Sending SNMP Traps from Splunk

We started with the idea to generate alerts from Splunk that would forward to IBM Tivoli Netcool. This can be used with any SNMP aggregator, and can be customized to send any data that is needed. This article can be used in conjunction with Splunk Rules for Netcool to integrate Splunk with Netcool. This assumes you are running Splunk on *nix.

Requirements:
    Perl (www.perl.org)
    Net-SNMP package (http://net-snmp.sourceforge.net), or some other means of sending SNMP traps.

Here is our trap.pl file:

#!/usr/bin/perl -w
use strict;

my $Dest      = "XXX.XXX.XXX.XXX:162";   # SNMP destination host and port
my $TrapCmd   = "/usr/bin/snmptrap";     # Path to snmptrap executable, from http://www.net-snmp.org
my $Community = "<Community String>";    # SNMPv2c community string expected by the trap receiver
my $TrapOID   = "1.3.6.1.4.1.27389.1.2"; # Object ID for traps/notifications, Splunk Enterprise OID is 27389
my $OID       = "1.3.6.1.4.1.27389.1.1"; # Object ID for objects, Splunk Enterprise OID is 27389

# Parameters are passed from Splunk as positional command-line arguments during the .pl call.
# $1-$9 is the positional parameter list. $ARGV[0] starts at $1 in Perl.
# Default any missing argument to an empty string so snmptrap still gets a value for every varbind.
for my $i (0..7) { $ARGV[$i] = '' unless defined $ARGV[$i]; }

my $searchCount  = $ARGV[0]; # $1 - Number of events returned
my $searchTerms  = $ARGV[1]; # $2 - Search terms
my $searchQuery  = $ARGV[2]; # $3 - Fully qualified query string
my $searchName   = $ARGV[3]; # $4 - Name of saved search
my $searchReason = $ARGV[4]; # $5 - Reason saved search triggered
my $searchURL    = $ARGV[5]; # $6 - URL/Permalink of saved search
my $searchPath   = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced); $7 is not used
# You can put logic in to decide severity on this end. For this example we will hard code it on the Netcool end.

# Build the command as an argument list rather than a single shell string, so search
# terms, query strings and saved-search names that contain quotes or shell metacharacters
# cannot alter the command. The empty string after $Dest lets snmptrap fill in sysUpTime.
my @cmd = ($TrapCmd, '-v', '2c', '-c', $Community, $Dest, '', $TrapOID,
           "$OID.1", 'i', $searchCount,
           "$OID.2", 's', $searchTerms,
           "$OID.3", 's', $searchQuery,
           "$OID.4", 's', $searchName,
           "$OID.5", 's', $searchReason,
           "$OID.6", 's', $searchURL,
           "$OID.8", 's', $searchPath);

# Run the command and report a non-zero exit status
system(@cmd) == 0 or die "snmptrap failed with status $?\n";

Modify the variables to match your environment and drop it in $SPLUNK_HOME/bin/scripts. In the Splunk GUI, configure an alert and tell it to run a script. In our case, we called the script trap.pl, so simply enter trap.pl in the script box.

GuardianMS