Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Receiving SNMP alerts without a Data Input configured

erstexas
Path Finder
‎11-01-2012 08:31 AM

I am trying to stop indexing any SNMP traffic on UDP ports 161 and 162 and they are still coming in even though I do NOT have the ports configured on the Data Inputs page. Does anybody know how these alerts would still be coming in?

Also, I tried to manually ignore them with the documented props.conf and transforms.conf approach in the documentation and this is not working either. Here are the contents of this config:

-props.conf- (/opt/splunk/etc/system/local)

[source::udp:161]
TRANSFORMS-null= setnull

[source::udp:162]
TRANSFORMS-null= setnull

-transforms.conf- (/opt/splunk/etc/system/local)

[setnull]
REGEX = . (tried REGEX = (.) as well)
DEST_KEY = queue
FORMAT = nullQueue

And they are still coming in and getting indexed. Any ideas? I'm not sure where/why Splunk is still listening to these 2 ports and why the above approach is not working.

Any ideas?

0 Karma
Reply

gcoles
Communicator
‎11-02-2012 12:06 AM

You can find out whether or not it is Splunk listening on udp:162 with the following command on any splunk server:

 $SPLUNK_HOME/splunk list udp

It is hard to answer further without knowing what your setup is, aka do you use forwarders, do you have an snmptrapd instance logging to files that are ingested by Splunk on the indexer or forwarders, etc. If you use forwarders, it is possible that they have an inputs.conf file somewhere in $SPLUNK_HOME/etc/apps that specifies listening on udp:162, which won't show up in your web UI on the indexer and/or search head(s).

0 Karma
Reply

mikelanghorst
Motivator
‎11-01-2012 01:48 PM

What does the source say for those snmp events. Last I knew Splunk wouldn't receive them directly. Check your snmpd and snmptrapd configuration on the server to ensure they aren't logging to somewhere under /var/log.

Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...