- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- SNMP traps received by Splunk, send notification o...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SNMP traps received by Splunk, send notification only if clear SNMP trap not received within 5 minutes.
All,
I'm wondering if it is possible to have Splunk to monitor SNMP traps, but only to send a notification out if he receives a specific SNMP trap ID without receiving the clear SNMP trap within 5 minutes. If it does receive the clear then Splunk should not notify outside.
Any help would be appreciated.
I can put the command:
host="myhost.localdomain" earliest=-5m | transaction maxspan=5m maxpause=5m | search IDtrap AND NOT IDtrapclear
But with this command as soon as the SNMP Trap will be received, notification will be sent without waiting for a possible clear.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Startcher,
Actually the command works fine but only after the clear is received. I have the same issue. A notification is fired as soon as the trap is received, without waiting for the clear to appear in the 5m window.
Any idea why splunk doesn't wait for the delay to timeout?
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not having access to sample data I am going to suggest something to look at. Try changing your transaction command. The reference for the command is at http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction?r=splunky
Try something like this:
| transaction maxspan=5m maxpause=5m keepevicted=true startswith=IDtrap endswith=IDtrapclear | search closed_txn=0
If it works what you are telling it is a transaction starts with the trap and ends with the clear. Then you search for non closed transactions which means ones that start with a trap and don't end with a clear.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually it doesn't work for Real-Time All Time and Real-Time 1 minute window. But as well for All time search.
Any workaround to have an alert send if this search returns a result after a selected time window ?
Thanks for your help
Command:
host="myhost.localdomain" AND "2001" earliest=-1m | transaction source startswith="2001" endswith="2002" keepevicted=true maxspan=1m maxpause=1m | search closed_txn=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure. If you are running that as a real time search that might be issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Startcher,
Actually the command works fine but only after the clear is received. I have the same issue. A notification is fired as soon as the trap is received, without waiting for the clear to appear in the 5m window.
Any idea why splunk doesn't wait for the delay to timeout?
Thanks for the help.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
