Integrating with Splunk
When you integrate TrueSight Operations Management with Splunk, you can generate events in TrueSight whenever an alarm action is triggered in Splunk.
This integration is tested with Splunk 8.1.1 and later.
On the TrueSight Infrastructure Management server
- Create the SPLUNK_EV class:
  - Go to $MCELL_HOME/etc/<TSIM_cell>/kb/classes.
  - Create a .baroc file, for example, splunk.baroc.
  - Add the following lines to the file:

        MC_EV_CLASS:
            SPLUNK_EV ISA EVENT;
        END

  - Save the file.
- Open the .load file present in the classes folder and add the name of the .baroc file to it. Do not enter the file extension.
- Compile the cell KB by running the following command from the command prompt:

      mccomp -n <cell_name>
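The class-file and .load steps above, scripted as an added example (not BMC's own tooling): it writes splunk.baroc, registers the base name in .load exactly once, and checks for the extension mistake the procedure warns about before the KB is compiled. The directory layout and the mccomp invocation are taken from the steps above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not BMC's code): create the SPLUNK_EV class file, register it
# in .load without the extension, and verify the result before compiling the KB.
# Assumes the layout above: <classes_dir> = $MCELL_HOME/etc/<TSIM_cell>/kb/classes.

CLASS_FILE=splunk   # base name: the file is splunk.baroc, the .load entry is "splunk"

add_splunk_ev_class() {
  classes_dir="$1"
  mkdir -p "$classes_dir"
  # Write the class definition only once so re-running does not clobber local edits.
  if [ ! -f "$classes_dir/$CLASS_FILE.baroc" ]; then
    printf 'MC_EV_CLASS:\n    SPLUNK_EV ISA EVENT;\nEND\n' > "$classes_dir/$CLASS_FILE.baroc"
  fi
  # .load lists base names only (no .baroc extension), one per line; append at most once.
  touch "$classes_dir/.load"
  if ! grep -qx "$CLASS_FILE" "$classes_dir/.load"; then
    printf '%s\n' "$CLASS_FILE" >> "$classes_dir/.load"
  fi
}

# Returns 0 when the class file and the .load entry are in the shape mccomp expects.
verify_splunk_ev_class() {
  classes_dir="$1"
  grep -q 'SPLUNK_EV ISA EVENT;' "$classes_dir/$CLASS_FILE.baroc" 2>/dev/null || {
    echo "missing SPLUNK_EV definition in $classes_dir/$CLASS_FILE.baroc" >&2; return 1; }
  grep -qx "$CLASS_FILE" "$classes_dir/.load" 2>/dev/null || {
    echo "$CLASS_FILE is not listed in $classes_dir/.load" >&2; return 1; }
  # The mistake the procedure calls out: the .load entry must not carry the extension.
  if grep -qx "$CLASS_FILE.baroc" "$classes_dir/.load"; then
    echo ".load contains '$CLASS_FILE.baroc'; drop the extension" >&2; return 1
  fi
  return 0
}

# Compile the cell KB once the checks pass (mccomp exists only on the TSIM server).
compile_cell_kb() {
  cell_name="$1"
  mccomp -n "$cell_name"
}

# Usage on the TSIM server, for example:
#   add_splunk_ev_class "$MCELL_HOME/etc/<TSIM_cell>/kb/classes"
#   verify_splunk_ev_class "$MCELL_HOME/etc/<TSIM_cell>/kb/classes" && compile_cell_kb <cell_name>
```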
On the Splunk Enterprise server
- Log on to https://splunkbase.splunk.com/ and download the TA-truesight.tar.gz file.
- Log on to the Splunk Enterprise server web UI with administrative privileges.
- Click Manage Apps beside Apps.
- Click Install app from file.
- Select the downloaded TA-truesight.tar.gz file and click Upload. Ensure that you see the success message.
- Create an alert:
  - Click Search & Reporting.
  - Add the query to fetch data. For example, index="_audit" action="login attempt" "info=failed".
  - Click .
  - Click Save As > Alert.
  - On the Save as Alert page, enter an alert name and set Alert type to Real-time.
  - In the Trigger Action section, click Add Action and select BMC TrueSight Event Integration.
  - Save the alert.

When an alert is triggered, an event of the SPLUNK_EV class is generated in TrueSight Operations Management. If you do not find such events, check the /tmp/bmc.out file on the Splunk Enterprise server, where more details are available. For any other issues, contact BMC Support.