Integrating with Splunk Enterprise

Use the BMC Helix Intelligent Integrations Splunk Enterprise connector to collect events and metrics data from Splunk Enterprise, and view the collected data in the following BMC Helix applications to derive actionable insights:  

  • BMC Helix Operations Management (Events and metrics) 
  • BMC Helix AIOps (Situations)


As a tenant administrator, perform the following steps to configure a connection with Splunk, verify the connection, and view the collected event and metric data in the BMC Helix applications.

Watch the following video (10:25) to learn how to collect events and metrics data from Splunk Enterprise and view the collected data in BMC Helix Operations Management.

https://youtu.be/ixjY99sayfY

Supported versions

This connector supports the following versions of Splunk Enterprise for data collection:

  • 7.x
  • 8.x

Before you begin

Before you configure a connection with Splunk, ensure that the following prerequisites are met.

Splunk Enterprise prerequisites

  • This connector collects data from Splunk reports. A Splunk report contains events and metrics information. Ensure that the Splunk user account that you plan to use when configuring the Splunk connector has access to the required Splunk report.
  • Ensure that the Splunk report from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk documentation.

    For example, the following figure shows the Splunk_II_Events report, which is part of the Search app. This report contains events from a third-party product. 

     

  • To display meaningful data in BMC Helix Operations Management from a Splunk report containing events from a third-party product, the report should meet the following criteria:

    • The report must have fields that contain the following type of information:

      • Event ID: An identifier that can be concatenated with other fields in the report to get a unique identifier. For example, you can concatenate this identifier with issue, and differentiate events that differ only by status.
      • Title: Indicates the event's title snippet. For example, High CPU alert.
      • Severity: Indicates the event severity.

        Important

        If severity is represented by numeric values in Splunk (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Ok
        • Critical
        • Minor
        • Major
        • Warning
        • Unknown

        For information about conversion, see Comparison and Conditional functions in the Splunk documentation.


      • Status: Indicates the event status.

        Important

        If status is represented by numeric values in Splunk (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Created
        • Closed

        For information about conversion, see Comparison and Conditional functions in the Splunk documentation.

      • Host (default field): Indicates the host where the issue was observed.
    • In addition, the report can have other fields that contain the following types of information:
      • Category (optional): Indicates the event category.
      • Subcategory (optional): Indicates the event subcategory.
      • Origin URI (optional): Indicates the origin of the event.
    • For example, the following sample report (Splunk_II_Events) contains the following fields: EventId, Severity, Summary, and Type.

      Important

      • This is only a sample report. You can have as many fields as required in your report and name these fields as per your requirements. 
      • The field labels in a report might not indicate the type of information they contain. For example, in the sample report, the Type field contains the status information and the Summary field contains the title information. 

       


    • The Splunk fields from which you want to collect data and map to BMC Helix Intelligent Integrations while configuring the connector must appear under Selected Fields. For example, if you want to map EventId, Severity, or Type fields, these fields must appear under Selected Fields.

        
      For more information, see Selected fields in the Splunk documentation.

  • To display meaningful data in BMC Helix Operations Management from a Splunk report containing metrics from a third-party product, the report must meet the following criteria:
    • The report must contain the following types of information:
      • timestamp
      • metrics
        For example, the following sample report (Messages by minute last 3 hours) contains the following columns: _time, /opt/splunk/var/log/introspection/resource_usage.log, and so on.

        Important

        This is only a sample report. You can have as many metric columns as required in your report and name these columns as per your requirements.

         

    • The report fields containing metrics must have numeric datatype.
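The following Python script is an added example, not part of the BMC documentation or of the connector, that checks a report's rows against the event and metric criteria listed above before you map the fields in the connector. The sample rows, the host field, the constant and function names, and the numeric-to-string conversion tables are constructed for illustration; the field names EventId, Severity, Summary and Type follow the page's sample report. The conversion tables in particular are an assumption: the page only requires that numeric codes be converted to the listed strings, and which code means what is decided in your own report (for example with eval and case).

```python
"""Added example (not BMC code): check a Splunk report's rows against the
connector's event and metric prerequisites before mapping fields in
BMC Helix Intelligent Integrations. Rows, field names and conversion tables
below are constructed for illustration."""

# Values the connector accepts for the Severity and Status fields (from the page).
ALLOWED_SEVERITIES = {"Ok", "Critical", "Minor", "Major", "Warning", "Unknown"}
ALLOWED_STATUSES = {"Created", "Closed"}

# Assumed numeric-to-string conversions; the page does not define which code
# means what, so adjust these to match your report's search (eval/case).
SEVERITY_BY_CODE = {0: "Ok", 1: "Critical", 2: "Major", 3: "Minor", 4: "Warning"}
STATUS_BY_CODE = {1: "Created", 2: "Closed"}

# Which report field plays which role; names follow the page's sample report,
# where Type holds the status and Summary holds the title.
EVENT_FIELD_MAP = {"event_id": "EventId", "severity": "Severity",
                   "status": "Type", "title": "Summary", "host": "host"}

LOG_COLUMN = "/opt/splunk/var/log/introspection/resource_usage.log"

# Constructed sample rows, shaped like the rows a saved report returns.
EVENT_ROWS = [
    {"EventId": "1001", "host": "web01", "Severity": "Critical", "Summary": "High CPU alert", "Type": "Created"},
    {"EventId": "1001", "host": "web01", "Severity": "Critical", "Summary": "High CPU alert", "Type": "Closed"},
    {"EventId": "1002", "host": "db01", "Severity": 2, "Summary": "Disk latency", "Type": 1},
    {"EventId": "1003", "host": "db02", "Severity": "Fatal", "Summary": "Replication lag", "Type": "In Progress"},
]
METRIC_ROWS = [
    {"_time": "2024-01-01T00:00:00", LOG_COLUMN: 12.5},
    {"_time": "2024-01-01T00:01:00", LOG_COLUMN: "13"},
    {"_time": "2024-01-01T00:02:00", LOG_COLUMN: "n/a"},
]


def normalize_value(value, code_table):
    """Return the string form of a severity/status value, converting numeric codes.
    Unknown codes return None so the caller can flag them."""
    if value is None:
        return None
    text = str(value).strip()
    if text.lstrip("-").isdigit():
        return code_table.get(int(text))
    return text


def unique_event_key(row, field_names):
    """Concatenate several fields into one identifier, so that two events that
    differ only by status (or host) are not collapsed into one."""
    return "|".join(str(row.get(name, "")) for name in field_names)


def validate_event_report(rows, field_map=EVENT_FIELD_MAP):
    """Return a list of problems; an empty list means the rows meet the event criteria."""
    problems = []
    for i, row in enumerate(rows):
        for role, name in field_map.items():
            if name not in row:
                problems.append(f"row {i}: missing field {name!r} ({role})")
        severity = normalize_value(row.get(field_map["severity"]), SEVERITY_BY_CODE)
        if severity not in ALLOWED_SEVERITIES:
            problems.append(f"row {i}: severity {row.get(field_map['severity'])!r} "
                            f"not in {sorted(ALLOWED_SEVERITIES)}")
        status = normalize_value(row.get(field_map["status"]), STATUS_BY_CODE)
        if status not in ALLOWED_STATUSES:
            problems.append(f"row {i}: status {row.get(field_map['status'])!r} "
                            f"not in {sorted(ALLOWED_STATUSES)}")
    return problems


def is_numeric(value):
    """True for ints, floats and strings that parse as numbers (bool excluded)."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True
    try:
        float(str(value).strip())
        return True
    except ValueError:
        return False


def validate_metric_report(rows, metric_fields, time_field="_time"):
    """Return problems for rows lacking a timestamp or holding non-numeric metrics."""
    problems = []
    for i, row in enumerate(rows):
        if time_field not in row:
            problems.append(f"row {i}: missing {time_field}")
        for name in metric_fields:
            if not is_numeric(row.get(name)):
                problems.append(f"row {i}: {name!r} value {row.get(name)!r} is not numeric")
    return problems


if __name__ == "__main__":
    for p in validate_event_report(EVENT_ROWS) + validate_metric_report(METRIC_ROWS, [LOG_COLUMN]):
        print(p)
    print(unique_event_key(EVENT_ROWS[0], ["EventId", "host", "Type"]))
```

Run against the constructed rows, the event check reports only the last row (an unsupported severity and an unsupported status), the metric check reports only the "n/a" cell, and the two rows that share EventId 1001 get distinct keys once the status field is concatenated in.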

BMC Helix Intelligent Integrations prerequisites

Depending on the type of Splunk deployment, do one of the following:

  • If Splunk is deployed in your SaaS environment:
    1. Obtain the egress IP of your tenant. Request the egress IP from BMC Software if you don't already have it.
    2. To allow communication from the egress IP (Splunk connector) to the Splunk host, open the port on which the Splunk host is listening.
  • If Splunk is deployed in your on-premises environment: Deploy the BMC Helix Intelligent Integrations Gateway. For instructions, see Deploying the BMC Helix Intelligent Integrations Gateway.

To configure a connection with Splunk Enterprise

  1. Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.

  2. On the CONNECTORS tab, click in the SOURCES panel.
  3. Click the Splunk tile.
  4. Specify the following details for the source connection:
    1. Specify the Splunk host name.
    2. Specify the Splunk HTTP or HTTPS port number depending on the connection protocol. The default port number is 8089.
    3. Select the HTTPS option to use an HTTPS connection to the Splunk host.
    4. Enter the user name and password for the Splunk host.
  5. Click VALIDATE AND CREATE.
    The specified connection details are validated and the corresponding source connection is created in the Source Connection list.
  6. Select the source connection that you created from the Source Connection list if it is not selected already.

    Important

    The destination host connection is created and configured automatically for each tenant when the source connection is created.


  7. Clear the option for the data type for which you don't want to collect data. By default, all the options are selected.

  8. Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:

    Note: Each parameter name is followed by the data types to which it applies (Splunk Events, Splunk Metrics, or both).

    Collection Schedule
    Applies to: Splunk Events

    Specify the data collection frequency (in minutes).

    Default: 5 minutes

    Example:

    Collection Schedule is set to 5 mins.
    Current time is 00:30.

    If you run the collector just after 00:30, data is collected every 5 mins, first at 00:30 and next at 00:35, and so on.

    For more information about how this parameter affects data collection, see Data collection schedule.

    Data Collection Window
    Applies to: Splunk Events, Splunk Metrics

    Specify the historical time period (in minutes) from the current time for which the data should be collected from Splunk.

    Default: 5 minutes

    Example:

    Collection Schedule is set to 5 mins.
    Data Collection Window is set to 5 mins.
    Current time is 00:30.

    If you run the collector just after 00:30, data is collected first at 00:30 for the interval 00:25 - 00:30, and next at 00:35 for the interval 00:30 - 00:35, and so on.

    For more information about how this parameter affects data collection, see Data collection window.

    Data Latency
    Applies to: Splunk Events, Splunk Metrics

    Specify the time (in minutes) by which the data time window should be shifted back on the timeline.
    This parameter is useful when data becomes available with a delay.

    Default: 0 minutes

    Example:

    Collection Schedule is set to 5 mins.
    Data Collection Window is set to 10 mins.
    Data Latency is set to 2 mins.
    Current time is 00:30.

    If you run the collector just after 00:30, data is collected first at 00:30 for the interval 00:18 to 00:28, and next at 00:35 for the interval 00:23 to 00:33, and so on.

    For more information about how this parameter affects data collection, see Data latency.

    Saved Search Name
    Applies to: Splunk Events, Splunk Metrics

    Select the name with which you have saved the report in Splunk.

    This list of reports is updated automatically from Splunk.

    Splunk Fields to exclude
    Applies to: Splunk Events

    Shows the list of fields for which data will not be collected.

    Severity Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Severity field in BMC Helix Intelligent Integrations.

    Important:

    • The Severity Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Severity field might not be named Severity in your report. If the name differs, select a field that contains the severity values.
    • Ensure that the report field that you want to map to the Severity field has one of the following severity values:
      • Ok
      • Critical
      • Minor
      • Major
      • Warning
      • Unknown

    Status Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Status field in BMC Helix Intelligent Integrations.

    Important:

    • The Status Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Status field might not be named Status in your report. If the name differs, select a field that contains the status values. For example, in the sample report, this field is named Type, so you select Type from this list.
    • Ensure that the report field that you want to map to the Status field has one of the following status values:
      • Created
      • Closed

    Event ID Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Event ID field in BMC Helix Intelligent Integrations.

    Important:

    • The Event ID Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Event ID field might not be named Event ID in your report. If the name differs, select a field that contains the event ID values.

    Title Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Title field in BMC Helix Intelligent Integrations.

    Important:

    • The Title Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Title field might not be named Title in your report. If the name differs, select a field that contains the title value. For example, in the sample report, this field is named Summary, so you select Summary from this list.

    Description Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Description field in BMC Helix Intelligent Integrations.

    Important:

    • The Description Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Description field might not be named Description in your Splunk report. If the name differs, select a field that contains the description value.

    Category Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Category field in BMC Helix Intelligent Integrations.

    Important:

    • The Category Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Category field might not be named Category in the Splunk report. If the name differs, select a field that has the category value.

    Subcategory Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Subcategory field in BMC Helix Intelligent Integrations.

    Important:

    • The Subcategory Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Subcategory field might not be named Subcategory in your report. If the name differs, select a field that has the subcategory value.

    Origin URI Field Name
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Origin URI field in BMC Helix Intelligent Integrations.

    Important:

    • The Origin URI Field Name list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Origin URI field might not be named Origin URI in your report. If the name differs, select a field that has the origin URI value.

    Configuration ID
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Configuration ID field in BMC Helix Intelligent Integrations.

    Important:

    • The Configuration ID list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Configuration ID field might not be named Configuration ID in your report. If the name differs, select a field that has the configuration ID value.

    Configuration Item Type
    Applies to: Splunk Events

    Select a field available in the Splunk report from which you want to collect data and map to the Configuration Item Type field in BMC Helix Intelligent Integrations.

    Important:

    • The Configuration Item Type list shows only those fields that are present in the Selected Fields list of the report.
    • The report field that you want to map to the Configuration Item Type field might not be named Configuration Item Type in your report. If the name differs, select a field that has the configuration item type value.

    Maximum results per page (Advanced parameter)
    Applies to: Splunk Events

    Specify the maximum number of results that should be displayed per page.

    Default: 10000

    Results Timeout (Advanced parameter)
    Applies to: Splunk Events

    Specify the time, in minutes, after which no result should be displayed.

    Default: 1 minute

    Field Name
    Applies to: Splunk Metrics

    Select a field available in the Splunk report containing metrics that you want to collect.

    For example, you can select /opt/splunk/var/log/introspection/resource_usage.log if you want to collect metrics data from this column in the sample report.

    Click the Add Field icon to add more fields for metrics collection.

    Important:

    The report fields containing metrics must have numeric datatype.

    Metric Name
    Applies to: none (reserved)

    This field is reserved for future use. Do not enter any value in this field.

  9. Click CREATE COLLECTORS to create the required collector streams for the selected data types.

  10. Configure the distributors for the selected data types by clicking the respective data type in the Distributors section. Specify the parameters for the selected data type, as explained in the following table:

    Parameter name and description

    Max Batching Size

    Specify the maximum number of data items to send in a single POST request to the destination API.
    The batch size depends on the destination's ability to buffer the incoming data.

    Default: 250

    Max Batching Delay

    Specify the maximum time (in seconds) to wait before building a batch and processing.

    Default: 3 seconds 

    Base Retry Delay

    Specify the initial time (in seconds) for which to wait before retrying to build a batch and processing.
    The waiting time increases in the following sequence: n^1, n^2, n^3, and so on, where n indicates the number of seconds.

    Default: 2 seconds

    Example:

    Base Retry Delay is set to 2 seconds.

    Retry is performed after 2, 4, 8, 16, ... seconds.

    Max Intra-Retry Delay

    Specify the maximum limit for the base retry delay. 

    Default: 60 seconds

    Example:

    Max Intra-Retry Delay is set to 60 seconds.
    Base Retry Delay is set to 2 seconds.

    Retries are performed after 2, 4, 8, 16, 32, 64, 64, ... seconds, that is, the delay stops growing once it reaches the maximum.

    Max Retry Duration

    Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. 

    Default: 5 minutes

    Example:

    Max Retry Duration is set to 8 hours.
    Base Retry Delay is set to 2 seconds.

    Requests are sent after 2+4+8+16+32+64+128... seconds until the total duration reaches 8 hours. After that, no further attempts are made to retry the delivery.

    The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to complete.


  11. Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
  12. Click one of the following buttons:
    • SAVE STREAM: Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
    • SAVE AND START STREAM: Click this button if you want to save the integration details and start receiving data immediately.

          For more information about the data streams, see Starting or stopping data streams.
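The following Python script is an added example, not part of the BMC documentation or of the connector, that reproduces the timing arithmetic described in the collector and distributor tables above: how Collection Schedule, Data Collection Window and Data Latency determine each collection interval, and how Base Retry Delay, Max Intra-Retry Delay and Max Retry Duration determine the retry schedule for one delivery. The function names are assumptions, as is the rule that each delay is strictly clamped at Max Intra-Retry Delay (the page's own example lists 64 seconds after a 60-second maximum); the 00:30 "current time" is a constructed value taken from the page's examples.

```python
"""Added example (not BMC code): timing arithmetic for the Splunk connector's
collector and distributor parameters. Function names and the strict clamping
of each retry delay at Max Intra-Retry Delay are assumptions."""
from datetime import datetime, timedelta


def collection_intervals(current_time, schedule_min, window_min, latency_min=0, runs=2):
    """Return the first `runs` collector runs as (run_at, interval_start, interval_end).

    Each run collects the Data Collection Window that ends at the run time,
    shifted back by Data Latency; runs repeat every Collection Schedule minutes.
    """
    result = []
    for k in range(runs):
        run_at = current_time + timedelta(minutes=k * schedule_min)
        interval_end = run_at - timedelta(minutes=latency_min)
        interval_start = interval_end - timedelta(minutes=window_min)
        result.append((run_at, interval_start, interval_end))
    return result


def describe_intervals(current_time, schedule_min, window_min, latency_min=0, runs=2):
    """Readable form of collection_intervals, e.g. '00:30 collects 00:25-00:30'."""
    def clock(t):
        return t.strftime("%H:%M")
    return [f"{clock(run)} collects {clock(start)}-{clock(end)}"
            for run, start, end in collection_intervals(current_time, schedule_min,
                                                         window_min, latency_min, runs)]


def retry_delays(base_delay, max_intra_retry_delay, max_retry_duration):
    """Seconds to wait before each retry of one delivery (one batch POST).

    Delays grow as base^1, base^2, base^3, ... and are clamped at
    max_intra_retry_delay (assumed as a strict cap). Retrying stops once the
    cumulative wait would exceed max_retry_duration seconds.
    """
    if base_delay < 1 or max_intra_retry_delay <= 0 or max_retry_duration <= 0:
        raise ValueError("delays and duration must be positive")
    delays, elapsed, exponent = [], 0, 1
    while True:
        raw = base_delay ** exponent
        delay = min(raw, max_intra_retry_delay)
        if elapsed + delay > max_retry_duration:
            return delays
        delays.append(delay)
        elapsed += delay
        if raw < max_intra_retry_delay:   # stop growing once the cap is reached
            exponent += 1


def retry_offsets(base_delay, max_intra_retry_delay, max_retry_duration):
    """Cumulative seconds after the first failure at which each retry is sent."""
    offsets, total = [], 0
    for delay in retry_delays(base_delay, max_intra_retry_delay, max_retry_duration):
        total += delay
        offsets.append(total)
    return offsets


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 0, 30)  # constructed: "current time is 00:30"
    print("schedule 5 / window 5:", describe_intervals(now, 5, 5))
    print("schedule 5 / window 10 / latency 2:", describe_intervals(now, 5, 10, 2))
    print("retries, base 2 s, cap 60 s, 5 min:", retry_delays(2, 60, 5 * 60))
    print("retry offsets (s):", retry_offsets(2, 60, 5 * 60))
```

With the page's example values, the first call reproduces the 00:25 - 00:30 and 00:30 - 00:35 intervals and the second the 00:18 - 00:28 and 00:23 - 00:33 intervals. With the defaults (base 2 s, maximum 60 s, duration 5 min) a failed batch is retried eight times, the last one about four minutes after the first failure; raise Max Retry Duration if the destination's expected recovery time is longer than that.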


To verify the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.

  • A moving blue arrow indicates that event data is being streamed.
  • A moving red arrow indicates that metric data is being streamed.

To view data in BMC Helix applications

View data collected from Splunk in multiple BMC Helix applications.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event deduplication and suppression for reducing event noise.

For more information about events, see Monitoring and managing events.

To view metrics in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Devices.
  2. Click the links for the required device.
  3. On the Monitors tab, click the required monitor.
    The Performance Overview tab shows the metrics graph. 



For information about metrics, see Viewing collected data.

To view Situations in BMC Helix AIOps

Before you begin

  1. Ensure that CIs are present in BMC Helix Discovery or BMC Helix AIOps for the events that are being collected from the Splunk report.
  2. Create a Business Service model in one of the following applications:
    • BMC Helix Discovery. For more information, see Creating a model.
    • BMC Helix AIOps. For more information, see Modeling services.
  3. Ensure that you have performed one of the following tasks:
    • To view ML-based situations, the AIOps Situations feature is enabled in BMC Helix AIOps. For more information, see Enabling the AIOps features.
    • To view policy-based situations, the correlation policy is created in BMC Helix Operations Management. For more information, see Creating and enabling event policies.

To view Situations

  1. In BMC Helix AIOps , go to the Situations page.
    This page shows the Situations created from the events that are ingested into BMC Helix Operations Management.
  2. Click the required Situation to view the messages contained in the Situation and other details such as priority and severity of the message. 
    The following figure shows a sample Situation created from three events:

For information about Situations, see Monitoring situations.

Mapping between Splunk and BMC Helix Operations Management

The following table shows the mapping between Splunk and BMC Helix Operations Management:

Each entry lists the Splunk value followed by the corresponding BMC Helix Operations Management value.

Event attribute: Status

  • Created: Open
  • Closed: Closed
  • In Progress: Open
  • Confirmed: Open
  • Any other status: Open

Event attribute: Severity

  • Ok: Ok
  • Critical: Critical
  • Minor: Minor
  • Major: Major
  • Warning: Warning
  • Unknown: Unknown

Event attribute: Title

  • Title: Message