Integrating with Splunk
When you integrate TrueSight Operations Management with Splunk, you can generate events in TrueSight whenever an alarm action is triggered in Splunk.
This integration is tested with Splunk 8.1.1 and later.
On the TrueSight Infrastructure Management server
- Create the .baroc file and add the following lines to it:
SPLUNK_EV ISA EVENT
- Save the file.
- Add the name of the .baroc file to the .load file present in the classes folder. Do not enter the file extension.
- Compile the cell kb by running the following command from the command prompt:
mccomp -n <cell_name>
On the Splunk enterprise server
- Log on to https://splunkbase.splunk.com/ and download the TA-truesight app.
- Log on to the Splunk enterprise server web UI with administrative privileges.
- Click Manage Apps beside Apps.
- Click Install app from file.
- Select the downloaded TA-truesight.tar.gz file and click Upload.
Ensure that you see the success message.
- Create an alert:
- Click Search & Reporting.
- Add the query to fetch data:
index="_audit" action="login attempt" "info=failed"
- Click .
- Click Save As > Alert.
- On the Save as Alert page, enter an alert name and set Alert type to Real-time.
- In the Trigger Action section, click Add Action and select BMC TrueSight Event Integration.
- Save the alert.
When an alert is triggered, an event of the SPLUNK_EV class will be generated in TrueSight Operations Management.
If you do not find such events, check the /tmp/bmc.out file on the Splunk Enterprise Server, where more details are available. For any other issues, contact BMC Support.
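As an added illustration, not code from this page or from the TA-truesight app, the following Python model runs the page's search condition (action="login attempt" with info=failed) over constructed _audit-style lines and shapes each match like the SPLUNK_EV event the alert action raises. The _audit field layout and the msg/severity slot names are assumptions.

```python
import re

# Constructed sample lines shaped like Splunk's _audit index entries (not real captures;
# a live deployment may carry more fields or order them differently).
SAMPLE_AUDIT_LINES = [
    'Audit:[timestamp=01-15-2021 09:12:03.101, user=admin, action=login attempt, '
    'info=failed, reason=user-initiated, useragent="Mozilla/5.0", clientip=10.0.0.5]',
    'Audit:[timestamp=01-15-2021 09:12:40.220, user=admin, action=login attempt, '
    'info=succeeded, reason=user-initiated, useragent="Mozilla/5.0", clientip=10.0.0.5]',
    'Audit:[timestamp=01-15-2021 09:13:01.009, user=svc_backup, action=search, '
    'info=granted, search_id=1]',
    'Audit:[timestamp=01-15-2021 09:13:15.555, user=guest, action=login attempt, '
    'info=failed, reason=user-initiated, clientip=10.0.0.9]',
]

# key=value pairs; a value is either double-quoted or runs up to the next comma or ']'.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]*)')


def parse_audit(line):
    """Turn one _audit line into a dict of fields, stripping quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def matches_alert(fields):
    """Field-level equivalent of the page's search:
    index="_audit" action="login attempt" "info=failed".
    Splunk treats the quoted "info=failed" as a literal phrase in the raw event text;
    for lines in this layout that is the same as the info field equalling 'failed'."""
    return fields.get("action") == "login attempt" and fields.get("info") == "failed"


def to_truesight_event(fields):
    """Shape a match like the event the alert action raises in TrueSight.
    Only the class name comes from the page; the msg/severity slot names are an
    assumption modelled on the base EVENT class and may differ from the real app."""
    user = fields.get("user", "unknown")
    client = fields.get("clientip", "unknown")
    return {
        "class": "SPLUNK_EV",
        "severity": "MINOR",
        "msg": f"Splunk login attempt failed for user {user} from {client}",
    }


def events_for(lines):
    """Run the alert logic over raw lines and return the events it would generate."""
    return [to_truesight_event(f) for f in map(parse_audit, lines) if matches_alert(f)]
```

Comparing the count this returns for a batch of real _audit lines with the SPLUNK_EV events seen in TrueSight is a quick way to tell whether a missing event is a search-condition problem or an integration problem worth checking in /tmp/bmc.out.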