Skip to main content
Version: 3.2


Cribl LogStream supports receiving data from SNMP Traps.

Type: Push | TLS Support: NO | Event Breaker Support: No

Configuring Cribl LogStream to Receive SNMP Traps

In the QuickConnect UI: Click + New Source, or click + Add beside Sources. From the resulting drawer's tiles, select [Push >] SNMP Trap. Next, click either + Add New or (if displayed) Select Existing. The drawer will now provide the following options and fields.

Or, in the Data Routes UI: From the top nav of a LogStream instance or Group, select Data > Sources. From the resulting page's tiles or the Sources left nav, select [Push >] SNMP Trap. Next, click + Add New to open a New Source modal that provides the following options and fields.

LogStream ships with an SNMP Trap Source preconfigured to listen on Port 9162. You can clone or directly modify this Source to further configure it, and then enable it.

General Settings

Input ID: Enter a unique name to identify this Source definition.

Address: Address to bind on. Defaults to (all addresses).

UDP Port: Port on which to receive SNMP traps. Defaults to 162.

Processing Settings

Fields (Metadata)

In this section, you can add fields/metadata to each event using Eval-like functionality.

Name: Field name.

Value: JavaScript expression to compute field's value (can be a constant).


In this section's Pipeline drop-down list, you can select a single existing Pipeline to process data from this input before the data is sent through the Routes.

Advanced Settings

IP allowlist regex: Regex matching IP addresses that are allowed to send data. Defaults to .* i.e. all IPs.

Max buffer size (events) : Maximum number of events to buffer when downstream is blocking. Defaults to 1000.

Environment: If you're using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

Connected Destinations

Select Send to Routes to enable conditional routing, filtering, and cloning of this Source's data via the Routing table.

Select QuickConnect to send this Source’s data to one or more Destinations via independent, direct connections.

Internal Fields

Cribl LogStream uses a set of internal fields to assist in handling of data. These "meta" fields are not part of an event, but they are accessible, and Functions can use them to make processing decisions.

Fields for this Source:

  • __inputId
  • __srcIpPort : In this particular Source, this field uses a pipe (|) symbol to separate the source IP address and the port, in this format: event.__srcIpPort = ${rInfo.address}|${rInfo.port};
  • __snmpVersion: Acceptable values are 0, 2 , or 3. These respectively indicate SNMP v1, v2c, and v3.
  • __snmpRaw: Buffer containing Raw SNMP packet

Considerations for Working with SNMP Trap Data

  • It's possible to work with SNMP metadata (i.e., we'll decode the packet). Options include dropping, routing, etc.

  • SNMP packets can be forwarded to other SNMP destinations. However, the contents of the incoming packet cannot be modified – i.e., we'll forward the packets verbatim as they came in.

  • SNMP packets can be forwarded to non-SNMP destinations (e.g., Splunk, Syslog, S3, etc.).

  • Non-SNMP input data cannot be sent to SNMP destinations.