Splunk Alerts / SNMP

Contributor

I've set up a search, and configured Splunk to run a Perl script generating an SNMP message to another system when the script is run. The code for the Perl script follows:

#!/usr/bin/perl
#
$hostPortSNMP = "10.176.156.206:162"; 
# Host:Port of snmpd or other SNMP trap handler
$snmpTrapCmd = "/usr/bin/snmptrap"; 
# Path to snmptrap, from http://www.net-snmp.org
$TRAPOID = "1.3.6.1.4.1.27389.1.2"; 
# Object IDentifier for traps/notifications 
$OID = "1.3.6.1.4.1.27389.1.1";
# Object IDentifier for objects, Splunk Enterprise OID is 27389

$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string

$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search

$searchTags = $ARGV[6]; # $7 - Always empty as of 4.1
$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)
$cmd = qq/$snmpTrapCmd -v 2c -c public $hostPortSNMP '' $TRAPOID 

$OID.1 i $searchCount $OID.2 s "$searchTerms" $OID.3 s "$searchQuery" $OID.4 s 
"$searchName" $OID.5 s "$searchReason" $OID.6 s "$searchURL" $OID.7 s 
"$searchTags" $OID.8 s "$searchPath"/;
 system($cmd);

When I run the script at the command line I get the following error:

[root@splunk scripts]# ./sendsnmptrap-a.pl
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found
sh: line 2: : command not found
sh: line 3: : command not found

I doubt this is the accurate result. What is wrong with the script? Does it require parameters that I'm missing?

Thanks in advance!

1 Solution

Contributor

The three lines at the bottom needed to be combined. The semicolon gave it away. Perl ends every line with a ; character. Now the Perl part is fixed; however, I don't believe it is generating the expected SNMP output.

[root@splunk scripts]# ./sendsnmptrap.pl

10.176.156.206:1621.3.6.1.4.1.27389.1.1.1: Bad value name (1.3.6.1.4.1.27389.1.1.2)

Path Finder

Hi,

Will this script let us see which version of SNMP is running?

0 Karma

New Member

You may want to ensure that there are no embedded double quotes in the passed arguments from the Splunk alert. The searchQuery for instance may include an exact phrase to search which needs to be quoted.
A little loop before the variables are set works for double quotes:

# Escape every embedded double quote in the alert arguments in place
foreach $entry ( @ARGV ) {
    $entry =~ s/\"/\\"/g;
}

I started sending traps after this update.

0 Karma
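
An alternative to escaping quotes, as an added example that is not the original poster's or Splunk's script: build the snmptrap arguments as a list and call Perl's list-form system(), so no shell parses the alert values and an empty or missing argument keeps its own slot. The SEND_TRAP environment variable and the sample alert values are assumptions made for illustration; the paths, OIDs and community string are the ones in the question.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script.
use strict;
use warnings;

my $SNMPTRAP = "/usr/bin/snmptrap";        # path from the question
my $DEST     = "10.176.156.206:162";       # trap receiver from the question
my $TRAPOID  = "1.3.6.1.4.1.27389.1.2";
my $OID      = "1.3.6.1.4.1.27389.1.1";

# Build the snmptrap argument vector from Splunk's eight positional alert arguments.
sub build_trap_argv {
    my @in = @_;
    # Pad to eight so a missing argument stays an empty string in its own slot.
    my @a = map { defined $in[$_] ? $in[$_] : "" } 0 .. 7;
    # The first varbind is typed "i": accept only an integer, otherwise send 0.
    my $count = $a[0] =~ /\A-?\d+\z/ ? $a[0] : 0;
    my @argv = ($SNMPTRAP, "-v", "2c", "-c", "public", $DEST, "", $TRAPOID,
                "$OID.1", "i", $count);
    # The remaining varbinds are strings; values are passed verbatim, unescaped.
    push @argv, "$OID." . ($_ + 1), "s", $a[$_] for 1 .. 7;
    return @argv;
}

# Constructed sample input: a query with embedded double quotes and shell metacharacters.
my @sample = (3, 'error', 'search "disk full" $(id) `id`', 'Disk alert',
              'number of events > 0', 'https://splunk.example/alert-permalink',
              '', '/tmp/results.csv.gz');

my @argv = build_trap_argv(@ARGV ? @ARGV : @sample);
if ($ENV{SEND_TRAP}) {                     # hypothetical switch for this example
    # List form of system(): Perl executes snmptrap directly, no /bin/sh involved.
    system { $argv[0] } @argv;
    die "snmptrap failed: $?\n" if $? != 0;
} else {
    # Dry run: print each argv element on its own line, exactly as snmptrap would receive it.
    print "[$_]\n" for @argv;
}
```

Run without SEND_TRAP set, it prints the argument vector; the quoted phrase, `$(id)` and the backticks arrive as literal text in a single element.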

Path Finder

Hi,

Did you find the problem? I have the same problem on my machine 😞

Can't fix the Bad value Name error.

Br Jan

0 Karma

Champion

While you might get some perly type people pop on and be able to offer some help, this is a very specific Perl-related problem.

You will likely get a very quick answer if you post this on http://stackoverflow.com/ as they are a site designed for questions just like this.

0 Karma