Getting Data In

How to capture SNMP traps in Splunk?

Hemnaath
Motivator

Hi All, I have been told to configure one of the Heavy Forwarder instances to receive and index the Cisco Prime traps. I have gone through the link https://docs.splunk.com/Documentation/Splunk/6.5.0/Data/SendSNMPeventstoSplunk provided in the Splunk documentation,
but I am not sure how to install/configure snmptrapd to capture the remote data.

Question:

1) From where do I need to download snmptrapd? Please provide me the link.
2) My Heavy Forwarder is running on top of Linux version "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64-bit OS, so what version of snmptrapd will be compatible?
3) How do I configure snmptrapd to capture the Cisco Prime traps? Where do I configure these two stanzas in snmptrapd?

snmptrapd -Lf /var/log/snmp-traps
snmptrapd -Lf /var/log/snmp-traps --disableAuthorization=yes

4) Once snmptrapd is configured, I will be configuring the below inputs.conf stanza, so that Splunk can read the traps from this location on the heavy forwarder.

inputs.conf
[monitor:///var/log/snmp-traps*]
index=network
sourcetype=network:cisco:primesnmp

Kindly guide me on the above questions.

0 Karma

woodcock
Esteemed Legend

You need the SNMP Modular Input app by @damiendallimore:
https://splunkbase.splunk.com/app/1537/

0 Karma

Hemnaath
Motivator

Hi Woodcock, thanks for your support on this. Yes, I have gone through the link, but my requirement is to configure one of the Splunk Heavy Forwarder instances to receive and index the Cisco Prime traps, and at the same time I need to have the index=network and sourcetype=network:cisco:primesnmp details configured in the inputs.conf stanza.

Kindly guide me whether we can do this via the SNMP Modular Input app.

0 Karma

Hemnaath
Motivator

Hi Woodcock, I tried to install the app from Splunkbase on my test machine. After installing the app, I followed the below steps to capture the Cisco Prime SNMP traps.

Steps:
1) Manager --> Settings --> Data inputs --> SNMP --> New

2) SNMP Mode was set as "Listen for traps"

3) SNMP Version kept as "2c"

4) Community String as "Public"

5) Custom MIBs - "Left Blank"

6) Custom Response Handling
Response Handler --> Left Blank
Response Handler Arguments --> Left Blank

7) SNMP Trap listener settings
TRAP listener host " 10.X.X.X" --> Heavy Forwarder IP Address
TRAP listener port "162"

8) Reverse DNS lookup of trap sources --> Left this option "unchecked"

9) Source type set to Manual

10) sourcetype : network:cisco:primesnmp

11) More settings -- > In this setting, I would like to set the index name as network.

Question :

1) How do I set index=network in the More settings?
2) After saving the settings, where can I see the inputs.conf stanza in this app? I mean under /opt/splunk/etc/apps/snmp_ta.
3) Which option is better to capture the SNMP traps: using snmptrapd or using this app?

Kindly guide me on this.
thanks in advance.

0 Karma

saurabh_tek11
Communicator

@Hemnaath Custom MIBs - you may get them from the source Cisco device's management portal - download them and place them on your Splunk instance machine (HF) at the snmp_ta/bin/mibs location.

1)How to set the index=network in the more settings ?

Under More settings - to select 'network' as the index name - you first have to create this 'network' index on the Splunk indexer.
Go to the indexer machine: Settings > Indexes > Create new index > give the name and the location of the hot/warm/cold buckets.
Now come back to the SNMP settings page and you will get "network" listed as an index under this.

2) After saving the settings where I can see the inputs.conf stanza in this app. I mean from /opt/splunk/etc/apps/snmp_ta

/opt/splunk/etc/apps/snmp_ta
Inside this location, create a new directory named 'local'.
Create a new file there named "inputs.conf" for any data collection.

3) Which option is better to capture the snmp traps, whether by using the snmptrapd or by using this app.

Both ways are right - use one which suits your requirements. I would prefer app.

0 Karma

Hemnaath
Motivator

Hi Saurabh, in our production environment we are already indexing other network-related device data into index=network.

But when I tested on my personal laptop, after providing the required details I could see the inputs.conf file being placed under this folder: /opt/splunk/etc/apps/launcher/local/inputs.conf. Can I copy the same and place it in /opt/splunk/etc/apps/snmp_ta/local/inputs.conf?

I am not sure about the custom MIBs, so can I leave that option blank? Will there be any impact because of it?

Please guide me whether the above steps are correct to capture the remote Cisco Prime SNMP traps on the Heavy Forwarder instance using the app.

thanks in advance.

0 Karma

saurabh_tek11
Communicator
1. That input is coming at /opt/splunk/etc/apps/launcher/local/inputs.conf because you made the settings changes in the UI (Manager --> Settings --> Data inputs --> SNMP --> New). Although moving it is not needed, as this is your test env., if you move it that won't affect anything, except that at a later point of time, if you revisit it under snmp_ta, this inputs.conf will clearly indicate what inputs it is used for (as it is under snmp).

A MIB is about the explanation of some codes, like HTTP 200 means OK. It adds value for the sake of better understanding and clarity.

The steps seem to be correct.

0 Karma

Hemnaath
Motivator

Hi All, I have successfully downloaded and installed snmptrapd with the help of the Linux administrator.

From the below site you can download the snmptrapd RPM for "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64-bit OS.

http://rpm.pbone.net/index.php3

Questions :

1) Do I need to add any other configuration details in /etc/snmp/snmptrapd.conf?

# TRAPD BEHAVIOUR

snmpTrapdAddr udp:127.0.0.1:162,udp6:[::1]:162
doNotLogTraps no

# ACCESS CONTROL

authCommunity log,execute,net solarwinds
disableAuthorization no

# NOTIFICATION PROCESSING

# OTHER CONFIGURATION

2) What configuration details should be added under this file: /etc/sysconfig/snmptrapd?

# snmptrapd command line options

OPTIONS="-Lsd"

Kindly guide me on this.
thanks in advance

0 Karma
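The snmptrapd route from the first post and the snmptrapd.conf draft above, carried through end to end, as an added example (editor's script, not code from the thread, from net-snmp or from Splunk). Two things in the drafts above are worth changing before this goes into production: `snmpTrapdAddr udp:127.0.0.1:162` binds to loopback, so traps from a remote Cisco Prime would never be seen, and `--disableAuthorization=yes` (or `disableAuthorization yes` in the file) makes snmptrapd accept traps with any community string from any sender. The script keeps authorization on, binds to the forwarder's address, grants the community `log` only (`execute` lets traps run traphandle scripts and `net` lets them be forwarded, neither of which indexing needs), and restricts 162/udp to the Cisco Prime address. Assumed, not from the thread: RHEL 7 package names, firewalld, Splunk under /opt/splunk, the trap file /var/log/snmp-traps, and the listener IP, community string and Cisco Prime IP passed on the command line.

```shell
#!/bin/sh
# Added example (not from the thread): bring up net-snmp's snmptrapd on a
# RHEL 7 heavy forwarder, log SNMPv2c traps to a file, and point Splunk at it.
# Assumptions: RHEL 7 package names (net-snmp, net-snmp-utils), firewalld,
# Splunk in /opt/splunk, trap file /var/log/snmp-traps; listener IP,
# community string and Cisco Prime source IP come from the command line.
# Usage: sh setup-traps.sh --apply <listener_ip> <community> <cisco_prime_ip>

TRAP_FILE=/var/log/snmp-traps

# snmptrapd.conf: authorization stays ON and the community gets 'log' only.
# 'execute' would let traps run traphandle scripts and 'net' would let them be
# forwarded; neither is needed to index traps. Binding to 127.0.0.1 (as in the
# stock file) would never see traps from a remote Cisco Prime.
render_snmptrapd_conf() {
  listen_ip=$1
  community=$2
  cat <<EOF
# TRAPD BEHAVIOUR
snmpTrapdAddr udp:${listen_ip}:162
doNotLogTraps no
# ACCESS CONTROL
disableAuthorization no
authCommunity log ${community}
EOF
}

# /etc/sysconfig/snmptrapd: the stock -Lsd logs to syslog; -Lf logs to a file
# that Splunk can monitor. The RHEL 7 systemd unit adds -f (foreground) itself.
render_sysconfig() {
  printf 'OPTIONS="-Lf %s"\n' "$1"
}

# Splunk monitor stanza for the trap file. The 'network' index must already
# exist on the indexers (it does in the poster's environment).
render_inputs_conf() {
  cat <<EOF
[monitor://$1]
index = network
sourcetype = network:cisco:primesnmp
EOF
}

apply() {
  listen_ip=$1
  community=$2
  prime_ip=$3
  yum -y install net-snmp net-snmp-utils
  render_snmptrapd_conf "$listen_ip" "$community" > /etc/snmp/snmptrapd.conf
  chmod 0600 /etc/snmp/snmptrapd.conf            # the community string is a credential
  render_sysconfig "$TRAP_FILE" > /etc/sysconfig/snmptrapd
  touch "$TRAP_FILE" && chmod 0644 "$TRAP_FILE"  # readable by the splunk user
  systemctl enable snmptrapd
  systemctl restart snmptrapd
  # Only Cisco Prime may reach 162/udp (firewalld rich rule; an assumption).
  firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"${prime_ip}\" port port=\"162\" protocol=\"udp\" accept"
  firewall-cmd --reload
  # Splunk side: append the monitor stanza and restart the forwarder.
  render_inputs_conf "$TRAP_FILE" >> /opt/splunk/etc/system/local/inputs.conf
  /opt/splunk/bin/splunk restart
  # Smoke test from the forwarder itself: send a v2c coldStart trap
  # (OID 1.3.6.1.6.3.1.1.5.1) to the listener and show what snmptrapd wrote.
  snmptrap -v 2c -c "$community" "$listen_ip" '' 1.3.6.1.6.3.1.1.5.1
  sleep 1
  tail -n 5 "$TRAP_FILE"
}

if [ "${1:-}" = "--apply" ]; then
  apply "$2" "$3" "$4"
fi
```

Run it once as root with `--apply`; without that flag it only defines the render functions, which is handy for reviewing the generated files before touching /etc. The final `snmptrap` sends a trap with the configured community; sending one with a wrong community should produce nothing in the file, which is the quickest way to confirm that `disableAuthorization no` is actually in effect. Note that the monitor stanza uses the exact file path rather than the `/var/log/snmp-traps*` wildcard from the first post.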

Hemnaath
Motivator

Hi Woodcock, hey, I had downloaded snmptrapd from this link https://sourceforge.net/projects/net-snmp/files/net-snmp/5.7.3/ but I am not sure how to install this package on Linux OS.

"Download net-snmp-5.6.1.1-1.x86.exe (4.2 MB)"

Kindly let me know how to install this on Linux.

0 Karma

saurabh_tek11
Communicator

@Hemnaath -
You are using "Red Hat Enterprise Linux Server release 7.3 (Maipo)" 64-bit OS on the HF, so the .exe file format is not for you.

You may download the .gz version, which you can untar on Linux OS:
tar xvzf <archive.tar.gz> -C <target-directory>

0 Karma

Hemnaath
Motivator

Hi Saurabh, thanks for your support. Can you please provide me the link and the exact file to download from the site?

thanks in advance

0 Karma

Hemnaath
Motivator

Hi All, can anyone guide me on this?

0 Karma