This article aims at providing an insight into how SNMP Discovery works.


  • SNMP Version - This is one critical check that has to be verified for the target host. 
    • ServiceNow Discovery supports SNMP versions 1, 2c and 3.
    • Discovery uses version 1 and 2c by default.
    • The support for version 3 must be explicitly enabled.
    • MID Servers support all SNMP protocol versions by default.
    • You can also set a MID Server to only support specific versions of SNMP.
  • Credentials - Credentials for SNMP do not include a user name, just a password, called the community string.
    • The default read-only community string for many SNMP devices is public, and Discovery will try that automatically.
    • Enter the appropriate SNMP credentials if they differ from the public community string.

MID server capabilities and requirements

No additional capability needs to be verified for running discovery on SNMP devices. The MID should just have the ability to perform DISCOVERY.

SNMP Discovery Flow in a base system

  • ServiceNow's discovery process has the capability to discover devices managed by SNMP. A few example devices-
    • Switches (Stacked switches as well starting Kingston)
    • Routers
    • Printers
    • Controllers of Wireless Access Points
    • Load Balancers
  • The Discovery process uses MIBs and OIDs to Classify, Identify and Explore Network-enabled devices.
    • MIB - Management Information Base is like a database that contains a set of Values, both statistical and control, that are defined by the network device. Device vendors also have a choice to choose the MIBs which are referred to as private MIBs.
    • OID - Object Identifier is a representation followed by the SNMP implementation which is a combination of MIB + Object of Interest. The Object of interest can be defined as the parameter value which a polling device can look for, say for example the Devices' uptime.
    • Say, for example, a Device has OID = Below is how it adds up- 



  • Quick brief of discovery phases-
    • Shazzam or Scan phase - For the user-provided IP address, the Shazzam polls the device and checks the port(s) it's responding on. Say, in our scenario, the expected port to be responding for the device is 161. There are all chances that an organization might have customized the port on which SNMP runs and hence, it has to be duly checked.
    • Classification phase - For any active port, the 'port probes' module will have the set of probes or Patterns to be triggered and for SNMP devices it's usually 'SNMP - Classify'. This probe mainly aims at extracting valid OID from the target device. The Input payload for 'SNMP - Classify' looks like the below-


          • The 'sysDescr' tags define the type of device
          • The 'sysObjectID' tag contains the OID.
      • Device classification is handled by the SNMP discovery process in the below way
        • There would be specific SNMP classifiers for that are defined for each device type. They can be found under the table discovery_classy_snmp.
        • For each classifier, you would find the classification criteria. This section/tab contains the condition that a target host has to satisfy in order to trigger a relevant classifier. All the different classification criteria records can be looked under discovery_class_criteria. The fetched OID would also be taken into consideration (If the OID exists in SNMP OID table and if it doesnt, even then the classification proceeds but the conditions of all available classifiers would be checked) for choosing the right classifier and the list of OIDs that which are defined and mapped to a classifier, found under the tab SNMP OID Classifications. All the OID specific information can be found under discovery_snmp_oid.
        • Once the right classifier is chosen, the probe that has to be triggered based on the condition match during classification would be defined under 'Trigger probes' section and they can also be viewed under discovery_classifier_probe.
        • Below is an example SNMP classifier record for Standard Network router.

    • Identification phase- Per the obtained MIB, the classification phase feeds the Identification phase with the type of device and the necessary probes/patterns which are needed to be triggered to identify the device. The MIB of the target host gets polled to extract the 'object(s) of interest' which in turn would be the details that are expected to be populated for the CI. In general, the SNMP MIBs are present in ecc_agent_mib table on the instance and they are expected to be compiled and loaded on the MID server on which the discovery is running from. Please note that not all MIBs are present OOTB and have to be added as per the requirement. If there is no relevant MIB, the discovery doesn't go beyond classification phase.
    • Exploration phase- In the exploration phase, the target host gets further explored for obtaining internal details by triggering the Layer-2 discovery.


  • Detailed SNMP discovery flow-



  • Common issues and a possible solution-




Note - There is a flexibility to add parameters to the SNMP probe. There would be scenarios where OID Children needs to be identified and explored or a time out to be set. To understand more about how to do this, please refer to ServiceNow's documentation for 'SNMP probe parameters' and how to add them.

SNMP Probe parameters  

There are additional probe parameters that can be used while discovering an SNMP device. (We do have documentation for the same, for each release)


ParameterDescriptionDefault Value
oid_spec_listA list of OID specifications, one per line. Each specification must be in one of the following two forms:
  •  walk {OID}: Walks the OID and all its children
  •  table {OID} {OID Children}: Walks all entries in the table, returning only the given children (for example, "")

{OID Children} refers to a comma-delimited list of child nodes within the entries for the given table. For example, "ifEntry.ifIndex,ifEntry.ifDescr,ifEntry.ifType" are OID children of the table "". As a convenience, the table entry prefix may be left off. (The preceding children could be specified as "ifIndex,ifDescr,ifType".)

Any child may include a filter qualifier in parentheses. For example, the child "entPhysicalContainedIn(=0)" specifies returning table entries only if the value of "entPhysicalContainedIn" equals 0. The operators supported in the expression are:
!=does not equal

If more than one child has a filter expression, a match on any one of the children causes that entry to be read.

