Where to validate if the SNMP_TA was successfully getting data from the SNMP agent

teddyidc1101
Communicator

We installed snmp_ta on our forwarders and, based on the DS, it is 100% deployed.

These are the steps we did:
1. Created an inputs.conf file to define the following: destination, mib_names, object_names
2. Used the DS (with the reload command) to deploy to a single server

We wanted to check how to validate the config (aside from running a search), since it is not getting the data into the indexer.

1 Solution

koshyk
Super Champion

The SNMP modular input app is a great one, but it is used for making polling compatible with Splunk's conf specs.

So ensure:
1. You put your SNMP_TA on a heavy forwarder / forwarder with Python installed. Only on ONE forwarder, otherwise you will get duplicate data. This is for COLLECTION purposes.
2. You need to create an index following your organisation's standards (e.g. idx_mycompany_snmp).
3. Create inputs.conf with the SNMP polling details, either in an app of your own or within the "local" directory of the SNMP modular app, and put in settings something like the below...

[snmpif://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
interfaces = 1,5,8,9
index = idx_mycompany_snmp 
# The sourcetype can be whatever you want
sourcetype = snmpif

Then search within that index.

teddyidc1101
Communicator

Thanks for those points... a few questions again:
1. This means that we would only install the inputs.conf, with the stanzas for all the IPs/hostnames/servers that it needs to poll, on only one server?
2. Given the settings below, can you verify if we did it correctly?
[snmp://proc_site]
communitystring = public
destination = IP1 --> server IP
do_bulk_get = 0
do_get_subtree = 0
index = idx
ipv6 = 0
mib_names = MIB_NAME1, MIB_NAME1, MIB_NAME1 --> custom mibs saved in /snmp_ta/bin/mibs; does this have to include the extension names? is it ok to have this outside the .egg??
object_names = {600 OIDs defined} --> is this ok or we need to break it down??
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = sourcetype1
split_bulk_output = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol

3. We are getting the errors below in _internal; does it mean that Python is not running on the forwarder?

0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB file ".py[co]" not found in search path
0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" File "/opt/splunkforwarder/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 270, in loadModules
0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" mibBuilder.loadModules(*mib_names_args)


koshyk
Super Champion
1. Correct. You can create any number of such entries in the inputs.conf, each in a separate stanza.
2. From the error, it seems the app is looking for the bundled Python. Are you using a Universal Forwarder? The UF doesn't have Python bundled and may not work. Try installing on an HF or normal Splunk, or you may need to find a way to use a separate Python installation.
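
For validating the input without running a search: the ExecProcessor errors quoted in this thread are also written to splunkd.log on the forwarder itself, and can be summarised there. The script below is an added example, not part of the original thread or of the SNMP TA; the log excerpt is constructed (the timestamps, `EXAMPLE-MIB` and `poll.sh` are made up), with the line layout modelled on the errors posted above.

```python
import re
from collections import Counter

# Constructed splunkd.log excerpt; the layout follows the errors quoted in the thread.
SAMPLE_LOG = '''\
03-14-2024 10:15:02.644 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" Traceback (most recent call last):
03-14-2024 10:15:02.644 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" File "/opt/splunkforwarder/etc/apps/snmp_ta/bin/pysnmp-4.2.5-py2.7.egg/pysnmp/smi/builder.py", line 270, in loadModules
03-14-2024 10:15:02.644 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB file "EXAMPLE-MIB.py[co]" not found in search path
03-14-2024 10:15:07.010 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/other_app/bin/poll.sh" connection refused
03-14-2024 10:20:02.650 -0400 ERROR ExecProcessor - message from "python /opt/splunkforwarder/etc/apps/snmp_ta/bin/snmp.py" pysnmp.smi.error.SmiError: MIB file "EXAMPLE-MIB.py[co]" not found in search path
'''

MSG_RE = re.compile(r'\b(ERROR|WARN)\s+ExecProcessor - message from "([^"]+)"\s*(.*)$')
FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')
EXC_RE = re.compile(r'^([A-Za-z_][\w.]*(?:Error|Exception)): (.*)$')

def summarize(log_text, script="snmp.py"):
    """Summarise the stderr that splunkd captured from one input script."""
    failures = Counter()  # (exception class, detail) -> occurrences
    frames = {}           # (exception class, detail) -> innermost traceback frame
    other = []            # stderr lines that are not part of a traceback
    frame = None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m or not m.group(2).endswith(script):
            continue      # another component, or another input's script
        msg = m.group(3)
        f, e = FRAME_RE.search(msg), EXC_RE.match(msg)
        if f:             # remember the most recent frame before the exception line
            frame = "%s:%s (%s)" % (f.group(1).rsplit("/", 1)[-1], f.group(2), f.group(3))
        elif e:
            key = (e.group(1), e.group(2))
            failures[key] += 1
            if frame:
                frames[key] = frame
            frame = None
        elif not msg.startswith("Traceback"):
            other.append(msg)
    return failures, frames, other

if __name__ == "__main__":
    failures, frames, other = summarize(SAMPLE_LOG)
    for key, n in failures.most_common():
        print("%dx %s at %s: %s" % (n, key[0], frames.get(key), key[1]))
    for msg in other:
        print("stderr:", msg)
```

To run it against a real forwarder, pass the contents of that host's splunkd.log to `summarize()` in place of `SAMPLE_LOG`.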