# SNMP Data Format
SC4SNMP classifies SNMP data elements as metrics or textual fields. Metric types are usually the indicators worth monitoring, which change dynamically, while textual fields are helpful context to understand what an SNMP object means.
SC4SNMP classifies a data element as a metric when its type is one of the following:

- Unsigned
- Counter
- TimeTicks
- Gauge
- Integer

Every other type is interpreted as a field value.
Sometimes the MIB file declares an object as an `INTEGER` but also defines a mapping from the numeric values to labels. See the following `IF-MIB.ifOperStatus` example:
```
ifOperStatus OBJECT-TYPE
    SYNTAX  INTEGER {
                up(1),            -- ready to pass packets
                down(2),
                testing(3),       -- in some test mode
                unknown(4),       -- status can not be determined
                                  -- for some reason.
                dormant(5),
                notPresent(6),    -- some component is missing
                lowerLayerDown(7) -- down due to state of
                                  -- lower-layer interface(s)
            }
```
Here a numeric value is expected, but what SC4SNMP actually receives from the device is the resolved label, a string value such as `up`. To avoid storing a textual value as a metric, SC4SNMP performs an additional check and tries to cast the value to `float`. If the cast fails, the value is classified as a textual field.
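The classification rule above, as an added example that is not SC4SNMP's own code: a type check against the five metric types, followed by the `float` cast that catches resolved enumeration labels. The `classify` and `split_record` names, the `METRIC_TYPES` set and the sample varbinds are assumptions made for this example; the values mirror the walk output shown further down this page.

```python
# Added example (not SC4SNMP's own code): reproduce the metric/field
# classification rule on a few constructed varbinds.
METRIC_TYPES = {"Unsigned", "Counter", "TimeTicks", "Gauge", "Integer"}


def classify(snmp_type: str, value) -> str:
    """Return 'metric' or 'field' for one SNMP varbind.

    Types outside METRIC_TYPES are always fields. For the metric types the
    value must additionally be castable to float; a MIB enumeration such as
    ifOperStatus arrives already resolved to its label ('up'), so the cast
    fails and the value is kept as a field.
    """
    if snmp_type not in METRIC_TYPES:
        return "field"
    try:
        float(value)
    except (TypeError, ValueError):
        return "field"
    return "metric"


# Constructed sample varbinds: (name, type as declared in the MIB, value as
# received from the device).
SAMPLE_VARBINDS = [
    ("IF-MIB.ifOperStatus", "Integer", "up"),
    ("IF-MIB.ifAdminStatus", "Integer", "up"),
    ("IF-MIB.ifType", "Integer", "ethernetCsmacd"),
    ("IF-MIB.ifDescr", "OctetString", "GigabitEthernet1"),
    ("IF-MIB.ifPhysAddress", "OctetString", "0a:aa:ef:53:67:15"),
    ("IF-MIB.ifInOctets", "Counter", 3873878708),
    ("IF-MIB.ifSpeed", "Gauge", 1000000000),
    ("IF-MIB.ifMtu", "Integer", 1500),
]


def split_record(varbinds):
    """Split varbinds into the textual part and the metric part.

    Metric keys follow the metric_name:sc4snmp.<MIB>.<object> convention
    visible in the walk output on this page; textual fields are keyed by
    the bare object name.
    """
    fields, metrics = {}, {}
    for name, snmp_type, value in varbinds:
        if classify(snmp_type, value) == "metric":
            metrics["metric_name:sc4snmp." + name] = value
        else:
            fields[name.split(".", 1)[1]] = value
    return fields, metrics


if __name__ == "__main__":
    textual, metric = split_record(SAMPLE_VARBINDS)
    for key, value in {**textual, **metric}.items():
        print(f"{key}: {value}")
```

Note that an `Integer` whose value is a numeric string (for example `"7"` from a device that did not resolve the enumeration) passes the cast and is stored as a metric; the rule keys on whether the value is numeric, not on whether the MIB defines labels.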
See the following simple example. You have just added a device and configured nothing special. The data from a walk in Splunk's metrics index is:
```
{
    ifAdminStatus: up
    ifDescr: GigabitEthernet1
    ifIndex: 1
    ifOperStatus: up
    ifPhysAddress: 0a:aa:ef:53:67:15
    ifType: ethernetCsmacd
    metric_name:sc4snmp.IF-MIB.ifInDiscards: 0
    metric_name:sc4snmp.IF-MIB.ifInErrors: 0
    metric_name:sc4snmp.IF-MIB.ifInOctets: 3873878708
    metric_name:sc4snmp.IF-MIB.ifInUcastPkts: 47512921
    metric_name:sc4snmp.IF-MIB.ifInUnknownProtos: 0
    metric_name:sc4snmp.IF-MIB.ifLastChange: 454107556
    metric_name:sc4snmp.IF-MIB.ifMtu: 1500
    metric_name:sc4snmp.IF-MIB.ifOutDiscards: 0
    metric_name:sc4snmp.IF-MIB.ifOutErrors: 0
    metric_name:sc4snmp.IF-MIB.ifOutOctets: 1738565177
    metric_name:sc4snmp.IF-MIB.ifOutUcastPkts: 44295751
    metric_name:sc4snmp.IF-MIB.ifSpeed: 1000000000
}
```
You can see a textual part:
```
ifAdminStatus: up
ifDescr: GigabitEthernet1
ifIndex: 1
ifOperStatus: up
ifPhysAddress: 0a:aa:ef:53:67:15
ifType: ethernetCsmacd
```
And a metric one:
```
metric_name:sc4snmp.IF-MIB.ifInDiscards: 0
metric_name:sc4snmp.IF-MIB.ifInErrors: 0
metric_name:sc4snmp.IF-MIB.ifInOctets: 3873878708
metric_name:sc4snmp.IF-MIB.ifInUcastPkts: 47512921
metric_name:sc4snmp.IF-MIB.ifInUnknownProtos: 0
metric_name:sc4snmp.IF-MIB.ifLastChange: 454107556
metric_name:sc4snmp.IF-MIB.ifMtu: 1500
metric_name:sc4snmp.IF-MIB.ifOutDiscards: 0
metric_name:sc4snmp.IF-MIB.ifOutErrors: 0
metric_name:sc4snmp.IF-MIB.ifOutOctets: 1738565177
metric_name:sc4snmp.IF-MIB.ifOutUcastPkts: 44295751
metric_name:sc4snmp.IF-MIB.ifSpeed: 1000000000
```
## To which Splunk index will my data go?

### Metric index

The rule is: if a polled profile returns at least one metric value, the record goes to the metric index and is enriched with all the textual fields known for that object. For example, when polling:
```yaml
profile_with_one_metric:
  frequency: 100
  varBinds:
    - ['IF-MIB', 'ifOutUcastPkts']
    - ['IF-MIB', 'ifInUcastPkts']
```
The record that you will see in Splunk with `| mpreview index=net*`, for the same device as in the previous example, would be:
```
ifAdminStatus: up
ifDescr: GigabitEthernet1
ifIndex: 1
ifOperStatus: up
ifPhysAddress: 0a:aa:ef:53:67:15
ifType: ethernetCsmacd
metric_name:sc4snmp.IF-MIB.ifOutUcastPkts: 44295751
metric_name:sc4snmp.IF-MIB.ifInUcastPkts: 47512921
```
Only the objects listed in `varBinds` are actively polled from the device. In the case of the previous `profile_with_one_metric`, the textual fields `ifAdminStatus`, `ifDescr`, `ifIndex`, `ifOperStatus` and `ifPhysAddress` are taken from the database cache, which is refreshed on every walk. This is fine in most cases, as values such as the MAC address, interface type, or interface status should not change frequently, if at all.
If you want to keep `ifOperStatus` and `ifAdminStatus` up to date at all times, define the profile as in the following example:
```yaml
profile_with_one_metric:
  frequency: 100
  varBinds:
    - ['IF-MIB', 'ifOutUcastPkts']
    - ['IF-MIB', 'ifInUcastPkts']
    - ['IF-MIB', 'ifOperStatus']
    - ['IF-MIB', 'ifAdminStatus']
```
The result in Splunk will look the same, but `ifOperStatus` and `ifAdminStatus` will now be actively polled on every run instead of being read from the cache.

### Event index

It is possible to produce a record without a single metric value. In that case, it goes to an event index. See the following example of a profile for that scenario:
```yaml
profile_with_only_textual_fields:
  frequency: 100
  varBinds:
    - ['IF-MIB', 'ifDescr']
    - ['IF-MIB', 'ifName']
    - ['IF-MIB', 'ifOperStatus']
```
In this example, no additional enrichment is done. The events in Splunk's event index (`index=netops`) would look like:
```
{
    IF-MIB.ifDescr: {
        name: IF-MIB.ifDescr
        oid: 1.3.6.1.2.1.2.2.1.2.5
        time: 1676302789.9729967
        type: f
        value: VirtualPortGroup0
    }
    IF-MIB.ifName: {
        name: IF-MIB.ifName
        oid: 1.3.6.1.2.1.31.1.1.1.1.5
        time: 1676302789.6655216
        type: f
        value: Vi0
    }
    IF-MIB.ifOperStatus: {
        name: IF-MIB.ifOperStatus
        oid: 1.3.6.1.2.1.2.2.1.8.5
        time: 1676302789.6655502
        type: g
        value: up
    }
}
```
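The index routing described in the "Metric index" and "Event index" sections above, as an added example that is not SC4SNMP's own code: a profile's `varBinds` are polled against a constructed device, the result goes to the metric index (enriched from a constructed walk cache) when at least one metric is present, and to the event index unenriched otherwise. The `poll` and `is_metric` names, the `WALK_CACHE` and `DEVICE_RESPONSES` tables, and the choice that an actively polled field overrides the cached copy of the same field are assumptions made for this example.

```python
# Added example (not SC4SNMP's own code): route one polling result to the
# metric or event index and show which fields come from the walk cache.
METRIC_TYPES = {"Unsigned", "Counter", "TimeTicks", "Gauge", "Integer"}


def is_metric(snmp_type, value):
    """Metric types whose value survives a float cast are metrics."""
    if snmp_type not in METRIC_TYPES:
        return False
    try:
        float(value)
    except (TypeError, ValueError):
        return False
    return True


# Constructed: textual fields the last walk cached for this interface.
WALK_CACHE = {
    "ifAdminStatus": "up",
    "ifDescr": "GigabitEthernet1",
    "ifIndex": 1,
    "ifOperStatus": "up",
    "ifPhysAddress": "0a:aa:ef:53:67:15",
    "ifType": "ethernetCsmacd",
}

# Constructed: what the device answers for each polled object, keyed by
# (MIB, object) exactly as written in a profile's varBinds.
DEVICE_RESPONSES = {
    ("IF-MIB", "ifOutUcastPkts"): ("Counter", 44295751),
    ("IF-MIB", "ifInUcastPkts"): ("Counter", 47512921),
    ("IF-MIB", "ifOperStatus"): ("Integer", "up"),
    ("IF-MIB", "ifAdminStatus"): ("Integer", "up"),
    ("IF-MIB", "ifDescr"): ("OctetString", "GigabitEthernet1"),
    ("IF-MIB", "ifName"): ("OctetString", "Gi1"),
}

# The two profiles from this page, as the YAML would load.
PROFILE_WITH_ONE_METRIC = {
    "frequency": 100,
    "varBinds": [["IF-MIB", "ifOutUcastPkts"], ["IF-MIB", "ifInUcastPkts"]],
}
PROFILE_WITH_ONLY_TEXTUAL_FIELDS = {
    "frequency": 100,
    "varBinds": [["IF-MIB", "ifDescr"], ["IF-MIB", "ifName"],
                 ["IF-MIB", "ifOperStatus"]],
}


def poll(profile, cache=WALK_CACHE, device=DEVICE_RESPONSES):
    """Poll a profile and return (index_kind, record).

    index_kind is 'metric' when at least one polled value is a metric,
    otherwise 'event'. Only the objects in varBinds are asked of the
    device; metric records are completed from the walk cache.
    """
    metrics, polled_fields, event_fields = {}, {}, {}
    for mib, obj in profile["varBinds"]:
        snmp_type, value = device[(mib, obj)]
        if is_metric(snmp_type, value):
            metrics[f"metric_name:sc4snmp.{mib}.{obj}"] = value
        else:
            polled_fields[obj] = value
            event_fields[f"{mib}.{obj}"] = value
    if not metrics:
        # No metric at all: the record goes to the event index, unenriched.
        return "event", event_fields
    # At least one metric: enrich with the cached textual fields. Assumption
    # for this example: a field that was actively polled replaces the cached
    # (possibly stale) copy, which is what keeps ifOperStatus current when
    # it is listed in varBinds.
    return "metric", {**cache, **polled_fields, **metrics}


if __name__ == "__main__":
    for name, profile in [("profile_with_one_metric", PROFILE_WITH_ONE_METRIC),
                          ("profile_with_only_textual_fields",
                           PROFILE_WITH_ONLY_TEXTUAL_FIELDS)]:
        kind, record = poll(profile)
        print(f"{name} -> {kind} index")
        for key, value in record.items():
            print(f"    {key}: {value}")
```

Run as a script, the first profile prints the eight-line enriched metric record shown in the "Metric index" section, and the second prints only the three polled objects, with no `ifPhysAddress` or other cached field attached.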