Getting Data In

Splunk as a solution for network interface capacity and interface error monitoring?

Engager

Throughout my career, enterprise network interface capacity and interface error monitoring have been a huge monitoring gap in different organizations.

I use Splunk and Cacti together. Cacti is effective at monitoring interface throughput (and errors if configured) but can be challenging at times. I would love to use Splunk for interface throughput and error monitoring but obviously Splunk is designed for syslog.

Splunk has certainly filled the syslog gap. Many users are familiar with SPL. I'm wondering if there's a possibility of Splunk filling the snmp-read/snmp-trap gap where the same users can use their SPL skills to create monitoring solutions for SNMP data.

I know there are add-ons for snmp but it seems to me SNMP is a major monitoring protocol and Splunk is a major monitoring tool. Would it make sense if Splunk was compatible with SNMP out of the box with full support?


Splunk Employee

Hi rrussell2020,

As a long-time Splunker and someone who worked in the telco and network monitoring space, I faced the same scenario. While I agree that Splunk is a powerful tool that can do many things, sometimes it is best to let the upstream tools do what they are good at, and simply provide Splunk a summary so we can do what we are good at by marrying those metrics to the logs we already have.

Case in point: Cacti and snmptrapd.

Cacti is a rock-solid SNMP poller that is the granddaddy of SNMP polling (rrdtool) and can do a great job of taking care of the hard work of SNMP collection (Spine still rocks all these years later). We used Cacti as well, and so I ended up creating a Cacti plugin to feed the poller data to Cacti in nice clean key-value pairs.

http://docs.cacti.net/userplugin:mirage

Then I created a Splunk app as a proof of concept (https://www.splunk.com/blog/2016/01/29/splunk-and-cacti/) that shows how to then use the Cacti backend DB to enrich the KV pairs and glean the knowledge you are looking for. I am hoping to clean up and enhance the Splunk app soon; admittedly it's very basic and just gets you going, as our goal was to feed ITSI.

I have been having tons of fun with the new version of Cacti that forked in some of the great automation plugins with DBConnect and pulling useful info from Cacti's db too!

As for traps, I simply used snmptrapd on a *nix box to catch traps and load MIBs, then used a forwarder to bring that info in.

So really, at the end of the day, with a couple of forwarders running Cacti with our plugin and running snmptrapd, you have cooked up a pretty awesome collection layer that will get you the best of all the work you have already done in Cacti, nicely enhanced and augmented with Splunk to build advanced analytics, alerting, or even feed ITSI!

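As an added example that is not part of the thread or of the Mirage plugin, the script below shows the kind of processing Splunk would do on key-value poller lines once they arrive: it parses two consecutive samples for one interface, derives inbound throughput, utilisation and error percentage from the counter deltas, and handles a 64-bit counter wrap between polls. The field names (modelled on IF-MIB objects), the sample values and the alert thresholds are all constructed assumptions.

```python
COUNTER64_MAX = 2 ** 64  # ifHC* counters in IF-MIB are Counter64

# Constructed sample: two polls of one 1 Gbit/s port, 300 s apart. Field names
# mimic IF-MIB objects but are an assumption, not the Cacti plugin's format.
SAMPLES = [
    "ts=1000 host=sw1 ifname=Gi1/0/1 ifspeed=1000000000 "
    "ifHCInOctets=18446744073709550616 ifInErrors=10 ifInUcastPkts=5000",
    "ts=1300 host=sw1 ifname=Gi1/0/1 ifspeed=1000000000 "
    "ifHCInOctets=3749999000 ifInErrors=60 ifInUcastPkts=15000",
]


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' poller line into a dict."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
    return fields


def counter_delta(old: int, new: int, width: int = COUNTER64_MAX) -> int:
    """Increase between two counter readings, allowing for one wrap."""
    return new - old if new >= old else new + (width - old)


def interface_stats(prev: dict, cur: dict) -> dict:
    """Turn two consecutive samples into inbound rate, utilisation and error %."""
    secs = int(cur["ts"]) - int(prev["ts"])
    octets = counter_delta(int(prev["ifHCInOctets"]), int(cur["ifHCInOctets"]))
    errs = counter_delta(int(prev["ifInErrors"]), int(cur["ifInErrors"]))
    pkts = counter_delta(int(prev["ifInUcastPkts"]), int(cur["ifInUcastPkts"]))
    in_bps = octets * 8 / secs
    seen = errs + pkts  # inbound frames = delivered unicast + errored
    return {
        "host": cur["host"], "ifname": cur["ifname"], "in_bps": in_bps,
        "in_util_pct": 100.0 * in_bps / int(cur["ifspeed"]),
        "in_err_pct": 100.0 * errs / seen if seen else 0.0,
    }


def alerts(stats: dict, util_pct: float = 80.0, err_pct: float = 0.1) -> list:
    """Threshold checks of the kind a Splunk alert would run (thresholds assumed)."""
    out = []
    if stats["in_util_pct"] >= util_pct:
        out.append(f"{stats['host']} {stats['ifname']} utilisation {stats['in_util_pct']:.1f}%")
    if stats["in_err_pct"] >= err_pct:
        out.append(f"{stats['host']} {stats['ifname']} error rate {stats['in_err_pct']:.2f}%")
    return out


if __name__ == "__main__":
    s = interface_stats(parse_kv(SAMPLES[0]), parse_kv(SAMPLES[1]))
    print(s, alerts(s))
```

The first sample's ifHCInOctets sits 1000 below the Counter64 ceiling, so the second poll only makes sense once the wrap is accounted for; without that step the delta would be hugely negative and the utilisation figure meaningless.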