Any content including and after a "//" is ignored (comments). Any OID that does not start with "" or "" automatically prefaces with "" as a convenience.

sourceThe IP address or host name of the device to query SNMP on.required
indexThe index to apply after the community string, for Cisco-style community string indexing (for VLAN interrogation).0
credential_idThe sys_id of a specific credential that is preferred for use above the rest. This parameter is for internal use only and is not supported.none
credential_tagThe credential tag that must be used. This parameter is for internal use only and is not supported.none

The timeout value (in milliseconds) to wait for a response, instead of the default. You can use this parameter to override themid.snmp.request.timeout SNMP MID Server configuration parameter.

Note: When use_getbulk is set to true, the timeout value is for an individual GETBULK request.
established_session_timeoutThe interval (in milliseconds) to wait for a response after at least one response has been received. Longer values can be useful for collecting complete and accurate data. You can use this parameter to override the mid.snmp.session.timeout SNMP MID Server configuration parameter.500
debugEnables debug logging. Set to true for debug mode.false
request_intervalThe interval (in milliseconds) between successive requests for an OID when a response has not been received, until the timeout (or established_session_timeout) value is reached. If this value is set to at least as long as the timeout (or established_session_timeout) value, then only a single request is sent for any particular OID. If you change the timeout (or established_session_timeout) value, adjust the request_interval at the same time to avoid sending too many or too few requests for the same OID, as appropriate for a given environment.400
request_delayThe interval (in milliseconds) between the receipt of a response and the transmission of the next request. The default is 0 (no delay). This value may be set to slow the overall rate of an SNMP query.0
result_formatReturns JSON formatted payloads for these probes:
  • SNMP - F5 BIG-IP - System
  • SNMP - Netscaler - System
  • SNMP - Routing
This parameter returns data in a more compact format to prevent sensor failure or memory problems on a node when the payload becomes large. Do not change this value or delete this parameter.
Caution: Use of this parameter with any other probes causes the sensor to fail.

Enables the use of SNMP GETBULK requests to retrieve tabular data from SNMP devices instead of using multiple SNMP GETNEXT requests. For tabular data, GETBULK is more efficient. Regardless of the request type, certain devices may not return any results when they are busy with other tasks.

This parameter is used to configure at the probe level. GETBULK can also be set for an individual MID Server or globally for all MID servers. Settings are listed in the order of precedence:

The established_session_timeout, request_interval, andrequest_delay parameters are ignored when use_getbulk is set to true. Instead, the retries parameter is available. The timeout configuration is the same one used by use_getscalar.

By default, the following probes use GETBULK requests (the parameter value is true).
  • SNMP - Switch - Vlan
  • SNMP - Switch - BridgePortTable
  • SNMP - Switch - ForwardingTable
  • SNMP - Switch - SpanningTreeTable
  • SNMP - Network - ArpTable
  • SNMP - Layer 2 Protocol Caches
  • SNMP - F5 BIG IP - System (only for Service Mapping customers)
Note: These probes have a timeout value of 5000.
use_getscalarEnables the use of simplified retrieval and handling of scalar values from SNMP devices.

The established_session_timeout, request_interval, and request_delay parameters are ignored when use_getscalar is set to true. Instead, the retries and timeout parameters are available. The timeout configuration is the same one used byuse_getbulk.

retriesThe number of additional attempts Discovery makes to complete an individual GETBULK request (see use_getbulk) or a GETNEXT request when the use_getscalar parameter is set totrue.2


SNMP sys_properties  

glide.discovery.L3_mapping - Should be enabled if the ask is to extract a logical mapping of the TCP/IP layer for network gears. This is beyond Layer 2 discovery.

SNMP script includes 

Here are a few SNMP script includes that are useful to be handy -

  1. SnmpSensor - 
    • Retrieves the OID for the specified field name from the respective Probe for this Sensor.
    • Automatically trims the last object name off of Table SNMP field OIDs, for ease of use with the SNMPResponse class.
  2. SNMPResponse - Wraps an SNMP payload response instance with methods to safely and easily retrieve SNMP singleton fields or tables.
  3. SnmpIdentityInfoParser - Parses the 'SNMP - Identity Info' MultiProbe result, adding generic NICs and serial numbers to the passed CIData object.
  4. SNMPNetworkInterfaces - Handles creating network interfaces for JavaScript SNMP sensors.

Common issues and how to investigate

  • Troubleshooting SNMP issues from a MID server and how to perform SNMP walk - KB0696727
  • Discovery of Wireless Access Points (WAP) - KB0696039


1) Does SNMP discovery support V3 credentials?

Yes. A credential type 'SNMPv3 Credentials' can be used to configure the V3 credentials. 

2) Do we support Wireless access point discovery?

Yes if the WAP is expected to respond on SNMP.

No, if its doesn't and in this case, we may have to look at targeting the controller that would be parenting the WAPs.

3) Why do we see slowness while discovering SNMP devices?

In some cases, there will be differences between debug and runtime execution because during runtime the execution's demands more OIDs.

This may cause the device not to respond properly to SNMP queries because SNMP services on network devices are a low priority

In cases of inconsistency or any weird behaviour, Wireshark logs can be collected and reviewed.




Additional Information

Article Information

Last Updated:2019-11-13 19:10:05
Pasted image.pngPasted image.pngPasted image.pngPasted image.pngPasted image.pngPasted image.pngPasted image.pngPasted image.pngScreen Shot 2019-08-20 at 1.13.27 AM.png