Hey!
This is fairly simple since you will be monitoring just one file containing all your SNMP traps logs.
Assuming your Splunk indexer is located in a dedicated server somewhere else, you will have to install a Universal Forwarder in the Windows instance where the snmp traps log file is located.
Download the Universal Forwarder, install it and as a best practice I would recommend you create an inputs.conf and outputs.conf file located inside an app, which is basically a directory where you will place both files for snmp traps, for example:
$SPLUNK_HOME\etc\apps\UF-SNMP_collection. This will be a scalable way of managing all your inputs centrally from a deployment-server.
Universal Forwarder
UF-SNMP_collection > default > inputs.conf
[monitor://C:\folder1\folder2\snmptraps.log]
host = yourhostname
# index defaults to main, but creating a test index is a best practice
index = yourtestindex
# sourcetype: snmptraps could be a good one
sourcetype = snmptraps
UF-SNMP_collection > default > outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = yourindexer:9997
Splunk Indexer or Search Head
Define an app name, for example "APP-SNMP" and then create two sub-folders default and metadata.
If your Splunk indexer is located in the same Windows instance as your snmp traps log file, just place the inputs.conf file together with the props.conf file within this app and discard the outputs.conf file step.
APP-SNMP > default > props.conf
These parameters are examples of best practices for line breaking and search optimization; you will have to tweak them according to your snmp trap logs timestamp format and location within the log. Read about this in Splunk Docs, you don't have to do it, but it's good to know it 🙂
[snmptraps]
# Accurate line breaking steps
TIME_FORMAT = %b %d %H:%M:%S %Z%z %Y
TIME_PREFIX = \w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
LINE_BREAKER = ([\n\r])\w+\s\w+\s\d+\s\d+\s\d+:\d+:\d+
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 50000
# field extraction (each EXTRACT regex needs a named capture group)
EXTRACT-field_foo = some regex
EXTRACT-field_bar = some regex
APP-SNMP > metadata > default.meta
[]
access = read : [ * ], write : [ admin ]
export = system
All the field extractions should be placed within this app context so you have better control of them.
Normally when you do the field extraction in the Splunk GUI, the props.conf will be placed in a local folder of the app context you are standing in.
Commonly search or launcher, so check either:
$SPLUNK_HOME\etc\apps\launcher\local\props.conf
$SPLUNK_HOME\etc\apps\search\local\props.conf
$SPLUNK_HOME\etc\user\youruser\search\local\props.conf
$SPLUNK_HOME\etc\user\youruser\launcher\local\props.conf
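Since the props.conf values have to be tuned to your own trap log, here is an added Python script (not part of this answer and not Splunk code) that roughly emulates how LINE_BREAKER, TIME_PREFIX with MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT, and EXTRACT-* regexes behave, so you can dry-run your settings against real lines before deploying the app. The sample log and the PROPS values are constructed to fit each other and are assumptions, not the settings shown above; swap in your own.

```python
import re
from datetime import datetime

# Constructed sample snmptraps.log (not from the post); line 3 is a varbind continuation.
SAMPLE_LOG = (
    "Jan 08 10:15:22 UTC+0000 2024 agent=10.0.0.5 trap=linkDown ifIndex=3\n"
    "Jan 08 10:15:23 UTC+0000 2024 agent=10.0.0.5 trap=linkUp ifIndex=3\n"
    "  varbind: ifDescr=eth0\n"
    "Jan 08 10:16:01 UTC+0000 2024 agent=10.0.0.7 trap=authenticationFailure\n"
)
# Assumed props.conf values that fit the sample; tune them to your own log.
PROPS = {
    "LINE_BREAKER": r"([\n\r]+)(?=\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}\s)",
    "TIME_PREFIX": r"^",
    "TIME_FORMAT": "%b %d %H:%M:%S %Z%z %Y",
    "MAX_TIMESTAMP_LOOKAHEAD": 30,
    "EXTRACT-agent": r"agent=(?<agent>\d+\.\d+\.\d+\.\d+)",
    "EXTRACT-trap": r"trap=(?<trap>\w+)",
}

def break_events(raw, line_breaker):
    # Emulate LINE_BREAKER: capture group 1 is the break and is discarded.
    events, start = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[start:m.start(1)])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]

def extract_timestamp(event, props):
    # Emulate TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT.
    prefix = re.search(props["TIME_PREFIX"], event)
    if not prefix:
        return None
    window = event[prefix.end():prefix.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    for end in range(len(window), 0, -1):  # longest candidate first
        try:
            return datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            pass
    return None

def extract_fields(event, props):
    # Apply EXTRACT-* regexes; Splunk's (?<name>) becomes Python's (?P<name>).
    fields = {}
    for key, rx in props.items():
        if key.startswith("EXTRACT-"):
            m = re.search(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", rx), event)
            fields.update(m.groupdict() if m else {})
    return fields
```

Run break_events over the whole file first: an event count that does not match the number of traps, or a None from extract_timestamp, means Splunk would fall back to its own guesses and likely mis-index the data.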