Hi,
I have the following information captured in splunk
rule=epm-rogue-mac-ep-epmacrogue subject=oper-state-change prevSeverity=warning created=2019-08-09T11:06:32.108+02:00 highestSeverity=warning lastTransition=2019-08-09T11:08:53.057+02:00 origSeverity=warning lc=raised domain=access childAction= ack=no occur=1 delegated=no type=operational descr=EP MAC 00:50:56:AB:68:DE is rogue on interface eth1/4 of Node 219, Pod 1 cause=ep-mac-is-rogue severity=warning code=F3014 changeSet=addr:00:50:56:AB:68:DE, createTs:2019-08-09T04:06:50.402+02:00, flags:local,mac,rogue, ifId:eth1/4, pcTag:32790 status= dn=topology/pod-1/node-219/sys/ctx-[vxlan-2097152]/bd-[vxlan-15400874]/vlan-[vlan-515]/db-ep/rogueMacEP-00:50:56:AB:68:DE/fault-F3014 apic_host=196.50.128.32 component=faultInst
Now, for all the alerts from the query below:
index="cisco-aci" "cause=ep-mac-is-rogue"
I need to create an SNMP trap in Spectrum. How can I achieve this?
Check out the app:
https://splunkbase.splunk.com/app/3291/#/details
OR create your own script as described:
https://docs.splunk.com/Documentation/Splunk/6.2.1/alert/SendingSNMPtrapstoothersystems
Thanks @solarboyz1
But it looks like the script is not doing anything for me, although the script is getting invoked.
Can you help me with the sample script which is already modified, as I am not sure how to test it?
Ensure you did the following:
If those are good, you can test the script by executing it; it's expecting 9 arguments:
$SPLUNK_HOME/bin/scripts/snmptrap.pl "9" "test" "test" "test" "test" "test" "test" "test" "tes"
The script should run, or output some sort of errors.
If the script runs correctly and you don't see the events in CA:
- tcpdump to verify you see trap being sent, if you don't see trap sent verify you have the snmptrap installed correctly
- Verify CA knows how to handle the configured OID and its not filtered.
- Verify the trap is not blocked between host -> CA
If the trap makes it to CA in test mode, but not when configured as an alert action:
- Verify the Splunk user has permissions to execute the script.
- Check the savedsearch logs to see if any suppressions are being applied.
- Check internal logs for any errors related to the script or the search.
- Check the search logs for any errors.
Thanks a lot @solarboyz1 for such elaborate troubleshooting steps.
But I am stuck when the snmptrap command itself runs.
Looks like the issue is with permissions, although it has execute permissions for all:
-rwxr-xr-x 1 root root 14680 Oct 10 2012 /usr/bin/snmptrap
But it's trying to do the below, which is failing as all of these are root-owned and I am running it with splunk user permissions.
Cannot rename /var/lib/net-snmp/snmpapp.conf to /var/lib/net-snmp/snmpapp.0.conf
Cannot unlink /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
read_config_store open failure on /var/lib/net-snmp/snmpapp.conf
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found
Do you suggest changing the permissions of the snmp files or directory, or running as root?
Agree, your issue now deals with a non-root user trying to send an snmptrap.
Check out the following:
https://superuser.com/questions/795889/snmp-with-not-root-user
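Added example (not the Splunk snmptrap.pl script and not from the linked app): a minimal alert-action wrapper for the splunk user that addresses both problems shown in the thread. It points net-snmp's persistent directory at a writable location instead of the root-owned /var/lib/net-snmp, and it passes the OID and message to snmptrap as separate arguments, since the `1.3.6.1.4.1.27389.1.1.1: command not found` line suggests the OID was being evaluated by the shell rather than sent as a varbind. The trap host, community string, argument positions (Splunk passes the event count as $1, the saved search name as $4 and the trigger reason as $5) and the SNMP_PERSISTENT_DIR location are assumptions.

```shell
#!/bin/sh
# Added wrapper for a Splunk alert action; not the project's snmptrap.pl.
# Assumed values: trap destination, community, and the enterprise OID quoted
# in the thread. Placed under $SPLUNK_HOME/bin/scripts and run as the splunk user.
TRAP_HOST="${TRAP_HOST:-spectrum.example.internal}"   # constructed placeholder
TRAP_COMMUNITY="${TRAP_COMMUNITY:-public}"
TRAP_OID="1.3.6.1.4.1.27389.1.1.1"
SNMPTRAP_BIN="${SNMPTRAP_BIN:-snmptrap}"

# net-snmp writes snmpapp.conf into its persistent dir (default /var/lib/net-snmp,
# root-owned here). SNMP_PERSISTENT_DIR moves that to a directory the splunk
# user can write, which removes the rename/unlink/read_config_store errors.
prepare_persistent_dir() {
    dir="${SNMP_PERSISTENT_DIR:-${SPLUNK_HOME:-/tmp}/var/run/net-snmp}"
    mkdir -p "$dir" && [ -w "$dir" ] || return 1
    export SNMP_PERSISTENT_DIR="$dir"
    printf '%s\n' "$dir"
}

# Build one single-line message from the Splunk alert arguments
# ($1 = event count, $4 = saved search name, $5 = trigger reason; assumed).
build_message() {
    printf 'Splunk alert %s: %s event(s); %s' "$4" "$1" "$5"
}

# Send the trap. Every value is its own argv element: nothing is interpolated
# into a shell string, so the OID cannot be mistaken for a command.
send_trap() {
    msg="$(build_message "$@")"
    "$SNMPTRAP_BIN" -v 2c -c "$TRAP_COMMUNITY" "$TRAP_HOST" '' "$TRAP_OID" \
        "$TRAP_OID" s "$msg"
}

main() {
    [ "$#" -ge 5 ] || { echo "usage: $0 <splunk alert args>" >&2; return 2; }
    prepare_persistent_dir >/dev/null || {
        echo "SNMP persistent dir is not writable" >&2; return 1; }
    send_trap "$@"
}

# Run only when Splunk (or a manual test) supplies arguments.
[ "$#" -ge 1 ] && main "$@"
```

For a manual test as the splunk user, call it the same way the thread shows for snmptrap.pl (nine dummy arguments) and watch the destination with tcpdump for UDP/162.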