Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Receiving SNMP alerts without a Data Input configured

erstexas
Path Finder
‎11-01-2012 08:31 AM

I am trying to stop indexing any SNMP traffic on UDP ports 161 and 162 and they are still coming in even though I do NOT have the ports configured on the Data Inputs page. Does anybody know how these alerts would still be coming in?

Also, I tried to manually ignore them with the documented props.conf and transforms.conf approach in the documentation and this is not working either. Here are the contents of this config:

-props.conf- (/opt/splunk/etc/system/local)

[source::udp:161]
TRANSFORMS-null= setnull

[source::udp:162]
TRANSFORMS-null= setnull

-transforms.conf- (/opt/splunk/etc/system/local)

[setnull]
REGEX = . (tried REGEX = (.) as well)
DEST_KEY = queue
FORMAT = nullQueue

And they are still coming in and getting indexed. Any ideas? I'm not sure where/why Splunk is still listening to these 2 ports and why the above approach is not working.

Any ideas?

0 Karma
Reply

gcoles
Communicator
‎11-02-2012 12:06 AM

You can find out whether or not it is Splunk listening on udp:162 with the following command on any splunk server:

 $SPLUNK_HOME/splunk list udp

It is hard to answer further without knowing what your setup is, aka do you use forwarders, do you have an snmptrapd instance logging to files that are ingested by Splunk on the indexer or forwarders, etc. If you use forwarders, it is possible that they have an inputs.conf file somewhere in $SPLUNK_HOME/etc/apps that specifies listening on udp:162, which won't show up in your web UI on the indexer and/or search head(s).

0 Karma
Reply

mikelanghorst
Motivator
‎11-01-2012 01:48 PM

What does the source say for those snmp events. Last I knew Splunk wouldn't receive them directly. Check your snmpd and snmptrapd configuration on the server to ensure they aren't logging to somewhere under /var/log.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...