Splunk Alerts / SNMP

DTERM
Contributor

I've set up a search, and configured Splunk to run a Perl script generating an SNMP message to another system when the script is run. The code for the Perl script follows:

#!/usr/bin/perl
#
$hostPortSNMP = "10.176.156.206:162"; 
# Host:Port of snmpd or other SNMP trap handler
$snmpTrapCmd = "/usr/bin/snmptrap"; 
# Path to snmptrap, from http://www.net-snmp.org
$TRAPOID = "1.3.6.1.4.1.27389.1.2"; 
# Object IDentifier for traps/notifications 
$OID = "1.3.6.1.4.1.27389.1.1";
# Object IDentifier for objects, Splunk Enterprise OID is 27389

$searchCount = $ARGV[0]; # $1 - Number of events returned
$searchTerms = $ARGV[1]; # $2 - Search terms
$searchQuery = $ARGV[2]; # $3 - Fully qualified query string

$searchName = $ARGV[3]; # $4 - Name of saved search
$searchReason = $ARGV[4]; # $5 - Reason saved search triggered
$searchURL = $ARGV[5]; # $6 - URL/Permalink of saved search

$searchTags = $ARGV[6]; # $7 - Always empty as of 4.1
$searchPath = $ARGV[7]; # $8 - Path to raw saved results in Splunk instance (advanced)
$cmd = qq/$snmpTrapCmd -v 2c -c public $hostPortSNMP '' $TRAPOID 

$OID.1 i $searchCount $OID.2 s "$searchTerms" $OID.3 s "$searchQuery" $OID.4 s 
"$searchName" $OID.5 s "$searchReason" $OID.6 s "$searchURL" $OID.7 s 
"$searchTags" $OID.8 s "$searchPath"/;
 system($cmd);

When I run the script at the command line I get the following error:

[root@splunk scripts]# ./sendsnmptrap-a.pl
sh: line 1: 1.3.6.1.4.1.27389.1.1.1: command not found
sh: line 2: : command not found
sh: line 3: : command not found

I doubt this is the accurate result. What is wrong with the script? Does it require parameters that I'm missing?

Thanks in advance!

1 Solution

DTERM
Contributor

The three lines at the bottom needed to be combined. The semicolon gave it away. Perl ends every line with a ; character. Now the Perl part is fixed, however I don't believe it is generating the expected SNMP output.

[root@splunk scripts]# ./sendsnmptrap.pl

10.176.156.206:1621.3.6.1.4.1.27389.1.1.1: Bad value name (1.3.6.1.4.1.27389.1.1.2)

jrprez1804
Path Finder

Hi,

Will this script let us see which version of SNMP is running?

0 Karma

g2ugzm
New Member

You may want to ensure that there are no embedded double quotes in the passed arguments from the Splunk alert. The searchQuery, for instance, may include an exact phrase to search which needs to be quoted.
A little loop before the variables are set works for double quotes:
foreach $entry ( @ARGV ) {
$entry =~ s/\"/\\"/g;
}

I started sending traps after this update.

0 Karma
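
An added example, not part of any post in this thread: the same trap sent with list-form `system()`, so each Splunk alert argument reaches snmptrap as its own argv element and no shell interprets quotes, backticks or `$(...)` inside the search string. The helper name `build_trap_args` and the fallback of 0 for a missing count are assumptions of this example; the host, path and OIDs are taken from the original script.

```perl
#!/usr/bin/perl
# Added example, not the original poster's script: same trap, but snmptrap is
# run with list-form system(), so no shell ever parses the alert arguments.
use strict;
use warnings;

my $hostPortSNMP = "10.176.156.206:162";     # trap receiver, from the post
my $snmpTrapCmd  = "/usr/bin/snmptrap";      # net-snmp snmptrap, from the post
my $TRAPOID      = "1.3.6.1.4.1.27389.1.2";  # trap OID, from the post
my $OID          = "1.3.6.1.4.1.27389.1.1";  # object OID prefix, from the post

# Build the argument vector for snmptrap from the eight alert arguments.
# Returned as a list so it can be inspected before anything is executed.
# (build_trap_args is a name chosen for this example.)
sub build_trap_args {
    my @alert = @_;
    # Missing arguments become empty strings instead of undef.
    my @val = map { defined $alert[$_] ? $alert[$_] : '' } 0 .. 7;

    # Varbind .1 is typed as an integer. In a shell command string an empty
    # count vanishes during word splitting and the next OID is read as the
    # integer's value, so force a numeric value here (assumption: 0).
    my $count = $val[0] =~ /\A\d+\z/ ? $val[0] : 0;

    my @args = ('-v', '2c', '-c', 'public', $hostPortSNMP, '', $TRAPOID,
                "$OID.1", 'i', $count);
    # Varbinds .2 to .8 are strings; each value is exactly one argv element,
    # whatever quotes, backticks or dollar signs it contains.
    for my $i (1 .. 7) {
        push @args, "$OID." . ($i + 1), 's', $val[$i];
    }
    return @args;
}

my @args = build_trap_args(@ARGV);

# With more than one argument, system() calls execvp() directly and
# /bin/sh is never involved.
my $rc = system($snmpTrapCmd, @args);
if ($rc == -1) {
    die "could not run $snmpTrapCmd: $!\n";
} elsif ($rc != 0) {
    die "$snmpTrapCmd failed (wait status $rc)\n";
}
```
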

jan_wohlers
Path Finder

Hi,

Did you find the problem? I have the same problem on my machine 😞

Can't fix the Bad value Name error.

Br Jan

0 Karma

Drainy
Champion

While you might get some perly type people pop on and be able to offer some help, this is a very specific Perl-related problem.

You will likely get a very quick answer if you post this on http://stackoverflow.com/ as they are a site designed for questions just like this.

0 Karma