2 Replies Latest reply on Nov 30, 2016 9:19 PM by jbrunke

    SNMP trap to NPM alert

    jbrunke

      OK, I've pored over the threads available here at thwack that explain different methods to trigger an alert and clear that alert when a corresponding trap comes in.  I have an example that is slightly different from others I've seen here that I'd like to get some help with.

       

      Scenario - another monitoring tool (HP BSM) sends a trap as an action when an alert condition is raised:

       

      11/29/2016 8:08:20 AM    10.10.10.10     pwbsmdps02     public     SNMPv2-SMI:enterprises.5233.4.0.1     snmpTrapEnterprise = SNMPv2-SMI:enterprises.5233.4
      experimental.1057.1.0 = 10.10.10.10
      sysUpTime = 226 days 5 hours 16 minutes 34.05 seconds
      snmpTrapOID = SNMPv2-SMI:enterprises.5233.4.0.1
      enterprises.5233.4.10 = Business Transaction Flow:LMS;transaction:LMS_003_Auth;
      enterprises.5233.4.9 = d4aec8817ec54e330fcc047bac0890ea
      enterprises.5233.4.8 = N/A
      enterprises.5233.4.7 = Response time for 2 out of 3 transactions was greater than 8.00 seconds.;
      enterprises.5233.4.6 = For Business Transaction Flow "LMS", transaction "LMS_003_Auth". Response time for 2 out of 3 transactions greater than 8.00 seconds.;
      enterprises.5233.4.5 = Major
      enterprises.5233.4.4 = 33dcb5b068c72fdb8779050b29df5c2c
      enterprises.5233.4.3 = Regular Alert
      enterprises.5233.4.2 = ITO: LMS Performance Alerts
      enterprises.5233.4.1 = LMS

       

      It also will send a corresponding clear trap when the alert clears:

      1/29/2016 8:29:38 AM    10.10.10.10     pwbsmdps02     public     SNMPv2-SMI:enterprises.5233.4.0.1     snmpTrapEnterprise = SNMPv2-SMI:enterprises.5233.4
      experimental.1057.1.0 = 10.10.10.10
      sysUpTime = 226 days 5 hours 16 minutes 34.05 seconds
      snmpTrapOID = SNMPv2-SMI:enterprises.5233.4.0.1
      enterprises.5233.4.10 = Business Transaction Flow:LMS;transaction:LMS_003_Auth;
      enterprises.5233.4.9 = d4aec8817ec54e330fcc047bac0890ea
      enterprises.5233.4.8 = N/A
      enterprises.5233.4.7 = Response time for 1 out of 3 transactions was greater than 8.00 seconds.;
      enterprises.5233.4.6 = For Business Transaction Flow "LMS", transaction "LMS_003_Auth". Response time for 2 out of 3 transactions greater than 8.00 seconds.;
      enterprises.5233.4.5 = Informational
      enterprises.5233.4.4 = 33dcb5b068c72fdb8779050b29df5c2c
      enterprises.5233.4.3 = Follow Up Alert
      enterprises.5233.4.2 = ITO: LMS Performance Alerts
      enterprises.5233.4.1 = LMS

       

      The traps always come from the same IP/Hostname: 10.10.10.10/pwbsmdps02

       

      So in following other examples here, I created two rules in the trap viewer:

       

      BSM Alert:

       

       

      BSM Clear:

       

       

       

      Note: ${vbData4} contains the unique alert identifier, which is why I chose it to correlate the events.  I verified in the Trap Viewer that new traps are colored properly.

       

      Next, I created a new Alert in NPM:

       

      Trigger:

      Reset:

       

      Now here is where I am stuck...  I would like to pull this varbind from the specific trap and put it into the Message displayed when this alert is triggered:

      enterprises.5233.4.6 = For Business Transaction Flow "LMS", transaction "LMS_003_Auth". Response time for 2 out of 3 transactions greater than 8.00 seconds.;

       

      Is this even possible?!

        • Re: SNMP trap to NPM alert
          RichardLetts

          You'll need to define a custom sql properly to pull the varbind;

           

          Personally I'd copy the varbind you're interested in into the TAGS on the SNMP trap receiver,

          then use a custom SQL variable in the message being logged.

          (untested)

          ${SQL:Select top 1 TAG FROM [dbo].[TRAPS] Where nodeid=${NodeID} and colorcode=255 order by datetime desc }
            • Re: SNMP trap to NPM alert
              jbrunke

              Thanks Richard.  OK I followed your example but got a bit crazier

               

              ${SQL:SELECT top 1 b.oidvalue from traps a
              INNER JOIN trapvarbinds b
              ON a.trapid = b.trapid
              where a.nodeid = ${NodeID}
              and colorcode=255
              AND b.oidname = 'enterprises.5233.4.6'
              order by datetime desc }

               

              I've got it set up and am waiting for some traps...  I'll let you know how it goes...

               

              Man I really wish they would improve this part of the product soon.  Really frustrating to be able to receive traps but not be able to easily create alerts from them...
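
The trigger/clear correlation discussed in this thread, as an added example that is not part of either poster's reply and is not SolarWinds code: it parses traps in the Trap Viewer text layout shown above, tracks open alerts by identifier, and returns the enterprises.5233.4.6 text as the alert message. It assumes enterprises.5233.4.4 is the identifier the post calls ${vbData4} and that enterprises.5233.4.3 = "Follow Up Alert" marks the clear; the function names and the shortened sample traps are constructed for illustration.

```python
PREFIX = "enterprises.5233.4."
ALERT_ID = PREFIX + "4"  # assumption: the identifier the post calls ${vbData4}
KIND = PREFIX + "3"      # assumption: "Follow Up Alert" marks the clear trap
MESSAGE = PREFIX + "6"   # the text wanted in the alert message

# Constructed sample input: shortened copies of the two traps in the post.
TRIGGER_TRAP = """11/29/2016 8:08:20 AM    10.10.10.10     pwbsmdps02     public     snmpTrapEnterprise = SNMPv2-SMI:enterprises.5233.4
enterprises.5233.4.6 = For Business Transaction Flow "LMS", transaction "LMS_003_Auth". Response time for 2 out of 3 transactions greater than 8.00 seconds.;
enterprises.5233.4.5 = Major
enterprises.5233.4.4 = 33dcb5b068c72fdb8779050b29df5c2c
enterprises.5233.4.3 = Regular Alert"""
CLEAR_TRAP = (TRIGGER_TRAP.replace("Regular Alert", "Follow Up Alert")
              .replace("Major", "Informational"))


def parse_varbinds(trap_text):
    """Return {oid_name: value} for each 'name = value' line of one trap.

    The first line carries timestamp/host/community columns before its
    varbind, so the name is the last token left of the first ' = '.
    """
    varbinds = {}
    for line in trap_text.splitlines():
        left, sep, value = line.partition(" = ")
        if sep and left.split():
            varbinds[left.split()[-1]] = value.strip()
    return varbinds


def correlate(traps):
    """Replay traps in arrival order; return (open_alerts, events)."""
    open_alerts, events = {}, []
    for text in traps:
        vb = parse_varbinds(text)
        alert_id = vb.get(ALERT_ID)
        if alert_id is None:
            continue  # no alert identifier: not one of these alert traps
        if vb.get(KIND) == "Follow Up Alert":
            # A clear only resets an alert that is currently open.
            if open_alerts.pop(alert_id, None) is not None:
                events.append(("reset", alert_id, vb.get(MESSAGE, "")))
        elif alert_id not in open_alerts:
            # Repeated triggers for an open alert do not re-fire it.
            open_alerts[alert_id] = vb.get(MESSAGE, "")
            events.append(("trigger", alert_id, open_alerts[alert_id]))
    return open_alerts, events


if __name__ == "__main__":
    print(correlate([TRIGGER_TRAP, CLEAR_TRAP])[1])
```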