By Damien Dallimore and Scott Spencer
This is a Splunk modular input add-on for polling SNMP attributes and catching traps.
If you are using SNMP version 3, you have to obtain, build and add the pycrypto package yourself:
https://pypi.python.org/pypi/pycrypto
The simplest way is to build pycrypto and drop the "Crypto" directory in $SPLUNK_HOME/etc/apps/snmp_ta/bin.
I don't recommend installing the pycrypto package into the Splunk Python runtime's site-packages, as this could have unforeseen side effects.
I do not bundle the pycrypto module with the core release, because:
So, here are a few instructions for building and installing pycrypto yourself:
1) Download the pycrypto package from https://pypi.python.org/pypi/pycrypto
2) Run these 3 commands (note: you will need to use a system Python 2.7 runtime, not the Splunk Python runtime):
    python setup.py build
    python setup.py install
    python setup.py test
3) Browse to where the Crypto module was installed, e.g. /usr/local/lib/python2.7/dist-packages/Crypto
4) Copy the "Crypto" directory to $SPLUNK_HOME/etc/apps/snmp_ta/bin
The pysnmp library is used under the hood, so you need to convert your plain text MIB files into Python modules.
Many industry standard MIBs ship with the Modular Input.
You can see which MIBs are available by looking in $SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/pysnmp_mibs-0.1.4-py2.7.egg
Any additional custom MIBs need to be converted into Python modules.
You can do this with the build-pysnmp-mib tool that is part of the pysnmp installation:
    build-pysnmp-mib -o SOME-CUSTOM-MIB.py SOME-CUSTOM-MIB.mib
build-pysnmp-mib is just a wrapper around smidump.
So alternatively you can also execute:
    smidump -f python MYMIB.mib | libsmi2pysnmp > MYMIB.py
Then you can either copy the generated Python files to $SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs, or build a Python "egg" of the generated Python files (maybe tidier if you have many Python files) and copy the egg to that same location.
In the configuration screen for the SNMP input in Splunk Manager, there is a field called “MIB Names” (see above).
Here you can specify the MIB names you want applied to the SNMP input definition, e.g. IF-MIB,DNS-SERVER-MIB,BRIDGE-MIB
The MIB Name is the same as the name of the MIB python module in your egg package.
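The conversion steps above, as one added shell example (not part of the add-on): it converts every .mib file in a directory with build-pysnmp-mib, removes the output of any failed conversion, and prints the value for the "MIB Names" field. The function names, the MIB_CONVERTER variable and the ./custom-mibs directory are assumptions of this example.

```shell
#!/bin/sh
# MIB_CONVERTER is an assumption of this example so the converter can be
# swapped; it defaults to the build-pysnmp-mib tool named in the text.
MIB_CONVERTER="${MIB_CONVERTER:-build-pysnmp-mib}"

# convert_mibs SRC_DIR DEST_DIR
# Converts every SRC_DIR/*.mib into DEST_DIR/<name>.py.
# Returns 1 if any file failed, 2 on a bad directory. A failed or empty
# output is deleted so no half-written module is left in the mibs directory.
convert_mibs() {
    src=$1
    dest=$2
    failed=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 2; }
    mkdir -p "$dest" || return 2
    for mib in "$src"/*.mib; do
        [ -e "$mib" ] || continue            # glob matched nothing
        name=$(basename "$mib" .mib)
        if "$MIB_CONVERTER" -o "$dest/$name.py" "$mib" && [ -s "$dest/$name.py" ]; then
            echo "converted $name"
        else
            echo "FAILED    $name" >&2
            rm -f "$dest/$name.py"
            failed=1
        fi
    done
    return "$failed"
}

# mib_names DIR
# Prints the comma-separated "MIB Names" value: one entry per .py module
# in DIR, named after the module file.
mib_names() {
    names=""
    for py in "$1"/*.py; do
        [ -e "$py" ] || continue
        names="${names:+$names,}$(basename "$py" .py)"
    done
    printf '%s\n' "$names"
}

# Typical use:
#   convert_mibs ./custom-mibs "$SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs"
#   mib_names "$SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs"
```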
You can provide your own custom Response Handler. This is a Python class that you should add to the rest_ta/bin/responsehandlers.py module.
You can then declare this class name and any parameters in the SNMP Modular Input setup page.
For the most part the Default Response Handler should suffice.
But there may be situations where you want to format the response in a manner that is more convenient for handling your data, e.g. CSV or JSON.
Furthermore, you can also use a custom Response Handler implementation to preprocess your raw response data before sending it to Splunk.
Any modular input errors are written to $SPLUNK_HOME/var/log/splunk/splunkd.log
Merged in community Pull requests.
Add a new option to get subtree
Add a new option to perform rDNS for trap source
Fix to resolve missing server extractions on the SNMPv3 trap receiver
In the destination field for polling attributes, you can now optionally specify a comma-delimited list of hosts
Fixed bug in UI that prevented declaring custom MIB Names when in listen traps mode
Fixed host field extraction for receiving v2 traps
Minor code tweaks
Updated the Manager UI to be simpler and more intuitive
Minor cosmetic fixes
SNMP v3 support, please follow the docs regarding pycrypto dependencies
pysnmp library update to 4.2.5
Support for plugging in custom response handlers that can format the raw SNMP data in a particular format or perform preprocessing on the raw SNMP data before indexing in Splunk. Has a default response handler which produces the same output as previous versions. Also ships with an example JSONFormatterResponseHandler.
Robustified exception handling
More detailed logging
Added more lenient exception handling code so that the trap listener won't terminate when it can't resolve an OID, and will instead just index the raw OID and print the error message to splunkd.log
For custom MIBs, added the ability to drop plain Python (.py) files into the bin/mibs directory, no need to egg them up
Tweaked the Manager UI list view
Got MIB resolution working properly for traps and attribute polling; added a config field so you can declare any MIB names you want applied. Any custom MIBs still need to be converted into Python modules first (see the docs)
Added a config option to split out "get bulk" results into individually indexed events
Changed the setup screen layout to be better organised
Renamed the manager xml file to avoid naming clashes
Some minor script tweaks around custom MIB loading