
How to monitor switch, router... and other Cisco devices using SNMP.



I am using NET-SNMP on Windows to receive and log SNMP traps to a file, and I want Splunk to monitor that file. How do I do this?
I installed NET-SNMP on Windows.
What is the next step?

0 Karma

Splunk Employee

Have you taken a look at the Cisco Networks app for Splunk?


Path Finder


This is fairly simple since you will be monitoring just one file containing all your SNMP trap logs.
Assuming your Splunk indexer is located on a dedicated server somewhere else, you will have to install a Universal Forwarder on the Windows instance where the SNMP traps log file is located.

Download the Universal Forwarder and install it. As a best practice I would recommend you create an inputs.conf and an outputs.conf file inside an app, which is basically a directory where you will place both files for SNMP traps, for example:
$SPLUNK_HOME\etc\apps\UF-SNMP_collection. This will be a scalable way of managing all your inputs centrally from a deployment server.

Universal Forwarder

UF-SNMP_collection > default > inputs.conf

[monitor://<path to your snmptrapd log file>]
host          = yourhostname
# index defaults to main, but creating a test index is a best practice
index         = main
# snmptraps could be a good sourcetype name
sourcetype    = snmptraps

UF-SNMP_collection > default > outputs.conf

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = yourindexer:9997

Splunk Indexer or Search Head

Define an app name, for example "APP-SNMP" and then create two sub-folders default and metadata.

If your Splunk indexer is located in the same Windows instance as your snmp traps log file, just place the inputs.conf file together with the props.conf file within this app and discard the outputs.conf file step.

APP-SNMP > default >props.conf

These parameters are examples of best practices for line breaking and search optimization. You will have to tweak them according to your SNMP trap logs' timestamp format and its location within the log. Read about this in Splunk Docs; you don't have to do it, but it's good to know it 🙂


# Stanza name matches the sourcetype set in inputs.conf
[snmptraps]
# Accurate line breaking steps

TIME_FORMAT              = %b %d %H:%M:%S %Z%z %Y
TIME_PREFIX              = \w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
LINE_BREAKER             = ([\n\r])\w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
TRUNCATE                 = 50000

# field extraction

EXTRACT-field_foo       = some regex
EXTRACT-field_bar        = some regex

APP-SNMP > metadata > default.meta

[]
access = read : [ * ], write : [ admin ]
export = system

All the field extractions should be placed within this app context so you have better control of them.

Normally when you do the field extraction in the Splunk GUI, the props.conf will be placed in a local folder of the app context you are working in.

Commonly search or launcher, so check either:



But how do I send SNMP traps from the switch to the Splunk machine? I have installed net-snmp on the Splunk machine and configured SNMP on the switch 😞

0 Karma

Path Finder

OK, as I understood, you are dumping all the SNMP traps into a log file, right?
You will have to either monitor that log file, assuming you have installed Splunk Enterprise on the same machine where the file is, or use a Universal Forwarder as I described above to monitor that file and forward it to the indexer.

0 Karma


I have installed NET-SNMP on the Splunk machine (Windows Server 2008 R2).
1. Splunk machine
- Edit file C:/usr/etc/snmp/snmptrapd.conf
authCommunity log public
- Add data -> Monitor -> UDP port 162
2. Router
I configured
Router(config)# snmp-server community public ro
Router(config)# snmp-server community public rw
Router(config)# snmp-server host version 2 public

But on the Splunk machine I didn't receive SNMP. What did I do wrong?

0 Karma


Thank you for this reply. This is very helpful!

0 Karma