Getting Data In

Splunk as a solution for network interface capacity and interface error monitoring?

rrussell2020
Engager

Throughout my career, enterprise network interface capacity and interface error monitoring have been a huge monitoring gap in different organizations.

I use Splunk and Cacti together. Cacti is effective at monitoring interface throughput (and errors if configured) but can be challenging at times. I would love to use Splunk for interface throughput and error monitoring but obviously Splunk is designed for syslog.

Splunk has certainly filled the syslog gap. Many users are familiar with SPL. I'm wondering if there's a possibility of Splunk filling the snmp-read/snmp-trap gap where the same users can use their SPL skills to create monitoring solutions for SNMP data.

I know there are add-ons for snmp but it seems to me SNMP is a major monitoring protocol and Splunk is a major monitoring tool. Would it make sense if Splunk was compatible with SNMP out of the box with full support?


mattymo
Splunk Employee

Hi rrussell2020,

As a long-time Splunker and someone who worked in the telco and network monitoring space, I faced the same scenario, and while I agree that Splunk is a powerful tool that can do many things, sometimes it is best to let the upstream tools do what they are good at, and simply provide Splunk a summary so we can do what we are good at by marrying those metrics to the logs we already have.

Case in point: Cacti and snmptrapd.

Cacti is a rock-solid SNMP poller that is the granddaddy of SNMP polling (rrdtool) and can do a great job of taking care of doing the hard work of SNMP collection (Spine still rocks all these years later). We used Cacti as well, and so I ended up creating a Cacti plugin to feed the poller data to Cacti in nice clean key-value pairs.

http://docs.cacti.net/userplugin:mirage

Then I created a Splunk app as a proof of concept (https://www.splunk.com/blog/2016/01/29/splunk-and-cacti/) that shows how to then use the Cacti backend DB to enrich the KV pairs and glean the knowledge you are looking for. I am hoping to clean up and enhance the Splunk app soon; admittedly it's very basic and just gets you going, as our goal was to feed ITSI.

I have been having tons of fun with the new version of Cacti that forked in some of the great automation plugins, with DB Connect pulling useful info from Cacti's DB too!

As for traps, I simply used snmptrapd on a *nix box to catch traps and load MIBs, then used a forwarder to bring that info in.

So really, at the end of the day, a couple of forwarders running Cacti with our plugin and running snmptrapd, and you have cooked up a pretty awesome collection layer that will get you the best of all the work you have already done in Cacti, nicely enhanced and augmented with Splunk to build advanced analytics, alerting, or even feed ITSI!

- MattyMo
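The "feed Splunk a summary in key-value pairs" approach above leaves one piece to the collection layer: turning raw SNMP counter reads into the throughput and error figures you actually want to alert on. The script below is an added example for this thread, not code from the original post, from Cacti, or from the Mirage plugin. It assumes a poller has already read the standard IF-MIB counters (ifHCInOctets, ifHCOutOctets, ifInErrors, ifHCInUcastPkts) for each interface; the host names, interface names and counter values at the bottom are constructed. It pairs consecutive samples per interface, handles the counter wrap that 32-bit counters hit on busy links, and emits one single-line `key=value` event per interval that a forwarder can pick up with ordinary KV extraction.

```python
"""Interface counter samples -> key=value summary events for a forwarder.

Added example for this thread; not code from the original post, from Cacti,
or from the Mirage plugin. It assumes a poller has already read the standard
IF-MIB counters for each interface. The SAMPLES at the bottom are constructed.
"""
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32
COUNTER64_MOD = 2 ** 64


@dataclass(frozen=True)
class Sample:
    ts: int           # epoch seconds when the poller read the counters
    host: str         # constructed device name
    ifname: str       # constructed interface name (ifName / ifDescr)
    in_octets: int    # ifHCInOctets, or ifInOctets on 32-bit-only devices
    out_octets: int   # ifHCOutOctets / ifOutOctets
    in_errors: int    # ifInErrors (Counter32 in IF-MIB, no HC variant)
    in_pkts: int      # ifHCInUcastPkts / ifInUcastPkts, error-ratio denominator
    width: int = 64   # width of the octet/packet counters: 64 or 32


def counter_delta(prev: int, cur: int, width: int) -> int:
    """Increase between two reads of an SNMP counter, tolerating one wrap."""
    modulus = COUNTER64_MOD if width == 64 else COUNTER32_MOD
    return (cur - prev) % modulus


def summarize(prev: Sample, cur: Sample) -> dict:
    """Per-interval throughput and error figures from two consecutive samples."""
    if (prev.host, prev.ifname) != (cur.host, cur.ifname):
        raise ValueError("samples must come from the same interface")
    interval = cur.ts - prev.ts
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    d_in = counter_delta(prev.in_octets, cur.in_octets, cur.width)
    d_out = counter_delta(prev.out_octets, cur.out_octets, cur.width)
    d_err = counter_delta(prev.in_errors, cur.in_errors, 32)  # always Counter32
    d_pkts = counter_delta(prev.in_pkts, cur.in_pkts, cur.width)
    return {
        "host": cur.host,
        "ifname": cur.ifname,
        "interval_s": interval,
        "in_bps": d_in * 8 // interval,
        "out_bps": d_out * 8 // interval,
        "in_errors": d_err,
        "in_error_ratio": round(d_err / d_pkts, 6) if d_pkts else 0.0,
    }


def to_kv(ts: int, summary: dict) -> str:
    """Render one summary as a single-line key=value event; strings are quoted."""
    parts = [f"ts={ts}"]
    for key, value in summary.items():
        parts.append(f'{key}="{value}"' if isinstance(value, str) else f"{key}={value}")
    return " ".join(parts)


def build_events(samples: list) -> list:
    """Pair consecutive samples per interface and emit one KV line per interval."""
    latest = {}
    events = []
    for s in sorted(samples, key=lambda x: x.ts):
        key = (s.host, s.ifname)
        if key in latest:
            events.append(to_kv(s.ts, summarize(latest[key], s)))
        latest[key] = s
    return events


# Constructed samples: a 64-bit interface polled twice (its ifInErrors counter
# wraps), and a 32-bit-only interface whose octet counter wraps between polls.
SAMPLES = [
    Sample(1700000000, "core-sw1", "Gi1/0/1", 1000, 500, 4294967290, 100),
    Sample(1700000060, "core-sw1", "Gi1/0/1", 7501000, 750500, 5, 11100),
    Sample(1700000000, "edge-rtr1", "Fa0/1", 4294967000, 0, 0, 0, width=32),
    Sample(1700000060, "edge-rtr1", "Fa0/1", 296, 0, 0, 0, width=32),
]

if __name__ == "__main__":
    for line in build_events(SAMPLES):
        print(line)
```

The modulo delta only covers a single wrap per interval. A 32-bit octet counter on a saturated 1 Gbps link wraps roughly every 34 seconds (2^32 bytes at 125 MB/s), so any poll interval longer than that on 32-bit counters can wrap twice and produce a plausible but wrong rate with no error raised; that is why the 64-bit HC counters should be polled wherever the device supports them, and why the `width` field is carried per sample rather than assumed.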