Hi there, I couldn't find simple info about "where" to deploy the SNMP Modular Input App for monitoring SNMP network hosts with Splunk: do I need to install the App both on the Search Head and on the Indexer? Actually I have some Indexers and a Search Head querying them. Which components go on the Indexer and the Search Head? ("SNMP Modular Input", "pyCrypto")
Thanks in advance
In a distributed architecture I recommend installing the app (all components untarred to etc/apps) on a Forwarder.
It looks like 1.1 = iso
I think you may want to look at this:
If we look at the OBJECT ciscoCircuitInterfaceGroup
.1.3.6.1.4.1.9.9.160.3.2.1
ciscoCircuitInterfaceGroup OBJECT-TYPE
-- FROM CISCO-CIRCUIT-INTERFACE-MIB
DESCRIPTION "The Cisco Circuit Interface MIB objects."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) ciscoMgmt(9) ciscoCircuitInterfaceMIB(160) ciscoCircuitInterfaceMIBConformance(3) ciscoCircuitInterfaceMIBGroups(2) 1 }
You can see how the "1.3.6.1.4.1.9.9.160.3.2.1" is the numeric value.
So, walking the tree back some more....
.1.3.6.1.4.1.9.9.160
ciscoCircuitInterfaceMIB OBJECT-TYPE
-- FROM CISCO-CIRCUIT-INTERFACE-MIB
DESCRIPTION "The MIB module to configure the circuit description
for an interface.
The circuit description can be used to describe and
identify circuits on interfaces like ATM,
frame-relay etc."
::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) ciscoMgmt(9) 160 }
It starts to make more sense as you work in it, but it takes some time.
This is a handy tool:
https://www.marcuscom.com/snmptrans/
Now, reading the data back in.....
I think you will have to build some regex and lookups, unless someone has a better method.
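One way to build such a lookup, as an added example that is not part of the original post: it parses the two `::= { ... }` definitions quoted above into numeric OIDs and names every node on the path, then resolves a polled OID by its longest known prefix. The function names and the `oid,name` CSV columns are assumptions chosen for illustration.

```python
import csv
import io
import re

# Constructed sample: object names and "::=" lines copied from the post above.
SAMPLE = {
    "ciscoCircuitInterfaceGroup": "::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) ciscoMgmt(9) ciscoCircuitInterfaceMIB(160) ciscoCircuitInterfaceMIBConformance(3) ciscoCircuitInterfaceMIBGroups(2) 1 }",
    "ciscoCircuitInterfaceMIB": "::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) cisco(9) ciscoMgmt(9) 160 }",
}
ARC = re.compile(r"(?:([A-Za-z][\w-]*)\((\d+)\)|(\d+))")  # name(number) or bare number

def parse_path(object_name, definition):
    """Return {numeric_oid: name} for every named node on the path."""
    body = re.search(r"::=\s*\{(.*)\}", definition)
    if body is None:
        raise ValueError("no '::= { ... }' clause found")
    nodes, arcs = {}, []
    tokens = body.group(1).split()
    for i, tok in enumerate(tokens):
        m = ARC.fullmatch(tok)
        if m is None:
            raise ValueError("unexpected token: " + tok)
        name, num, bare = m.groups()
        arcs.append(num or bare)
        # A bare final arc is the object being defined; name it after the object.
        if bare and i == len(tokens) - 1:
            name = object_name
        if name:
            nodes[".".join(arcs)] = name
    return nodes

def build_table(defs):
    table = {}
    for obj, definition in defs.items():
        table.update(parse_path(obj, definition))
    return table

def resolve(oid, table):
    """Replace the longest known numeric prefix with its name; keep the rest."""
    arcs = oid.strip(".").split(".")
    for n in range(len(arcs), 0, -1):
        name = table.get(".".join(arcs[:n]))
        if name:
            return ".".join([name] + arcs[n:])
    return oid  # nothing known: leave the numeric OID untouched

def lookup_csv(table):
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([("oid", "name")] + sorted(table.items()))
    return out.getvalue()
```

The text returned by `lookup_csv(build_table(SAMPLE))` can be saved as a CSV lookup file, and `resolve()` shows the prefix-matching logic a search-time lookup would need for instance suffixes such as `.0`.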
Thanks Damien, I realized the same, because this App has no GUI! I will install it on an Indexer for a simple test to get SNMP OID data in. Then I will use an Intermediate Forwarder on site. In this case I suppose the App is needed only on the Intermediate Forwarder. Is that true?
Yes, that is correct.
Hello,
We have installed the app on a heavy forwarder and configured the input Object Name field with 1.1.
Now, we are receiving data in from the poll, but we can't tell what it all really means... Should it convert to a more readable format?