Ingest SNMP Data Into Splunk

I recently had to get Cisco SNMP trap data into Splunk, so I thought it might help to write up how I did it. I was lucky enough to come across this very good Splunk article on SNMP data into ITSI, so a big up to Liz Snyder. I used the info in there and made some adjustments for my environment, which gave me a good head start; why re-invent the wheel, just pimp it up or Splunk it UP!!

My changes were to set the host name from the sending device's address, add some CIM field mapping, and send the header line snmptrapd writes on restart to the null queue.

My environment:

Linux Centos 8 / Splunk 8.5

Step 1 Install and Configure SNMP

sudo yum install net-snmp net-snmp-utils
sudo systemctl enable snmpd
sudo systemctl enable snmptrapd

sudo systemctl start snmpd
sudo systemctl status snmpd -l
sudo snmpwalk -v 2c -c public -O e

Step 2 Make the snmp log file

sudo mkdir /snmp
cd /snmp
sudo touch ./traps.log
sudo setfacl -R -m u:splunk:rx /snmp/traps.log

Step 3 Config SNMPTRAPD startup options

This points snmptrapd at its config file, loads all the MIBs (-m +ALL) and sends the output to the log file called traps.log. Note that --disableAuthorization=yes makes snmptrapd accept traps regardless of community string, so either restrict UDP/162 on this box to your network devices with a host firewall, or drop that flag and add an authCommunity log <community> line to snmptrapd.conf instead.

sudo vi /etc/sysconfig/snmptrapd

OPTIONS="-c /etc/snmp/snmptrapd.conf -A -n -Lf /snmp/traps.log -OQ -m +ALL --disableAuthorization=yes -p /var/run/"

Step 4 Config SNMPTRAPD conf

This formats the SNMP data as one key/value pair per line. format1 is used for SNMPv1 traps and format2 for SNMPv2c/v3 traps; both must stay on a single line, and the trailing --- line closes each record.

sudo vi /etc/snmp/snmptrapd.conf

# snmptrapd formatting
# _from_3rd_party_Vendors

format1 Agent_Address = %A\nAgent_Hostname = %B\nDate = %y-%02.2m-%02.2l %02.2h:%02.2j:%02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n

format2 Agent_Address = %A\nAgent_Hostname = %B\nDate = %y-%02.2m-%02.2l %02.2h:%02.2j:%02.2k\nEnterprise_OID = %N\nTrap_Type = %w\nTrap_SubType = %q\nCommunity_Infosec_Context = %P\nUptime = %T\nDescription = %W\nPDU_Attribute_Value_Pair_Array:\n%V\n%v\n---\n

Step 5 Check and enable SNMP services

sudo systemctl restart snmptrapd
sudo systemctl status -l snmptrapd
sudo systemctl enable snmpd
sudo systemctl enable snmptrapd

Step 6 Check MIBs

Check /usr/share/snmp/mibs; it should contain a load of MIBs. Add any new ones you need into this folder from Cisco's web site, otherwise the OIDs in your traps will not be translated to names.

Step 7 Send some test traps

sudo snmptrap -v 2c -c public localhost "" i 123456
sudo snmptrap -v 2c -c public localhost 1 1

sudo tail -f /snmp/traps.log

You should see data. As the formatting is key/value pairs, this will get parsed easily.


Step 8 Create Inputs / Props / Transforms conf

inputs.conf

[monitor:///snmp/traps.log]
disabled = false
index = snmptrapd
sourcetype = network:snmptrapd

props.conf

[network:snmptrapd]
KV_MODE = auto
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
disabled = false
pulldown_type = true
TRANSFORMS-null = setnull

#Change host name
TRANSFORMS-hostname = snmpdevice

#Add Report Extract for Delims
REPORT-snmpfields = kv_snmp

#Added For CIM Mapping
#Extract CIM Fields
EXTRACT-CIM-fields = Agent_Hostname\s=\s(?P<protocol>.+):.*\[(?P<src_ip>.+)\]:(?P<src_port>.+)->\[(?P<dest_ip>.+)\]:(?P<dest_port>.+)$
FIELDALIAS-dvc = src_ip AS dvc

transforms.conf

#This sends unwanted data (the NET-SNMP banner written on restart) to null
[setnull]
REGEX = ^(NET.*)
DEST_KEY = queue
FORMAT = nullQueue

#This changes the host name to the agent address
[snmpdevice]
REGEX = Agent_Address\s=\s(?P<snmpdvc>.+)
FORMAT = host::$1
DEST_KEY = MetaData:Host

#adds delimiters to extracted fields
[kv_snmp]
DELIMS = "\n", " ="
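Before restarting Splunk it is worth checking that the regexes in props.conf and transforms.conf actually do what you expect against the record layout from step 4. The script below is an added example, not part of the original post or of Splunk: it replays the same LINE_BREAKER, null-queue, host, timestamp, DELIMS and CIM patterns in Python over a constructed sample of /snmp/traps.log (the restart banner plus two made-up trap records; the addresses and OIDs are invented for the example). Whitespace trimming around the DELIMS values and the re.MULTILINE flag on the CIM regex are my choices for the Python version, explained in the comments.

```python
import re
from datetime import datetime

# Constructed sample of /snmp/traps.log (not captured from a real device): the
# "NET-SNMP version" banner snmptrapd writes on restart, then two trap records
# in the format1/format2 layout from snmptrapd.conf.
SAMPLE_LOG = (
    "NET-SNMP version 5.8\n"
    "Agent_Address = 192.0.2.10\n"
    "Agent_Hostname = UDP: [192.0.2.10]:161->[192.0.2.1]:162\n"
    "Date = 2021-06-01 10:15:30\n"
    "Enterprise_OID = SNMPv2-SMI::enterprises.8072.2.3.0.1\n"
    "Trap_Type = 6\n"
    "Trap_SubType = 1\n"
    "Community_Infosec_Context = TRAP2, SNMP v2c, community public\n"
    "Uptime = 0:00:12.34\n"
    "Description = Enterprise Specific\n"
    "PDU_Attribute_Value_Pair_Array:\n"
    "SNMPv2-SMI::enterprises.8072.2.3.2.1 = 123456\n"
    "---\n"
    "Agent_Address = 192.0.2.11\n"
    "Agent_Hostname = UDP: [192.0.2.11]:50321->[192.0.2.1]:162\n"
    "Date = 2021-06-01 10:16:02\n"
    "Enterprise_OID = SNMPv2-MIB::snmpTraps\n"
    "Trap_Type = 2\n"
    "Trap_SubType = 0\n"
    "Community_Infosec_Context = TRAP2, SNMP v2c, community public\n"
    "Uptime = 1:02:03.04\n"
    "Description = Link Down\n"
    "PDU_Attribute_Value_Pair_Array:\n"
    "IF-MIB::ifIndex.3 = 3\n"
    "---\n"
)

# The same patterns as the props.conf / transforms.conf stanzas.
LINE_BREAKER = re.compile(r"([\r\n]+)Agent_Address\s=")
NULL_QUEUE = re.compile(r"^(NET.*)")                          # [setnull]
HOST_RE = re.compile(r"Agent_Address\s=\s(?P<snmpdvc>.+)")    # [snmpdevice]
TIME_PREFIX = re.compile(r"Date\s=\s")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
# re.MULTILINE so the trailing $ matches the end of the Agent_Hostname line
# inside a multi-line event instead of the end of the whole event.
CIM_RE = re.compile(
    r"Agent_Hostname\s=\s(?P<protocol>.+):.*\[(?P<src_ip>.+)\]:(?P<src_port>.+)"
    r"->\[(?P<dest_ip>.+)\]:(?P<dest_port>.+)$",
    re.MULTILINE,
)
FIELD_SEP, KV_SEP = "\n", " ="                                # DELIMS = "\n", " ="


def break_events(raw):
    """Split raw text the way LINE_BREAKER does: the captured newline run is
    discarded and the text after it (Agent_Address = ...) starts a new event."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        events.append(raw[start:m.start()])
        start = m.end(1)
    events.append(raw[start:])
    return [e for e in events if e.strip()]


def parse_event(event):
    """Apply the transforms to one event. Returns None for events that the
    [setnull] transform would route to nullQueue."""
    if NULL_QUEUE.match(event):
        return None
    rec = {"_raw": event}
    m = HOST_RE.search(event)
    if m:
        rec["host"] = m.group("snmpdvc")            # MetaData:Host from the device address
    m = TIME_PREFIX.search(event)
    if m:
        stamp = event[m.end():].split("\n", 1)[0]   # text after TIME_PREFIX up to end of line
        rec["_time"] = datetime.strptime(stamp, TIME_FORMAT)
    for line in event.split(FIELD_SEP):             # [kv_snmp] DELIMS extraction
        if KV_SEP in line:
            key, value = line.split(KV_SEP, 1)
            rec[key.strip()] = value.strip()        # trimming is this script's choice
    m = CIM_RE.search(event)                        # EXTRACT-CIM-fields
    if m:
        rec.update(m.groupdict())
        rec["dvc"] = rec["src_ip"]                  # FIELDALIAS-dvc
    return rec


def ingest(raw):
    """Events that would reach the snmptrapd index, with the fields Splunk would add."""
    return [rec for rec in map(parse_event, break_events(raw)) if rec is not None]


if __name__ == "__main__":
    for rec in ingest(SAMPLE_LOG):
        print(rec["_time"], rec["host"], rec["Description"],
              rec.get("src_ip"), rec.get("src_port"), rec.get("dest_port"))
```

Running it shows the banner dropped and two events with host set to the agent address, Description and the varbind names as fields, and protocol/src_ip/src_port/dest_ip/dest_port pulled from Agent_Hostname. One thing the Python version makes visible: the CIM regex ends in $, and in Python it only matches inside a multi-line event with the multiline flag. If the CIM fields do not show up in Splunk on your events, check the extraction with (?m) at the start of EXTRACT-CIM-fields.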

Step 9 Generate more SNMP test traps and you should see them in your snmptrapd index.

