Sending SNMP from Splunk to Netcool

lloydknight
Builder

Hello All,

So I've been searching for how to send an SNMP to Netcool and I found the information below:

http://docs.splunk.com/Documentation/Splunk/6.3.12/Alert/SendingSNMPtrapstoothersystems
https://splunkbase.splunk.com/app/3596/#/details

We're currently using Splunk 7.0.3 and it seems that the add-on is the only way to get this requirement done.

I'm not very familiar with this kind of integration as I'm used to getting data into Splunk, not getting data into external tools using Splunk.

Though the add-on shows the steps in an orderly manner, I'm still having a hard time following the steps, like what my Splunk search should look like for the parameters $result.host$ and $result.splunk_field_name$. Where can I get the OIDs stated in the configuration?

If I were to use the SendingSNMPtrapstoothersystems on the official doc, are there any workarounds to use it on 7.0? If there are, is there a clear method of procedure to do it with simple examples?

Thank you very much for your help!

0 Karma

hgehrts_splunk
Splunk Employee

There are several ways to get data out of Splunk. Traps could be one option, syslog another, or even writing into a database could be one. Or start a script (alarm integration) and let it call nco_postmsg... that’s a custom command from Netcool OMNIbus to send events into the Netcool OMNIbus console.

So: it depends on what you and the Netcool guy prefer.
Talking about the trap integration: it should still work... if there are issues, you could still create your own script that does snmptrap (net-snmp) into the Netcool Trap Receiver Probe.

0 Karma

lloydknight
Builder

Hello @hgehrts_splunk,
I would like to use the add-on as much as possible to configure the integration faster. Based on the add-on's details, it's using dummy values for the OIDs as an example, which I am confused by. I found this link which tells me the Splunk Enterprise OID is 27389. The documentation used "1.3.6.1.4.1.27389.1.1". Is this constant or configurable, or where can I find this if ever?

From what I understand of SNMP, the one who sends the data is the one who provides the OID.

0 Karma

kkrishnan_splun
Splunk Employee

If your Splunk search reads

index=_internal | table host

and, while configuring the alert, you enter your host name to be $result.host$, Splunk would configure the trap to take the value of host in the search result to assign it to host name. $result.$ is only to specify how the resulting fields should be specified.

The OID is usually specified by the trap receiver. Per the link you shared, if the OID for Splunk Enterprise is "1.3.6.1.4.1.27389.1.1", for the SNMP Splunk Modular Alert configuration, set the
Enterprise OID to "1.3.6.1.4.1",
Specific OID to "27389" and
Specific Trap ID to 1.

0 Karma

rashi83
Path Finder

Hi there,

I followed the steps on https://splunkbase.splunk.com/app/3596/#/details to configure SNMP traps to an outside system from Splunk. I have used the Enterprise OID: 1.3.6.1.4.1.27389. We do not see traps on the external system. I have the following questions:

1. Where does this "=== Netcool Configuration File ===" defined on the above link go? What is the path of the file?

2. I am seeing this error in internal logs: NoSuchObjectError: NoSuchObjectError({'str': "Can't resolve node name ::('1', '3', '6', '1', '4', '1', '27389', '(blank)') at <pysnmp.smi.view.MibViewController instance at 0x000000DD527EE748>"})

This is a matter of urgency, please respond.

@kkrishnan_splun

0 Karma

kkrishnan_splun
Splunk Employee

Hello Rashi,

Please find my answers below :

  1. This is not a configuration file. It is just information text to show the mapping within the code to what can be seen on the Netcool end.
  2. It looks like after 27389, there is a space which the Python code is unable to resolve. Could you please remove this and try again?

0 Karma

rashi83
Path Finder

Hi Karthika,

Thanks for getting back - there is no space after 27389. I added a few more numbers to it like this "1.3.6.1.4.1.27389.1.2" and am still seeing the same error.

2020-08-03 16:30:02,884 ERROR Execution failed: Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\modular_alert.py", line 542, in execute
return self.run(cleaned_params, payload)
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\netcool_custom_modular_alert.py", line 85, in run
(str(enterpriseSNMP_SpecificObjectID)+'.8', rfc1902.OctetString(str(splunksearch)))
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\entity\rfc3413\oneliner\ntforg.py", line 173, in sendNotification
**kwargs):
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\hlapi\asyncore\sync\ntforg.py", line 114, in sendNotification
lookupMib=options.get('lookupMib', True))
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\hlapi\asyncore\ntforg.py", line 145, in sendNotification
vbProcessor.makeVarBinds(snmpEngine, varBinds),
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\hlapi\varbinds.py", line 51, in makeVarBinds
varBinds.resolveWithMib(mibViewController)
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\smi\rfc1902.py", line 1130, in resolveWithMib
self.__objectIdentity.resolveWithMib(mibViewController)
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\smi\rfc1902.py", line 399, in resolveWithMib
tuple(self.__args[0].split('.'))
File "C:\Program Files\Splunk\etc\apps\netcool_custom_modular_alert\bin\pysnmp\smi\view.py", line 210, in getNodeNameByOid
(modName, nodeName, self)
NoSuchObjectError: NoSuchObjectError({'str': "Can't resolve node name ::('1', '3', '6', '1', '4', '1', '27389', '1', '2', '(blank)') at <pysnmp.smi.view.MibViewController instance at 0x0000001E4D9C9748>"})

0 Karma
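An added example, not part of the thread and not the add-on's own code: a pre-flight check for the OID strings typed into the alert parameters, which also pulls the arcs out of a "Can't resolve node name" line like the ones posted above so the non-numeric arc (here the literal '(blank)') and its position are visible. The function names are hypothetical; the sample error text is copied from the last post.

```python
import re

_DECIMAL = re.compile(r"[0-9]+")


def check_arcs(arcs):
    """Return (position, arc, reason) for every arc that is not a plain decimal number."""
    problems = []
    for pos, arc in enumerate(arcs):
        if arc == "":
            problems.append((pos, arc, "empty arc"))
        elif arc != arc.strip():
            problems.append((pos, arc, "whitespace"))
        elif not _DECIMAL.fullmatch(arc):
            problems.append((pos, arc, "not a decimal number"))
    return problems


def check_oid(oid):
    """Check a dotted OID string exactly as it was entered in an alert parameter."""
    # Same split on '.' that the traceback shows in pysnmp's rfc1902.py.
    return check_arcs(oid.split("."))


def arcs_from_error(line):
    """Extract the arc tuple from a pysnmp "Can't resolve node name" message."""
    m = re.search(r"::\((.*)\) at <", line)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


# Error text copied from the post above.
SAMPLE_ERROR = (
    "NoSuchObjectError: NoSuchObjectError({'str': \"Can't resolve node name "
    "::('1', '3', '6', '1', '4', '1', '27389', '1', '2', '(blank)') at "
    "<pysnmp.smi.view.MibViewController instance at 0x0000001E4D9C9748>\"})"
)

if __name__ == "__main__":
    for candidate in ("1.3.6.1.4.1.27389.1.1", "1.3.6.1.4.1.27389 "):
        print(repr(candidate), check_oid(candidate) or "ok")
    print("from log:", check_arcs(arcs_from_error(SAMPLE_ERROR)))
```
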