Channel: Questions in topic: "universal-forwarder"

Best Practices for SNMP traps from Universal Forwarder

I am trying to send SNMP traps from Cisco wireless controllers to our universal forwarder which has net-snmp installed. While I have it working and data is getting to the indexer, I have a few problems listed below. Note that I cannot send traps directly to Splunk. All data needs to hit the UF first.

**SNMP output is not clean**

With the STRING, INTEGER, and other random output between the key values, it's causing Splunk to incorrectly parse them. A hacky way would be for me to use SEDCMD to remove this data in props.conf but it is not working. My assumption is SEDCMD does not work on a Windows indexer but I've been told it should. Is there a better way with net-snmp to prevent this?

```
2019-12-27 10:14:28 Agent_Address = 0.0.0.0 Agent_Hostname = UDP: [10.20.20.10]:44369->[10.20.20.200]:162 PDU_Attribute_Value_Pair_Array: sysUpTimeInstance = Timeticks: (1440866000) 166 days, 18:24:20.00 snmpTrapOID.0 = OID: bsnDot11StationAssociate bsnStationAPMacAddr.0 = STRING: 5c:83:8f:79:6d:40 bsnStationAPIfSlotId.0 = INTEGER: 1 bsnUserIpAddress.0 = IpAddress: 10.20.196.141 bsnStationUserName.0 = STRING: limguest bsnStationMacAddress.0 = STRING: 78:7e:61:d1:d0:f8 bsnAPName.0 = STRING: "uslcoAP2302"
```

---

**Breaker lines not working**

I am having multiple events appear under a single event in Splunk.

props.conf

```
[snmptrapd]
DATETIME_CONFIG =
KV_MODE = none
LINE_BREAKER = ([\r\n]+)Agent_Address\s=
MAX_TIMESTAMP_LOOKAHEAD = 60
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TIME_PREFIX = Date\s=\s
TZ = UTC
category = Custom
description = parse snmptrapd logging with custom kvpair splunk formatting
disabled = false
pulldown_type = true
EXTRACT-node = ^[^\[\n]*\[(?P[^\]]+)
REPORT-snmptrapd = snmptrapd_kv
```
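One way to do the cleanup described in the question before the data reaches Splunk, as an added example that is not part of the original post: a Python filter that breaks the snmptrapd log on the leading timestamp, drops the type tags and the `PDU_Attribute_Value_Pair_Array:` header, and emits one `key="value"` line per trap. The function names, the list of type tags and the second sample trap are assumptions; the parser accepts the pairs either one per line or run together on one line.

```python
import re

# Timestamp at the start of each trap, as in the sample event above.
TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# "name = value" pairs; a value runs to the next "name = " or to the end,
# so a value that itself contains " = " would be split (known limitation).
PAIR = re.compile(r"(\S+) = (.*?)(?=\s+\S+ = |\s*$)", re.S)
# Type tags net-snmp prints in front of a value (assumed list, extend as needed).
TYPE_TAG = re.compile(r"^(?:STRING|INTEGER|IpAddress|OID|Timeticks): ")
HEADER = "PDU_Attribute_Value_Pair_Array:"

# Constructed input: a shortened copy of the trap from the question, one pair
# per line, then a second trap with made-up values written on a single line.
SAMPLE = """2019-12-27 10:14:28
Agent_Address = 0.0.0.0
Agent_Hostname = UDP: [10.20.20.10]:44369->[10.20.20.200]:162
PDU_Attribute_Value_Pair_Array:
sysUpTimeInstance = Timeticks: (1440866000) 166 days, 18:24:20.00
snmpTrapOID.0 = OID: bsnDot11StationAssociate
bsnStationAPIfSlotId.0 = INTEGER: 1
bsnUserIpAddress.0 = IpAddress: 10.20.196.141
bsnStationUserName.0 = STRING: limguest
bsnAPName.0 = STRING: "uslcoAP2302"
2019-12-27 10:14:31 Agent_Address = 0.0.0.0 snmpTrapOID.0 = OID: bsnDot11StationAssociate bsnStationUserName.0 = STRING: example-user
"""

def split_events(text):
    """Return one string per trap, breaking just before each timestamp."""
    starts = [m.start() for m in TS.finditer(text)]
    return [text[a:b].strip() for a, b in zip(starts, starts[1:] + [len(text)])]

def parse_event(raw):
    """Turn one trap into a dict with the type tags and quotes removed."""
    ts = TS.match(raw)
    event = {"_time": ts.group(0)}
    for name, value in PAIR.findall(raw[ts.end():].replace(HEADER, " ")):
        event[name] = TYPE_TAG.sub("", value.strip()).strip('"')
    return event

def to_kv(event):
    """Render an event as a single line of key="value" pairs."""
    return " ".join(f'{k}="{v}"' for k, v in event.items())

if __name__ == "__main__":
    for raw in split_events(SAMPLE):
        print(to_kv(parse_event(raw)))
```

Breaking on the timestamp rather than on `Agent_Address` keeps each trap's time inside its own event.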
