```
splunk install app snmpmod.spl -update 1 -auth admin:changeme
cd $SPLUNK_HOME/etc/apps/snmpmod
mkdir local
vim local/inputs.conf
```
If you are using SNMP version 3, you have to obtain the PyCrypto package yourself. As of Python 2.7.9, pip is included with the release. Run

```
pip2 install pycrypto
```

Then copy the installed `Crypto` directory into the app's `bin` directory:

* On Windows, copy `C:\Python27\Lib\site-packages\Crypto` to `$SPLUNK_HOME\etc\apps\snmpmod\bin`
* On Linux, copy `/usr/local/lib/python2.7/dist-packages/Crypto` to `$SPLUNK_HOME/etc/apps/snmpmod/bin`
```
[snmpif://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
interfaces = 1,5,8,9
index = network
# The sourcetype can be whatever you want
sourcetype = snmpif

[ipsla://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
operations = 2,7
index = network
sourcetype = ipsla
```
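The stanzas above keep `v3_authKey` in plain text in `local/inputs.conf`, so the file's permissions and any values left over from the instructions are worth checking. The following audit script is an added example and not part of snmpmod; it assumes POSIX permission bits, treats a missing `snmp_version` as "not 3", and the second sample stanza (host name and the value `2C`) is constructed.

```python
import configparser
import os
import stat

PLACEHOLDERS = {"password", "changeme"}  # sample secrets from the setup instructions

def audit_stanzas(text):
    """Return (stanza, finding) pairs for snmpif:// and ipsla:// stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. v3_authKey
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith(("snmpif://", "ipsla://")):
            continue
        stanza = cp[name]
        if stanza.get("snmp_version") != "3":
            findings.append((name, "snmp_version is not 3; v1/v2c community strings are sent unencrypted"))
            continue
        if not stanza.get("v3_securityName"):
            findings.append((name, "v3_securityName is missing"))
        key = stanza.get("v3_authKey", "")
        if not key:
            findings.append((name, "v3_authKey is missing"))
        elif key.lower() in PLACEHOLDERS:
            findings.append((name, "v3_authKey is a placeholder value"))
    return findings

def audit_file(path):
    """Audit a file on disk, including its POSIX permission bits."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append((path, "mode %o grants group/other access to the cleartext v3_authKey" % mode))
    with open(path, encoding="utf-8") as fh:
        return findings + audit_stanzas(fh.read())

# Constructed input: the first stanza follows the one above, the second is made up.
SAMPLE = """\
[snmpif://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
interfaces = 1,5,8,9

[ipsla://rtr1.example.net]
destination = rtr1.example.net
snmp_version = 2C
operations = 2,7
"""
```

Run `audit_file("$SPLUNK_HOME/etc/apps/snmpmod/local/inputs.conf")` with the path expanded; an empty list means no findings.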
Currently, all response handlers set the Splunk host to the value of `destination`. If you don't have DNS (bad sysadmin!), add an entry to /etc/hosts. I'd be very happy to take a pull request that will look at a `host` config option and override `destination` with that value.
I strongly recommend you create a search macro `snmpif_traffic` that uses `streamstats` to calculate the bits per second from the raw `snmpif` data. My macro is:
```
stats first(*) as * by _time host ifIndex
| streamstats window=2 global=false current=true range(if*Octets) as delta*, range(_time) as secs by host, ifIndex
| where secs>0
| eval bpsIn=coalesce(deltaHCIn, deltaIn)*8/secs
| eval bpsOut=coalesce(deltaHCOut, deltaOut)*8/secs
| eval mbpsIn=bpsIn/1000000 | eval mbpsOut=bpsOut/1000000
```
Then to call it and display the results as a graph:
```
index=snmpif host=foo ifIndex=17 | `snmpif_parse`
| timechart bins=500 avg(mbpsIn) as "Mbps IN", avg(mbpsOut) as "Mbps OUT"
```

And calculate 95th percentile figures:

```
index=snmpif host=foo ifIndex=17 | `snmpif_parse`
| stats perc95(mbpsIn) as "IN", perc95(mbpsOut) as "OUT"
```
The search term shown above is quite expensive. I am running the query above and collecting the data into a new index.
```
[search index=network sourcetype=snmp_traffic | stats first(_time) as earliest] index=network sourcetype="snmpif"
| stats first(*) as * by _time host ifIndex
| streamstats window=2 global=false current=true range(if*Octets) as delta*, range(_time) as secs by host, ifIndex
| where secs>0
| eval bpsIn=coalesce(deltaHCIn, deltaIn)*8/secs
| eval bpsOut=coalesce(deltaHCOut, deltaOut)*8/secs
| eval mbpsIn=bpsIn/1000000
| eval mbpsOut=bpsOut/1000000
| fields _time host ifIndex bpsIn bpsOut ifAdminStatus ifDescr ifMtu ifOperStatus ifPhysAddress ifSpecific ifSpeed ifType mbpsIn mbpsOut
| collect index=network sourcetype=snmp_traffic
```
There is a trick there of using the most recent snmp_traffic event to start the next round of collections. I run this search every 30 minutes.
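The rate calculation performed by the macro and the collection search, written out in Python as an added example (not code from snmpmod). It goes one step beyond the macro: `range()` over two events is `max - min`, which turns a 32-bit counter wrap into a large spike, so the wrap-aware mode uses modular arithmetic instead. The sample polls are constructed.

```python
# Added example, not part of snmpmod. Field names follow the macro above.

def counter_delta(prev, curr, bits, wrap_aware):
    """Increase of an SNMP counter between two polls.

    wrap_aware=False mirrors range() over a two-event window (max - min);
    wrap_aware=True assumes at most one wrap of a `bits`-wide counter.
    """
    if wrap_aware:
        return (curr - prev) % (1 << bits)
    return abs(curr - prev)

def bit_rates(events, wrap_aware=True):
    """Return one row of bpsIn/bpsOut per pair of consecutive polls."""
    last, rows = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["host"], ev["ifIndex"])
        prev, last[key] = last.get(key), ev
        if prev is None:
            continue
        secs = ev["_time"] - prev["_time"]
        if secs <= 0:  # same guard as `where secs>0`
            continue
        row = {"_time": ev["_time"], "host": key[0], "ifIndex": key[1]}
        for d in ("In", "Out"):
            # Prefer the 64-bit HC counter, like coalesce(deltaHCIn, deltaIn).
            for name, bits in ((f"ifHC{d}Octets", 64), (f"if{d}Octets", 32)):
                if name in ev and name in prev:
                    octets = counter_delta(prev[name], ev[name], bits, wrap_aware)
                    row[f"bps{d}"] = octets * 8 / secs
                    break
        rows.append(row)
    return rows

# Constructed polls, 300 s apart (the snmpinterval used in the stanzas).
SAMPLE = [
    {"_time": 0, "host": "foo", "ifIndex": 17,
     "ifHCInOctets": 1_000_000_000, "ifHCOutOctets": 500_000_000},
    {"_time": 300, "host": "foo", "ifIndex": 17,
     "ifHCInOctets": 1_037_500_000, "ifHCOutOctets": 575_000_000},
    {"_time": 0, "host": "foo", "ifIndex": 5,
     "ifInOctets": 4_294_960_000, "ifOutOctets": 1_000},
    {"_time": 300, "host": "foo", "ifIndex": 5,  # ifInOctets wrapped past 2**32
     "ifInOctets": 30_204, "ifOutOctets": 76_000},
]

if __name__ == "__main__":
    for row in bit_rates(SAMPLE):
        print(row)
```

A device reboot resets the counters to zero, which modular arithmetic cannot tell apart from a wrap, so a spike right after a reboot still needs to be filtered separately.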
This project was originally based on SplunkModularInputsPythonFramework.
I have taken the SNMP modular input, refactored the Python code to be more re-usable and added extra stanzas for polling interfaces and ipsla statistics.
# Release Notes
## v2.5.4
* More changes to error handling
## v2.5.3
* Fixes and tweaks to logging
## v2.5.2
* Significant improvements to logging
## v2.5.1
* [Issue #3](https://github.com/oxo42/snmpmod/issues/3): Fixed statistics coming through
## v2.5.0
* [Issue #2](https://github.com/oxo42/snmpmod/issues/2): Added `dropBitRate` to `qos`
## v2.4.0
* Added `qos` section for querying CB QOS policy rates
## v2.3.0
* Added jitter stats packet loss counters to IPSLA
## v2.2.1
* Increase transport timeout to 2 seconds
## v2.2.0
* Added RTT Sum2 to IPSLA poller
* Added operation response to IPSLA poller
* Added high counter Ucast packets to snmpif
## v2.1.2
* Removed RTTSumHigh from IPSLA
## v2.1.1
* Renamed IPSLA entry to operation
# Breaking change
Renamed IPSLA entry to operation
Bug fix release
* Added support for polling CISCO IPSLA statistics via the `ipsla://` stanza
* Fixed up exception handling
* Tweaked logging