This is fairly simple since you will be monitoring just one file containing all your SNMP traps logs.
Assuming your Splunk indexer is located in a dedicated server somewhere else, you will have to install a Universal Forwarder in the Windows instance where the snmp traps log file is located.
Download the Universal Forwarder, install it and as a best practice I would recommend you to create an inputs.conf and outputs.conf file located inside an app, which is basically a directory where you will place both files for snmp traps, for example:
$SPLUNK_HOME\etc\apps\UF-SNMP_collection. This will be a scalable way of managing all your inputs centrally from a deployment-server.
UF-SNMP_collection > default > inputs.conf
[monitor://C:\folder1\folder2\snmptraps.log]
host = yourhostname
index = (defaults to *main*, but creating a test index is a best practice)
sourcetype = snmptraps (could be a good one)
UF-SNMP_collection > default > outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = yourindexer:9997
Splunk Indexer or Search Head
Define an app name, for example "APP-SNMP" and then create two sub-folders default and metadata.
If your Splunk indexer is located in the same Windows instance as your snmp traps log file, just place the inputs.conf file together with the props.conf file within this app and discard the outputs.conf file step.
APP-SNMP > default >props.conf
These parameters are examples of best practices for line breaking and search optimization; you will have to tweak them according to your snmp trap logs' timestamp format and location within the log. Read about this in Splunk Docs, you don't have to do it, but it's good to know it 🙂
[snmptraps]
# Accurate line breaking steps
TIME_FORMAT = %b %d %H:%M:%S %Z%z %Y
TIME_PREFIX = \w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
LINE_BREAKER = ([\n\r])\w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 50000
# field extraction
EXTRACT-field_foo = some regex
EXTRACT-field_bar = some regex
APP-SNMP > metadata > default.meta
[]
access = read : [ * ], write : [ admin ]
export = system
All the field extractions should be placed within this app context so you have better control of it.
Normally when you do the field extraction in the Splunk GUI, the props.conf will be placed in a local folder of the app context you are standing in.
Commonly search or launcher, so check either:
$SPLUNK_HOME\etc\apps\launcher\local\props.conf
$SPLUNK_HOME\etc\apps\search\local\props.conf
$SPLUNK_HOME\etc\user\**youruser**\search\local\props.conf
$SPLUNK_HOME\etc\user\**youruser**\launcher\local\props.conf
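As an added harness (not part of the answer above or of Splunk itself), the following Python script applies the post's LINE_BREAKER regex and the TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD mechanics to a constructed snmptrapd-style log, so you can check tweaked props.conf values against a sample of your own file before deploying the app. TIME_PREFIX and TIME_FORMAT here are assumptions adjusted to the constructed sample lines, as the post says you must do for your own timestamp format.

```python
import re
from datetime import datetime

# Taken from the post's [snmptraps] props.conf example.
LINE_BREAKER = r"([\n\r])\w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+"
MAX_TIMESTAMP_LOOKAHEAD = 25

# Assumption: prefix/format adjusted to the constructed sample below
# (weekday, month, day, year, time); tweak for your own log format.
TIME_PREFIX = r"^\w+\s"
TIME_FORMAT = "%b %d %Y %H:%M:%S"

# Constructed sample: two traps, the second one spans three lines, so a
# naive split on newlines would wrongly yield five events.
SAMPLE_LOG = (
    "Mon Jan 15 2024 10:23:45 <UNKNOWN> [UDP: [192.0.2.1]:161->[192.0.2.100]:162]:\n"
    "sysUpTimeInstance = Timeticks: (12345) 0:02:03.45\n"
    "Mon Jan 15 2024 10:24:07 <UNKNOWN> [UDP: [192.0.2.2]:161->[192.0.2.100]:162]:\n"
    "sysUpTimeInstance = Timeticks: (67890) 0:11:18.90\n"
    "snmpTrapOID.0 = OID: linkDown\n"
)


def break_events(raw, line_breaker=LINE_BREAKER):
    """Split like Splunk's LINE_BREAKER: the previous event ends at the
    start of capture group 1 and the next starts at its end, so the
    captured newline itself is discarded."""
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e.rstrip("\r\n") for e in events if e.strip()]


def extract_timestamp(event, time_prefix=TIME_PREFIX,
                      time_format=TIME_FORMAT, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Apply TIME_PREFIX, then parse TIME_FORMAT out of at most `lookahead`
    characters after it. Returns None when no timestamp is found (Splunk
    would then fall back to the previous event's time)."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    # strptime needs an exact match, so shrink the window until it parses.
    for n in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:n], time_format)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    for ev in break_events(SAMPLE_LOG):
        print(extract_timestamp(ev), "|", ev.splitlines()[0][:40])
```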
But how to send snmp traps from the switch to the splunk machine? I have installed net-snmp on the splunk machine, and configured snmp on the switch 😞
Ok, as I understood you are dumping all the SNMP traps into a log file, right?
You will have to either monitor that log file, assuming you have installed Splunk Enterprise in the same machine where the file is, or use a Universal Forwarder as I described above, to monitor that file and forward it to the indexer.
I have installed NET-SNMP on splunk machine (winserver 2008 R2).
1. splunk machine
- edit file C:/usr/etc/snmp/snmptrapd.conf
authCommunity log public
- Add data ->monitor-> UDP port 162
Router(config)# snmp-server community public ro
Router(config)# snmp-server community public rw
Router(config)# snmp-server host 192.168.1.100 version 2 public
But on the splunk machine I didn't receive SNMP. What did I do wrong?