×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
davidpridgen
Engager
Member since: ‎09-18-2014
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎09-18-2014
View All

SNMP Modular Input: Why are SNMP traps not being t...

by in All Apps and Add-ons
‎10-15-2014 12:01 PM
1 Karma
‎10-15-2014 12:01 PM
1 Karma
I have been trying to translate incoming traps using snmp_ta with a vendor mib and it doesn't appear that the translation is working properly, I am getting the proper names from the mib, but the values aren't being collapsed into proper field=value strings. I am getting the following... in splunk. notification_from_address = "10.134.32.241" notification_from_port = "60716" SNMPv2-MIB::sysUpTime.0 = _BindValue: value=ObjectSyntax: application-wide=ApplicationSyntax: timeticks-value=0 SNMPv2-MIB::snmpTrapOID.0 = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: objectID-value=1.3.6.1.4.1.2.6.245.1.26543.6.2.44 IBMTROYDATABASESYSTEM-MIB::itdbTrapType. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Top of Rack Switch')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapSeverity. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Warning')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapDateTime. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Wed, 15 Oct 2014 18:09:12 UTC')))) IBMTROYDATABASESYSTEM-MIB::itdbComponent. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('switches Rack: 8739/1000186 Chassis: 0 Bay: 0')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapText. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('STG 71, topology change detected')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapCategory. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('CustomerServiceable')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapTypeDetail. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Top of Rack Switch')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapObjectDetail. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('SN#Y250JH28X055 : fd8c:215d:178e:c0de:7699:75ff:fe1f:ee00')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapComponentType. = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: string-value=1 SNMPv2-MIB::sysName. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('DB2 PDTX (DevInt, DevTest, DTQA and UAT)')))) SNMPv2-MIB::sysLocation. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Mindshift Datacenter Commack, NY')))) SNMPv2-MIB::sysContact. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('xxxx xxxxxl')))) Through the use of some very creative regex in transforms.conf I can extract most of the field values, but it is becoming very difficult to manage as I add more traps. ,I have been trying to get the snmp_ta module to work with some vendor mibs and while I have been able to get the mibs compiled into .py format, it doesn't appear that it is working properly as I am ending up with the following in splunk: notification_from_address = "10.134.32.241" notification_from_port = "60716" SNMPv2-MIB::sysUpTime.0 = _BindValue: value=ObjectSyntax: application-wide=ApplicationSyntax: timeticks-value=0 SNMPv2-MIB::snmpTrapOID.0 = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: objectID-value=1.3.6.1.4.1.2.6.245.1.26543.6.2.44 IBMTROYDATABASESYSTEM-MIB::itdbTrapType. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Top of Rack Switch')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapSeverity. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Warning')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapDateTime. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Wed, 15 Oct 2014 18:09:12 UTC')))) IBMTROYDATABASESYSTEM-MIB::itdbComponent. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('switches Rack: 8739/1000186 Chassis: 0 Bay: 0')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapText. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('STG 71, topology change detected')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapCategory. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('CustomerServiceable')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapTypeDetail. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Top of Rack Switch')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapObjectDetail. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('SN#Y250JH28X055 : fd8c:215d:178e:c0de:7699:75ff:fe1f:ee00')))) IBMTROYDATABASESYSTEM-MIB::itdbTrapComponentType. = _BindValue: value=ObjectSyntax: simple=SimpleSyntax: string-value=1 SNMPv2-MIB::sysName. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('DB2 PDTX (DevInt, DevTest, DTQA and UAT)')))) SNMPv2-MIB::sysLocation. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Mindshift Datacenter Commack, NY')))) SNMPv2-MIB::sysContact. = _BindValue().setComponentByPosition(0, ObjectSyntax().setComponentByPosition(0, SimpleSyntax().setComponentByPosition(1, OctetString('Brian Furnell')))) I have been able to extract field values with some very creative regex in the transforms.conf, however I would prefer to have the data come in in proper fieldname=value format ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All