I'm using Splunk 7.0.0 with an cluster setup for our indexer and a dedicated syslog server where also snmp traps are collected.
This Server has a universal forwarder installed.
For the first SNMP input configuration it works like a charm but now I try to get another one working but it doesn't work.
If I restart the splunk forwarder to activate the configuration changes there are no error messages/warnings regarding the SNMP Module in there. But as soon as the first trap from the second application arrives on the server, it will generate error messages.
It looks like the splunk forwarder can not make a difference between the different community strings. He always tries to use the APPLICATION1. No matter if the string is equal or not with the configuration.
Does someone has implemented more than one SNMP input with the SNMP Modular Input AddOn and differnt community strings and differnt indexes? It should be possible to configure more than one SNMP Input, isn't it?
I read the Developer Blog again, and found out that for the Trap listener part, you can only set the listener port and the listener host.
So it Looks like all other stuff in the configuration (inputs.conf) is only for the active polling section.
Then you have to configure everything else with the props.conf and transforms.conf.
But the configuration of the MIB names will be used because it will translate the OID to readable names.
You have to check if the SNMP Service from your Operating System will accept traps with different community strings.
You have to configure all the needed MIB files into the inputs.conf file. Maybe you have to confert special MIB files first into *.py files.
You have to setup a propper configuration in your props.conf and transforms.conf files.
If that is done, the SNMP traps of the different sources will be indexed as you want.