Alerting

Splunk alert by SNMP traps

oferprtz
Path Finder

Hi

I'm using Splunk 6.02.
I'm sending a trap to our monitoring system (NNM).
The first value argument needs to be the number of events returned,
but actually we are getting the number of statistics rows.
So if we have 4 statistics rows, we will get the number 4,
and we want to see the number of events we have, not the number of rows.
We expect to get the real number of events returned, and it isn't 1.
The values available in the environment are as follows:

• SPLUNK_ARG_0 Script name
• SPLUNK_ARG_1 Number of events returned
• SPLUNK_ARG_2 Search terms
• SPLUNK_ARG_3 Fully qualified query string
• SPLUNK_ARG_4 Name of saved search
• SPLUNK_ARG_5 Trigger reason (for example, "The number of events was greater than 1")
• SPLUNK_ARG_6 Browser URL to view the saved search
• SPLUNK_ARG_8 File in which the results for this search are stored (contains raw results)

The script that runs when the alert is triggered:

#!/bin/bash
# Script: splunkAlertByTrap.sh

DEST=testnnm
COMM=public
BINDIR=/usr/bin
TRAPOID="1.3.6.1.4.1.27389.1.2"
OID="1.3.6.1.4.1.27389.1.1"

# Parameters passed in from the alert.
searchCount=$1 # $1 - Number of events returned
searchTerms=$2 # $2 - Search terms
searchQuery=$3 # $3 - Fully qualified query string
searchName=$4 # $4 - Name of saved search
searchReason=$5 # $5 - Reason saved search triggered
searchURL=$6 # $6 - URL/Permalink of saved search
searchTags=$7 # $7 - Always empty as of 4.1
searchPath=$8 # $8 - Path to raw saved results in Splunk instance (advanced)

$BINDIR/snmptrap -v 1 -c $COMM $DEST "$TRAPOID" $(hostname) 6 1 '' \
"$OID".1 i "$searchCount" \
"$OID".2 s "$searchTerms" \
"$OID".3 s "$searchQuery" \
"$OID".4 s "$searchName" \
"$OID".5 s "$searchReason" \
"$OID".6 s "$searchURL" \
"$OID".7 s "$searchTags" \
"$OID".8 s "$searchPath"

We are getting:

-------./trap.csv:Tue Mar 04 09:22:06 GMT 2014,alertTrap,one-spl-idx02,,,"alertTrap",Registered,Normal,None,,,Status,Node,Symptom,SNMP Trap,,,Tue Mar 04 09:22:06 GMT 2014,Tue Mar 04 09:22:05 GMT 2014,.1.3.6.1.4.1.27389.1.1.1[INTEGER]=1|.1.3.6.1.4.1.27389.1.1.2[OCTET STRING]=getuserdevices :stats count|.1.3.6.1.4.1.27389.1.1.3[OCTET STRING]=getuserdevices :stats count|.1.3.6.1.4.1.27389.1.1.4[OCTET STRING]=getUserDevices-Count|.1.3.6.1.4.1.27389.1.1.5[OCTET STRING]=Saved Search [getUserDevices-Count] number of events(1)|.1.3.6.1.4.1.27389.1.1.6[OCTET STRING]=http://splunk_server:8000/app/search/search?q=%7Cloadjob%20scheduler_ilya_search_RMD530ddc92bfe2f629... STRING]=|.1.3.6.1.4.1.27389.1.1.8[OCTET STRING]=/opt/splunk/var/run/splunk/dispatch/scheduler_ilya_search_RMD530ddc92bfe2f629d_at_1393924920_225/per_result_alert/tmp_0.csv.gz,.1.3.6.1.4.1.27389.1.2.0.1

Thanks,

Ofer


aaronkorn
Splunk Employee

Check out my answer here. It should give you a better idea on how to customize alerts. Alternatively you can modify your search string to return a count and have it execute the alert script.
Your search could be something like this:

index=foo Message=ERROR | eval 1=_time | eval 2=host | eval 3="Assignment Group Name" | eval 4=Message | table 1,2,3,4

http://answers.splunk.com/answers/68372/generate-snmp-trap-from-splunk
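An alternative to rewriting the search, added here as an example and not part of the original post or the accepted answer: keep the "| stats count" search and have the alert script read the real event count out of the results file Splunk passes in $8, using it for OID.1 instead of $1 (which is the number of result rows, so 1 for a stats search). It assumes the results file is a plain or gzipped CSV with unquoted numeric values, that a "stats count" search produces a column literally named "count", and that any other search yields one row per event; those are assumptions, not something the post shows.

```shell
#!/bin/bash
# Added example, not the original poster's script: send the same trap as
# splunkAlertByTrap.sh but put the real number of matching events in
# OID.1 instead of $1, which Splunk sets to the number of result rows
# (always 1 for a "| stats count" search). The count is read from the
# results file passed in $8. Assumptions: the file is a (gzipped) CSV,
# numeric values are unquoted, and a "stats count" search yields a column
# literally named "count"; other searches yield one row per event.
DEST=testnnm
COMM=public
TRAPOID="1.3.6.1.4.1.27389.1.2"
OID="1.3.6.1.4.1.27389.1.1"

# Print the event count held in a Splunk results CSV (plain or .gz).
# A "count" column is summed; otherwise every data row is one event.
real_event_count() {
    local results="$1" reader="cat"
    case "$results" in *.gz) reader="gzip -dc" ;; esac
    $reader "$results" | awk -F',' '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "count") col = i; next }
        NF == 0 { next }
        { if (col) total += $col; else total += 1 }
        END { print total + 0 }'
}

# Choose the value for OID.1: the results-file count when the file is
# readable, otherwise fall back to the row count Splunk passed in $1.
trap_event_count() {
    local argcount="$1" results="$2"
    if [ -n "$results" ] && [ -r "$results" ]; then
        real_event_count "$results"
    else
        printf '%s\n' "$argcount"
    fi
}

# When Splunk invokes this as an alert script, $1..$8 are populated as in
# the original script; with fewer arguments only the functions are defined.
if [ $# -ge 8 ]; then
    count=$(trap_event_count "$1" "$8")
    /usr/bin/snmptrap -v 1 -c "$COMM" "$DEST" "$TRAPOID" "$(hostname)" 6 1 '' \
        "$OID".1 i "$count" \
        "$OID".2 s "$2" \
        "$OID".3 s "$3" \
        "$OID".4 s "$4" \
        "$OID".5 s "$5" \
        "$OID".6 s "$6" \
        "$OID".8 s "$8"
fi
```

Because the fallback keeps $1 when the results file is missing, the trap is still sent in the original form rather than failing; the NNM side can tell the two cases apart only if you also forward the file path in OID.8, as the original script does.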


oferprtz
Path Finder

Thanks! Works great!
