Alerting

Is there already a SNMP MIB for Splunk that sends Splunk alerts to an external console?

gcusello
SplunkTrust

Hi all,
I found the script to send Splunk alerts to an external console (e.g. IBM Netcool) using SNMP, but does anyone know if there already is an SNMP Splunk MIB to do this?
Usually MIB is defined by the hardware or software supplier!
Thank you.
Bye.
Giuseppe

0 Karma
1 Solution

TStrauch
Communicator

Hi Giuseppe,

I found this in the Splunk Wiki. Hope this helps.

http://wiki.splunk.com/Community:Splunk_Alert_MIB

kind regards


soumyasaha25
Contributor

The way I did it in one of my integrations was to send SNMP traps to an external console (e.g. Netcool) via a Python script.
So whenever an alert was triggered in Splunk, the alert action would execute the Python script to send the SNMP traps. Can you also share how you achieved the integration?

0 Karma

gcusello
SplunkTrust

Hi soumyasaha25,
We realized a connector that modifies Splunk behaviour, because the Splunk alert gives 8 parameters:

  • "Number of events returned by the saved search"
  • "Search terms"
  • "Fully qualified search query string"
  • "Name of the saved search"
  • "Reason for saved search to trigger alert"
  • "URL to saved search"
  • "Tags belonging to the saved search, optional"
  • "Path on the Splunk Server to a file containing search results"

but I really need messages contained in the 8th parameter.

So we created a script that runs when the alert is triggered and performs the following actions:

  • it takes the 8th parameter from the alert,
  • it untars the file containing the alert message from the above path,
  • it copies the message into the alert's 8th parameter of the Splunk MIB,
  • it sends the message using the Splunk MIB.

In this way the receiver can receive the alert message in the Splunk MIB.

Bye.
Giuseppe

0 Karma

rashi83
Path Finder

@gcusello: thanks for explaining the integration method. One question: where did you put the MIB, on the Splunk machine or on the external device where Splunk alerts will be trapped?

0 Karma

gcusello
SplunkTrust

Hi @rashi83,

the scripts must be on the Search Heads, where you run the alerts, because it's an action of the alert:

  • the external device sends its logs to Splunk,
  • Splunk monitors the logs by running the alert with the defined frequency,
  • Splunk fires the alert when it finds the conditions and runs the script that prepares the message and sends it to NetCool or the other destination.

Ciao.

Giuseppe

0 Karma
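The flow described in Giuseppe's two posts above (a scripted alert action on the Search Head that reads the results file passed as the 8th argument, pulls the message out of it and sends it as an SNMP trap) can be sketched as follows. This is an added example, not the poster's connector and not Splunk's code. It assumes Splunk's documented 8 positional arguments for scripted alert actions (the 8th being the path to the gzipped results CSV), that net-snmp's `snmptrap` is installed on the Search Head, and that the `_raw` field holds the message; the OIDs are placeholders and must be replaced with the real ones from the Splunk Alert MIB linked in the accepted answer.

```python
#!/usr/bin/env python3
"""Example Splunk scripted alert action: forward alert result rows as an SNMP trap.

Added example, not the poster's connector. All OIDs below are placeholders.
"""
import csv
import gzip
import os
import subprocess
import sys
import tempfile

# Names for the 8 positional arguments Splunk passes to a scripted alert action ($1..$8).
ALERT_ARG_NAMES = [
    "event_count", "search_terms", "query", "alert_name",
    "trigger_reason", "alert_url", "tags", "results_path",
]

# ASSUMPTION: placeholders, not valid OIDs. Take the real object identifiers
# from the Splunk Alert MIB file itself.
TRAP_OID = "<SPLUNK-ALERT-MIB-notification-OID>"
NAME_OID = "<SPLUNK-ALERT-MIB-alert-name-OID>"
MESSAGE_OID = "<SPLUNK-ALERT-MIB-message-OID>"


def parse_alert_args(argv):
    """Map Splunk's 8 positional arguments to names (argv[0] is the script itself)."""
    if len(argv) < 9:
        raise ValueError("expected 8 alert arguments, got %d" % (len(argv) - 1))
    return dict(zip(ALERT_ARG_NAMES, argv[1:9]))


def read_alert_messages(results_path, field="_raw", limit=10):
    """Read the gzipped CSV Splunk wrote for the alert; return `field` of the first `limit` rows."""
    messages = []
    with gzip.open(results_path, "rt", newline="") as fh:
        for row in csv.DictReader(fh):
            if row.get(field):
                messages.append(row[field])
            if len(messages) >= limit:
                break
    return messages


def build_snmptrap_command(manager, community, alert_name, message, max_len=1024):
    """Build argv for net-snmp's snmptrap (SNMPv2c).

    The message is truncated so one UDP trap stays well under typical size limits;
    '' as the uptime argument tells snmptrap to use the local system uptime.
    """
    message = message[:max_len]
    return [
        "snmptrap", "-v", "2c", "-c", community, manager, "",
        TRAP_OID,
        NAME_OID, "s", alert_name,
        MESSAGE_OID, "s", message,
    ]


def send_trap(cmd):
    """Run snmptrap and return its exit status (127 if the binary is missing)."""
    try:
        return subprocess.run(cmd, check=False).returncode
    except FileNotFoundError:
        return 127


def make_sample_results_file():
    """Write a constructed results.csv.gz shaped like the one Splunk hands to the script."""
    rows = [  # constructed sample rows, not real log data
        {"_time": "2024-03-26T10:00:00", "host": "fw01", "_raw": "Mar 26 10:00:00 fw01 DENY tcp 10.0.0.5 -> 10.0.1.9:445"},
        {"_time": "2024-03-26T10:00:05", "host": "fw01", "_raw": "Mar 26 10:00:05 fw01 DENY tcp 10.0.0.5 -> 10.0.1.9:139"},
    ]
    tmp = tempfile.NamedTemporaryFile(suffix=".csv.gz", delete=False)
    tmp.close()
    with gzip.open(tmp.name, "wt", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=["_time", "host", "_raw"])
        writer.writeheader()
        writer.writerows(rows)
    return tmp.name


def main(argv):
    args = parse_alert_args(argv)
    messages = read_alert_messages(args["results_path"])
    body = "\n".join(messages) if messages else args["trigger_reason"]
    # ASSUMPTION: manager host and community come from the environment rather than being hard-coded.
    manager = os.environ.get("SNMP_MANAGER", "netcool.example.invalid")
    community = os.environ.get("SNMP_COMMUNITY", "public")
    return send_trap(build_snmptrap_command(manager, community, args["alert_name"], body))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that an SNMPv2c community string travels in clear text; where the receiving console supports it, the same `snmptrap` invocation can be switched to `-v 3` with authentication and privacy, and the community string should in any case not be the default.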


gcusello
SplunkTrust

Thank you.
Bye.
Giuseppe

0 Karma