Making SNMP Simpler


From Wikipedia:

Simple Network Management Protocol (SNMP) is an “Internet-standard protocol for managing devices on IP networks”. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more.

SNMP exposes management data in the form of variables on the managed systems.

The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as type and description of the variable), are described by Management Information Bases (MIBs).

MIBs describe the structure of the management data of a device subsystem; they use a hierarchical namespace containing object identifiers (OID). Each OID identifies a variable that can be read or set via SNMP. MIBs use the notation defined by ASN.1.

SNMP agents can also send notifications, called Traps, to an SNMP trap listening daemon.

Splunking SNMP Data

SNMP represents an incredibly rich source of data that you can get into Splunk for visibility across a very diverse IT landscape.

For as long as I have been involved with Splunk, one of the most recurring requests on Splunkbase answers and in conversations has been “how do I get my SNMP data into Splunk?”.

And whilst there has always been a way, it has involved cobbling together a few different steps.

For polling SNMP variables, this has typically involved writing a custom scripted input utilizing an existing program or library under the hood, such as snmpget or pysnmp.

And for capturing SNMP traps, the approach has been to run a trap daemon such as snmptrapd on your Splunk server to capture the trap, dump it to a file and have Splunk monitor the file.

I think there is a much simpler way, one that is more natively integrated into Splunk: implementing SNMP data collection in a Splunk Modular Input.

So my colleague Scott Spencer and I set about doing just that.

SNMP Modular Input

The SNMP Modular Input allows you to configure your connections to your SNMP devices, poll attribute values and capture traps. It has no external dependencies: all of the functionality is built into the Modular Input, and it will run on all supported Splunk platforms.

Features overview

  • Simple UI based configuration via Splunk Manager
  • Capture SNMP traps (Splunk becomes a SNMP trap daemon in its own right)
  • Poll SNMP object attributes
  • Declare objects to poll in textual or numeric format
  • Ships with a wide selection of standard industry MIBs
  • Add in your own Custom MIBs
  • Walk object trees using GET BULK
  • Optionally index bulk results as individual events in Splunk
  • Monitor 1 or more Objects per stanza
  • Create as many SNMP input stanzas as you require
  • IPv4 and IPv6 support
  • Indexes SNMP events in key=value semantic format
  • Ships with some additional custom field extractions

SNMP version support

SNMP V1 & V2c support are currently implemented. SNMP V3 is in the pipeline. So you don’t need to email me requesting this :)


The Modular Input is implemented in Python, and under the hood pysnmp is the library upon which it is built.

Getting started

Browse to Splunkbase and download the SNMP Modular Input.

To install, simply untar it to SPLUNK_HOME/etc/apps and restart Splunk.


Log in to SplunkWeb, browse to Manager->Data Inputs->SNMP->New and set up your input stanza.

View the SNMP inputs you have set up.


You can then search over the SNMP data that gets indexed. In the example below, in addition to the SNMPv2-MIB, I have also loaded in the Interface MIB (IF-MIB) to resolve the IF-MIB OID names and values to their textual representation.

A note about MIBs

Many industry standard MIBs ship with the Modular Input.
You can see which MIBs are available by looking in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/pysnmp_mibs-0.1.4-py2.7.egg

Any additional custom MIBs need to be converted into Python Modules.

You can do this with the build-pysnmp-mib tool that is part of the pysnmp installation, passing the Python module to write after -o and the MIB text file as the input:

build-pysnmp-mib -o SOME-CUSTOM-MIB.py SOME-CUSTOM-MIB.mib

build-pysnmp-mib is just a wrapper around smidump.

So alternatively you can also execute:

smidump -f python <mib-text-file.txt> | libsmi2pysnmp > <pysnmp-mib-module.py>

Then “egg” up your Python MIB modules and place them in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs

In the configuration screen for the SNMP input in Splunk Manager, there is a field called “MIB Names” (see above).
Here you can specify the MIB names you want applied to the SNMP input definition, for example: IF-MIB,DNS-SERVER-MIB,BRIDGE-MIB
The MIB Name is the same as the name of the MIB Python module in your egg package.
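Because an egg is a zip archive, the Python standard library can list the MIB modules packaged in it and check a “MIB Names” value against them. The following is an added example, not part of the SNMP Modular Input; the in-memory egg and its pysnmp_mibs/<MIB-NAME>.py layout are a constructed sample and an assumption about how your egg is laid out.

```python
import io
import zipfile
from pathlib import PurePosixPath


def mib_modules(egg):
    """Return the sorted MIB module names found in an egg (a zip archive).

    `egg` is a path or a binary file object. Package metadata (EGG-INFO)
    and __init__ files are skipped; .py, .pyc and .pyo entries all count.
    """
    names = set()
    with zipfile.ZipFile(egg) as archive:
        for entry in archive.namelist():
            path = PurePosixPath(entry)
            if "EGG-INFO" in path.parts or path.suffix not in (".py", ".pyc", ".pyo"):
                continue
            if path.stem != "__init__":
                names.add(path.stem)
    return sorted(names)


def check_mib_names(field_value, egg):
    """Split a comma-separated "MIB Names" value and report unknown names."""
    available = set(mib_modules(egg))
    requested = [n.strip() for n in field_value.split(",") if n.strip()]
    missing = [n for n in requested if n not in available]
    return requested, missing


def build_sample_egg():
    """Constructed sample egg, held in memory, standing in for a real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("EGG-INFO/PKG-INFO", "Name: sample-mibs\n")
        archive.writestr("pysnmp_mibs/__init__.py", "")
        for mib in ("IF-MIB", "BRIDGE-MIB", "SNMPv2-MIB"):
            archive.writestr("pysnmp_mibs/%s.py" % mib, "# compiled MIB\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(mib_modules(build_sample_egg()))
    print(check_mib_names("IF-MIB,DNS-SERVER-MIB,BRIDGE-MIB", build_sample_egg()))
```

To inspect a real egg, pass its path instead of the sample, for instance the pysnmp_mibs egg under SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs.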

This is all just an interim measure until pysnmp supports plain text MIB files, a development feature in the pipeline for pysnmp.
When that feature is ready, all you will have to do is drop the plain text MIB in SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs and the SNMP Modular Input will do the rest. Watch this space!

What’s next

Now it’s your turn… go and download the Modular Input, plug it in and Splunk some SNMP data. I’d love to hear your feedback about any way to make it better and even simpler. And as mentioned, SNMP Version 3 support is coming.


We would like to use SNMP modular Input to monitor our network glitches. Splunk is running with different service account in a *nix machine. Do we need to have “root” access to monitor SNMP traps?


October 20, 2014

Only if you want to listen on a privileged port < 1024. Else, use a higher port.

October 20, 2014

I do not see this as an option, we have splunk installed on Windows. So is this only for Linux?

November 2, 2014

“..I do not see this as an option..”, can you elaborate? Are you referring to where you set the Trap listener port? If so, it is on the SNMP setup screen. When you select “Listen for Traps” mode, you will see a field called “Trap Listener Port” in the “SNMP Trap Listener Settings” section.

November 2, 2014

On your example above you have sourcetype as snmpta, I cannot see this in my list. How do I select this? Or what kind of source can I use?

November 7, 2014

On the setup screen for your SNMP stanza, under “sourcetype”, once you select manual, you will see this text… “If this field is left blank, the default value of snmp_ta will be used for the source type.”

November 10, 2014

Hey; I want you to consider a scenario. I have SNMP manager and a master agent. My devices are communicating with agent and then agent is sending traps about those devices to Manager, I want to write a single MIB for every device as each device has same parameters to monitor. Since traps going to Manager are from single agent, How would I differentiate that this trap belongs to which device? Or do I have to write different MIB for each device.

Usman Fazil
January 16, 2015

Do your MIBs have any attributes that would uniquely identify the device? i.e. some id, hostname, IP address?

If so, this unique field that would be in the trap would be indexed in Splunk, and you could then search over data in Splunk on a per device basis.

January 20, 2015

Is there a way to import multiple devices automatically? For instance if I have 100+ devices of the same “type” is there a way to “seed” the app? Or it all must be done throughout the GUI?

Volodymyr Polishchuk
February 10, 2015

You don’t have to use the GUI to set up your devices. When you use the GUI, the settings just get persisted to inputs.conf (search for this file under etc/apps), so you can also just edit this file directly to create your setup.

February 11, 2015


I’m using the SNMP Modular Input and have my IP cameras and my ESXi servers connected to it. But I have some questions regarding the MIBs:

How can I see which MIBs are included? The SPLUNK_HOME/etc/apps/snmp_ta/bin/mibs/pysnmp_mibs-0.1.4-py2.7.egg is a binary file. So opening with nano doesn’t help and fgrep is only saying that there are matches but there’s no output of the found matches.

I would like to import MIBs for VMware vSphere. But there are about 50 MIB files per ESXi version. So the manual import as described above isn’t a good solution because I’ve got two different versions of ESXi. And in the future I want to update one of my ESXi to vSphere 6.0. This means importing 150 files, right? Or which ones do I need to import when using the free hypervisor?



Stefan Mössner
April 11, 2015

Hello Damien,
Great work.
Is it possible to use modular Input just to listen to the traps? What if I don’t want it to poll my system for SNMP Input, rather I want to initiate conversation using snmptrap and I just want the add-on to listen and act to what traps say.

April 15, 2015

Can it work on splunk forwarder?
I tried, but got nothing.

It works well on splunk indexer.

April 17, 2015

All folks who have asked a question here.. can you please post it on , that forum is more appropriate for inline answering of questions. Cheers.

April 20, 2015
