Splunk Search
Highlighted

Send SNMP using NetSNMP from an Alert

Path Finder

Hi,

I have successfully configured Splunk to send SNMP alerts using NetSNMP via a cmd script file. All good there.

The scenario I have is that I manufacture a node-up / node-down alert based on contents of log files. The log files tell me if a certain component of the software being monitored is functional. This alert works correctly when sent as an email, I effectively return a node-up or node-down as appropriate.

The issue I am having is that the search I run is fairly lengthy and has numerous commas and so forth in it. When I pass it out to the script, because the full script is passed, I am having issues with what actually gets generated for NetSNMP. I am therefore trying to work out a good way of generating a "useful" SNMP trap to send. Instead what I get is bits of the query separated by commas.

I have done a bunch of reading, but haven't actually managed to work out if there is a way I can successfully do this. I considered passing the .gz file, but its location doesn't appear in the text that is output to the command line (it appears in the Splunk event logs, just not in the debug output from the cmd batch script). I am guessing it is because of a length limitation maybe?

Any thoughts? Should I be going to Perl?

Thank you for any hints.

0 Karma
Highlighted

Re: Send SNMP using NetSNMP from an Alert

Influencer

Where are you generating the SNMP string? in Splunk itself? or in NetSNMP? And by NetSNMP do you mean this thing?
http://www.net-snmp.org/

0 Karma
Highlighted

Re: Send SNMP using NetSNMP from an Alert

Path Finder

Hello,
Thankyou for the response. I basically just followed this article : http://wiki.splunk.com/Community:Sending_SNMP_Traps_On_Windows

I use a standard "alert" and get it to run a script. The script is a cmd file that runs Net-SNMP with a set of parameters, including some of the content send to it by the Splunk alert.

0 Karma
Highlighted

Re: Send SNMP using NetSNMP from an Alert

Path Finder

I finally got a chance to revisit this and discovered I had started one document too far .... I have switched from parameters to environment variables and it's all good !!

http://docs.splunk.com/Documentation/Splunk/6.1.4/Alert/Configuringscriptedalerts

View solution in original post

0 Karma