Integrating with Splunk

When you integrate TrueSight Operations Management with Splunk, you can generate events in TrueSight whenever an alarm action is triggered in Splunk.

This integration is tested with Splunk 8.1.1 and later.

On the TrueSight Infrastructure Management server 

  1. Create the SPLUNK_EV class.
    1. Go to $MCELL_HOME/etc/<TSIM_cell>/kb/classes.

    2. Create a .baroc file.
      For example, splunk.baroc.

    3. Add the following lines to the file.
      MC_EV_CLASS:
      SPLUNK_EV ISA EVENT
      END

    4. Save the file.

    5. Open the .load file present in the classes folder.

    6. Add the name of the .baroc file to the .load file.
      Do not enter the file extension.

    7. Compile the cell kb by running the following command from the command prompt:
      mccomp -n <cell_name>

On the Splunk enterprise server

  1. Log on to https://splunkbase.splunk.com/ and download the TA-truesight.tar.gz file.
  2. Log on to the Splunk enterprise server web UI with administrative privileges.
  3. Click Manage Apps beside Apps.
  4. Click Install app from file.

  5. Select the downloaded TA-truesight.tar.gz file and click Upload.
    Ensure that you see the success message. 
  6. Create an alert:
    1. Click Search & Reporting.
    2. Add the query to fetch data.
      For example, index="_audit" action="login attempt" "info=failed"

    3. Click .
    4. Click Save As > Alert.

    5. On the Save as Alert page, enter an alert name and set Alert type to Real-time.
    6. In the Trigger Action section, click Add Action and select BMC TrueSight Event Integration



    7. Save the alert.
      When an alert is triggered, an event of the SPLUNK_EV class will be generated in TrueSight Operations Management. 

      If you do not find such events, check the /tmp/bmc.out file on the Splunk Enterprise Server where more details are available. For any other issues, contact BMC Support.


Was this page helpful? Yes No Submitting... Thank you

Comments