Splunk Rules for Netcool

This is the second part of the Splunk integration piece.  Information on configuring Splunk to send SNMP traps is in the first part, Sending SNMP Traps from Splunk.

To receive the Splunk traps in Netcool we need to set up the probe rules.  The following code can be put directly into the mttrapd rules file, or, as better practice, into a separate file named something like splunk.rules that is then included from mttrapd.rules.

# Splunk enterprise OID that we set in the Splunk SNMP alerts.
# This case belongs inside the rules file's existing switch($enterprise) block
# (or in a splunk.rules file that is included from inside that block).
case ".1.3.6.1.4.1.27389.1":

    @Manager = "Splunk"
    @Agent = "Splunk"
    @Class = "300"
    @AlertGroup = "Splunk"
    # For this example we hard code the Severity at 2.  This can be changed as needed, or logic
    # can be put in place to decide the severity as Splunk sends or here as Netcool receives.
    @Severity = 2
    # Hard coded as an alert (Type 1).  Again, this can be decided by logic on either end.
    @Type = 1
    # Live Splunk alert name.
    @AlertKey = $4
    # This needs to be changed based on the information sent.  If the alerts pertain to a
    # specific IP, use that.  In our case we just use "Splunk" to show it is a Splunk issue.
    @Node = "Splunk"
    @NodeAlias = $PeerIPaddress
    # Throws all the varbind values into the summary.  This can be trimmed / cleaned up.
    @Summary = "Oid1=" + $1 + " | Oid2=" + $2 + " | Oid3=" + $3 + " | Oid4=" + $4 + " | Oid5=" + $5 + " | Oid6=" + $6 + " | Oid7=" + $7 + " | Oid8=" + $8 + " | Oid9=" + $9 + " | Oid10=" + $10 + " | Oid11=" + $11 + " | Oid12=" + $12
    # Sets the URL field so users can right click an alert and click URL to launch back into
    # Splunk and view the full report / search.  update() takes only the field name and marks
    # it to be refreshed on deduplication, so the link always points at the latest firing.
    @URL = $6
    update(@URL)
    # Identifies the alert for deduplication purposes.  Change this to fit your identifier
    # structure.  Including @Summary makes this a very large key; it might be better to key
    # on another field.
    @Identifier = " " + @Node + " " + @Agent + " " + @AlertKey + " " + @Summary
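As an added example (not from the original post, nor IBM's or Splunk's own rules), here is the same case with the two pieces of logic the comments above leave open: deciding the severity on the Netcool side, and checking the launch URL before storing it.  It assumes the Splunk alert carries its severity text in varbind $5 and that the Splunk console is at https://splunk.example.com; both are placeholders to adjust to your alert.

```netcool
# Added example, not part of the original post.  Assumes the Splunk alert's
# severity text arrives in varbind $5 and that the Splunk web console lives
# at https://splunk.example.com (both placeholders; adjust to your alert).
case ".1.3.6.1.4.1.27389.1":

    @Manager = "Splunk"
    @Agent = "Splunk"
    @Class = "300"
    @AlertGroup = "Splunk"
    @Type = 1
    @AlertKey = $4
    @Node = "Splunk"
    @NodeAlias = $PeerIPaddress

    # Decide the severity here as Netcool receives, from the assumed $5 text.
    # Anything unexpected falls through to Indeterminate and is logged.
    switch(lower($5))
    {
        case "critical":
            @Severity = 5
        case "high":
            @Severity = 4
        case "medium":
            @Severity = 3
        case "low":
            @Severity = 2
        default:
            @Severity = 1
            log(WARNING, "Splunk trap with unknown severity '" + $5 + "' from " + $PeerIPaddress)
    }

    # Only store the launch link if it points at our own Splunk console.
    # SNMPv1/v2c traps are unauthenticated UDP, so a URL that does not match
    # the expected base is dropped and noted rather than handed to operators.
    if (nmatch($6, "https://splunk.example.com/"))
    {
        @URL = $6
        update(@URL)
    }
    else
    {
        @URL = ""
        log(WARNING, "Splunk trap from " + $PeerIPaddress + " carried unexpected URL: " + $6)
    }

    # Keep the summary readable and the deduplication key small.
    @Summary = $4 + " (" + $5 + ")"
    @Identifier = @Node + " " + @Agent + " " + @AlertKey + " " + @AlertGroup
```

Each case in a Netcool rules switch is its own block (there is no fall-through), and the whole case still sits inside the probe's switch($enterprise) just like the original.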
GuardianMS