP = "IPADDRESS"; # SNMP Destination Host and Port
$snmpTrapCmd = "/usr/bin/snmptrap"; # Path to snmptrap executable, from http://www.net-snmp.org$TrapOID = "1.3.6.1.4.1.27389.1.2"; # Object ID for traps/notifications, Splunk Enterprise OID is 27389
$TRAPOID = "1.3.6.1.4.1.27389.1.2"; # Object IDentifier for traps/notifications
$OID = "1.3.6.1.4.1.27389.1.1"; # Object ID for objects, Splunk Enterprise OID is 27389


$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string
$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search
$searchTags = $ARGV[6]; # $7 - Always empty as of 4.1
$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)


use Text::CSV;
my $csv = Text::CSV->new();

`gunzip $searchPath`;
chop($searchPath);
chop($searchPath);
chop($searchPath);
#print $searchPath;

open (CSV,"<",$searchPath) or die "cannot open file:$1";
$count = 0;
while (<CSV>) {
        if ($csv->parse($_)) { 
          # my @columns = $csv->fields();

if ($count =1) {
$val = $columns[1];
@columns = $csv->fields();
}

$count = $count +1;
        } else {
            my $err = $csv->error_input;
            print "Failed to parse line: $err";
        }
    }

@time = scalar localtime();
open (MYOFILE,">>",'/splunk/splunk_alert.log') or die "cannot open output file:$!";
print MYOFILE "@time,$columns[0],$columns[1],$columns[3],$columns[2]\n";
close (MYOFILE);

@args = ("-v", "2c", "-c", "public", $hostPortSNMP, "<sending host field>", $TRAPOID, "$OID.1", "s", "$columns[1]","$OID.2", "s","$columns[2]","$OID.3","s", "$columns[0]","$OID.4", "s","$columns[3]");

#ouput snmp data for debugging
#$myparams = join(" ", @args);

#open (MYOFILE2,">>",'/splunk/splunk_snmp.log') or die "cannot open output file:$!";
#print MYOFILE2 "$snmpTrapCmd $myparams\n";
#close (MYOFILE2);

exec($snmpTrapCmd, @args);


#close (MYOFILE);
close CSV;
Highlighted

Re: Generate SNMP trap from Splunk

Splunk Employee
Splunk Employee
#!/usr/bin/perl

$hostPortSNMP1 = "<IPADDRESS1>"; # SNMP Destination Host and Port multiple addresses if you have a clustered env
$hostPortSNMP2 = "<IPADDRESS2>";
$hostPortSNMP3 = "<IPADDRESS3>";
$snmpTrapCmd = "/usr/bin/snmptrap"; # Path to snmptrap executable, from http://www.net-snmp.org$TrapOID = "1.3.6.1.4.1.27389.1.2"; # Object ID for traps/notifications, Splunk Enterprise OID is 27389
$TRAPOID = "1.3.6.1.4.1.27389.1.2"; # Object IDentifier for traps/notifications
$OID = "1.3.6.1.4.1.27389.1.1"; # Object ID for objects, Splunk Enterprise OID is 27389


$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string
$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search
$searchTags = $ARGV[6]; # $7 - Always empty as of 4.1
$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)


use Text::CSV;
my $csv = Text::CSV->new();

`gunzip $searchPath`;
chop($searchPath);
chop($searchPath);
chop($searchPath);

open (CSV,"<",$searchPath) or die "cannot open file:$1";
my $line = <CSV>;
$line = <CSV>; 
chomp($line);
my @columns = split(",",$line);
for (@columns) {
s/\"//g;
}

#To re-enable writing to the splunk_alert.log for debugging remove the commends below 
open (MYOFILE,">>",'/splunk/splunk_alert.log') or die "cannot open output file:$!";
print MYOFILE "$columns[0],support_group=\"${columns[1]}\",host=${columns[2]},severity=\"${columns[3]}\",message=\"${columns[4]}\"\n";
close (MYOFILE);

#Here are the mappings from the array with values from splunk: column[0]=time column[1]=assignment group column[2]=host column[3]=severity column[4]=message

@args1 = ("-v", "2c", "-c", "public", $hostPortSNMP1, "<sending host field>", $TRAPOID, "$OID.1", "s", $columns[0],"$OID.2", "s", $columns[1],"$OID.3","s", $columns[2],"$OID.4", "s",$columns[3], "$OID.5", "s", $columns[4]);

@args2 = ("-v", "2c", "-c", "public", $hostPortSNMP2, "<sending host field>", $TRAPOID, "$OID.1", "s", $columns[0],"$OID.2", "s", $columns[1],"$OID.3","s", $columns[2],"$OID.4", "s",$columns[3], "$OID.5", "s", $columns[4]);

@args3 = ("-v", "2c", "-c", "public", $hostPortSNMP3, "<sending host field>", $TRAPOID, "$OID.1", "s", $columns[0],"$OID.2", "s", $columns[1],"$OID.3","s", $columns[2],"$OID.4", "s",$columns[3], "$OID.5", "s", $columns[4]);


system($snmpTrapCmd, @args1);
system($snmpTrapCmd, @args2);
system($snmpTrapCmd, @args3);

#close (MYOFILE);
close CSV;
Highlighted

Re: Generate SNMP trap from Splunk

Explorer

I have this working on our system. However, I have been asked if it's possible to include the contents of the "message field" in the enable actions of the Splunk Alert? We want to add instructions in that field that will be passed into our open-view system and eventually on to our NOC operators. I am not aware of a Splunk_ARG field for "message field."

0 Karma