SNMP Modular Input Poller
Overview
Details
[snmpif://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
interfaces = 1,5,8,9
index = network
# The sourcetype can be whatever you want
sourcetype = snmpif
[ipsla://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
operations = 2,7
index = network
sourcetype = ipsla
SnmpMod
Deployment
splunk install app snmpmod.spl -update 1 -auth admin:changeme
cd $SPLUNK_HOME/etc/apps/snmpmod
mkdir local
vim local/inputs.conf
SNMP v3
If you are using SNMP version 3 , you have to obtain the PyCrypto package yourself:
As of Python 2.7.9, pip is included with the release. Run
pip2 install pycrypto
- Windows
- Copy
C:\Python27\Lib\site-packages\Cryptoto$SPLUNK_HOME\etc\apps\snmpmod\bin - Linux
- Copy
/usr/local/lib/python2.7/dist-packages/Cryptoto$SPLUNK_HOME/etc/apps/snmpmod/bin
snmpif Stanza
[snmpif://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
interfaces = 1,5,8,9
index = network
# The sourcetype can be whatever you want
sourcetype = snmpif
ipsla Stanza
[ipsla://hostname]
destination = hostname
snmp_version = 3
v3_securityName = username
v3_authKey = password
snmpinterval = 300
operations = 2,7
index = network
sourcetype = ipsla
Response Handlers
destination, host and /etc/hosts
Currently, all response handlers set the Splunk host to the value of destination. If you don't have DNS (bad sysadmin!) add an entry to /etc/hosts. I'd be very happy to take a pull request that will look at a host config option and override destination with that value.
SNMP Interface Search Query
I strongly recommend you create a search macro snmpif_traffic that uses streamstats to calculate the bits per second from the raw snmpif data. My macro is:
stats first(*) as * by _time host ifIndex
| streamstats window=2 global=false current=true range(if*Octets) as delta*, range(_time) as secs by host, ifIndex
| where secs>0
| eval bpsIn=coalesce(deltaHCIn, deltaIn)*8/secs
| eval bpsOut=coalesce(deltaHCOut, deltaOut)*8/secs
| eval mbpsIn=bpsIn/1000000 | eval mbpsOut=bpsOut/1000000
Then to call it and display the results as a graph:
index=snmpif host=foo ifIndex=17 | `snmpif_parse`
| timechart bins=500 avg(mbpsIn) as "Mbps IN", avg(mbpsOut) as "Mbps OUT"
And calculate 95th percentile figures
index=snmpif host=foo ifIndex=17 | `snmpif_parse`
| stats perc95(mbpsIn) as "IN", perc95(mbpsOut) as "OUT"
Summary Collection
The search term shown above is quite expensive. I am running the query above and collecting the data into a new index.
[search index=network sourcetype=snmp_traffic | stats first(_time) as earliest] index=network sourcetype="snmpif"
| stats first(*) as * by _time host ifIndex
| streamstats window=2 global=false current=true range(if*Octets) as delta*, range(_time) as secs by host, ifIndex
| where secs>0
| eval bpsIn=coalesce(deltaHCIn, deltaIn)*8/secs
| eval bpsOut=coalesce(deltaHCOut, deltaOut)*8/secs
| eval mbpsIn=bpsIn/1000000
| eval mbpsOut=bpsOut/1000000
| fields _time host ifIndex bpsIn bpsOut ifAdminStatus ifDescr ifMtu ifOperStatus ifPhysAddress ifSpecific ifSpeed ifType mbpsIn mbpsOut
| collect index=network sourcetype=snmp_traffic
There is a trick there of using the most recent snmp_traffic event to start the next round of collections. I run this search every 30 minutes.
About
This project was originally based on SplunkModularInputsPythonFramework.
I have taken the SNMP modular input, refactored the python code to be more re-usable and added extra stanzas for polling interfaces and ipsla statistics.
Release Notes
Version 2.5.4
v2.5.4
- More changes to error handling
Version 2.5.3
Release Notes
v2.5.3
- Fixes and tweaks to logging
v2.5.2
- Significant improvements to logging
Version 2.5.1
v2.5.1
- Issue #3: Fixed statistics coming through
Version 2.5.0
v2.5.0
- Issue #2: Added
dropBitRatetoqos
v2.4.0
- Added
qossection for querying CB QOS policy rates
v2.3.0
- Added jitter stats packet loss counters to IPSLA
v2.2.1
- Increase transport timeout to 2 seconds
v2.2.0
- Added RTT Sum2 to IPSLA poller
- Added operation response to IPSLA poller
- Added high counter Ucast packets to snmpif
v2.1.2
- Removed RTTSumHigh from IPSLA
v2.1.1
- Renamed IPSLA entry to operation
Version 2.4.0
- Added
qossection for querying CB QOS policy rates
Version 2.3.0
v2.3.0
- Added jitter stats packet loss counters to IPSLA
v2.2.1
- Increase transport timeout to 2 seconds
v2.2.0
- Added RTT Sum2 to IPSLA poller
- Added operation response to IPSLA poller
- Added high counter Ucast packets to snmpif
v2.1.2
- Removed RTTSumHigh from IPSLA
v2.1.1
- Renamed IPSLA entry to operation
Version 2.2.1
Increase transport timeout to 2 seconds
Version 2.2.0
v2.2.0 Changelog
- Added RTT Sum2 to IPSLA poller
- Added operation response to IPSLA poller
- Added high counter Ucast packets to snmpif
Version 2.1.2
Breaking change
Renamed IPSLA entry to operation
Version 2.0.1
Bug fix release
Version 2.0.0
- Added support for polling CISCO IPSLA statistics via [ipsla:// stanza
- Fixed up exception handling
- Tweaked logging