Splunk Alerts / SNMP

DTERM
Contributor

I've set up a search, and configured Splunk to run a Perl script generating an SNMP message to another system when the script is run. The code for the Perl script follows:

#!/usr/bin/perl
#
$hostPortSNMP = "10.176.156.206:162"; 
# Host:Port of snmpd or other SNMP trap handler
$snmpTrapCmd = "/usr/bin/snmptrap"; 
# Path to snmptrap, from http://www.net-snmp.org
$TRAPOID = "1.3.6.1.4.1.27389.1.2"; 
# Object IDentifier for traps/notifications 
$OID = "1.3.6.1.4.1.27389.1.1";
# Object IDentifier for objects, Splunk Enterprise OID is 27389

$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string

$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search

$searchTags = $ARGV[6]; # $7 - Always empty as of 4.1
$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)
$cmd = qq/$snmpTrapCmd -v 2c -c public $hostPortSNMP '' $TRAPOID 

$OID.1 i $searchCount $OID.2 s "$searchTerms" $OID.3 s "$searchQuery" $OID.4 s 
"$searchName" $OID.5 s "$searchReason" $OID.6 s "$searchURL" $OID.7 s 
"$searchTags" $OID.8 s "$searchPath"/;
 system($cmd);

When I run the script at the command line I get the following error:

[root@splunk scripts]# ./sendsnmptrap-a.pl
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found
sh: line 2: : command not found
sh: line 3: : command not found

I doubt this is the accurate result. What is wrong with the script? Does it require parameters that I'm missing?

Thanks in advance!

1 Solution

DTERM
Contributor

The three lines at the bottom needed to be combined. The semicolon gave it away. Perl ends every line with a ; character. Now the Perl part is fixed; however, I don't believe it is generating the expected SNMP output.

[root@splunk scripts]# ./sendsnmptrap.pl

10.176.156.206:1621.3.6.1.4.1.27389.1.1.1: Bad value name (1.3.6.1.4.1.27389.1.1.2)


jrprez1804
Path Finder

Hi,

Will this script let us see which version of SNMP is running?

0 Karma

g2ugzm
New Member

You may want to ensure that there are no embedded double quotes in the passed arguments from the Splunk alert. The searchQuery, for instance, may include an exact phrase to search which needs to be quoted.
A little loop before the variables are set works for double quotes:

foreach $entry ( @ARGV ) {
    $entry =~ s/\"/\\"/g;
}

I started sending traps after this update.

0 Karma
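
An added example, not part of the posts above or of Splunk's own script: because the alert fields are pasted into one string that `sh` parses, escaping only double quotes still leaves backticks, `$(...)` and newlines in a search query active. Passing the arguments to `system` as a list avoids the shell entirely; the integer fallback, the NUL stripping and the `TRAP_DRY_RUN` variable are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Values copied from the script in the question.
my $hostPortSNMP = "10.176.156.206:162";
my $snmpTrapCmd  = "/usr/bin/snmptrap";
my $TRAPOID      = "1.3.6.1.4.1.27389.1.2";
my $OID          = "1.3.6.1.4.1.27389.1.1";

# Turn the eight alert arguments into an snmptrap argument list.
sub build_trap_args {
    my @alert = @_;
    push @alert, '' while @alert < 8;   # pad so a run without arguments works

    # Field 1 is sent as an SNMP integer; a non-numeric value becomes 0
    # (assumption of this example).
    my $count = $alert[0] =~ /\A\d+\z/ ? $alert[0] : 0;

    my @args = ('-v', '2c', '-c', 'public', $hostPortSNMP, '', $TRAPOID,
                "$OID.1", 'i', $count);
    for my $n (2 .. 8) {
        my $value = $alert[$n - 1];
        $value =~ tr/\0//d;             # NUL cannot appear in an argv string
        push @args, "$OID.$n", 's', $value;
    }
    return @args;
}

my @args = build_trap_args(@ARGV);

if ($ENV{TRAP_DRY_RUN}) {
    # Hypothetical switch for this example: show the argv, one element per line.
    print "[$_]\n" for $snmpTrapCmd, @args;
    exit 0;
}

# List form of system(): Perl execs snmptrap directly and no shell ever
# parses the values, so quotes, backticks, $(...) and newlines stay data.
system($snmpTrapCmd, @args) == 0
    or die "snmptrap failed, wait status $?\n";
```

Running it with `TRAP_DRY_RUN=1` and a query containing quotes or `$(...)` shows each field arriving as a single, unmodified argument.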

jan_wohlers
Path Finder

Hi,

Did you find the problem? I have the same problem on my machine 😞

Can't fix the Bad value Name error.

Br Jan

0 Karma

Drainy
Champion

While you might get some perly type people pop on and be able to offer some help, this is a very specific Perl-related problem.

You will likely get a very quick answer if you post this on http://stackoverflow.com/ as they are a site designed for questions just like this.

0 Karma