Integrating with Splunk Enterprise
As a tenant administrator, perform the following steps to configure a connection with Splunk, verify the connection, and view the collected event and metric data in various BMC Helix applications.
Watch the following video (10:25) to learn how to collect events and metrics data from Splunk Enterprise and view the collected data in BMC Helix Operations Management.
Supported versions
This connector supports the following versions of Splunk Enterprise for data collection:
- 7.x
- 8.x
Before you begin
Before you configure a connection with Splunk, ensure that the following prerequisites are met.
Splunk Enterprise prerequisites
- This connector collects data from Splunk reports. A Splunk report contains events and metrics information. Ensure that the Splunk user account that you plan to use when configuring the Splunk connector has access to the required Splunk report.
Ensure that the Splunk report from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk documentation. For example, the following figure shows the Splunk_II_Events report, which is part of the Search app. This report contains events from a third-party product.
- To display meaningful data in BMC Helix Operations Management from a Splunk report containing events from a third-party product, the report should meet the following criteria:
- The report must have fields that contain the following type of information:
- Event ID: An identifier that can be concatenated with other fields in the report to get a unique identifier. For example, you can concatenate this identifier with the issue, and differentiate events that differ only by status.
- Title: Indicates the event's title snippet, for example, High CPU alert.
- Severity: Indicates the event severity.
- Status: Indicates the event status.
- Host (default field): Indicates the host where the issue was observed.
- In addition, the report can have other fields containing the following type of information:
- Category (optional): Indicates the event category.
- Subcategory (optional): Indicates the event subcategory.
- Origin URI (optional): Indicates the origin of the event.
For example, the following sample report (Splunk_II_Events) contains the following fields: EventId, Severity, Summary, and Type.
The Splunk fields from which you want to collect data and map to BMC Helix Intelligent Integrations while configuring the connector must appear under Selected Fields. For example, if you want to map EventId, Severity, or Type fields, these fields must appear under Selected Fields.
For more information, see Selected fields in the Splunk documentation.
- To display meaningful data in BMC Helix Operations Management from a Splunk report containing metrics from a third-party product, the report must meet the following criteria:
- The report should contain the following type of information:
- timestamp
- metrics
For example, the following sample report (Messages by minute last 3 hours) contains the following columns: _time, /opt/splunk/var/log/introspection/resource usage.log, and so on.
- The report fields containing metrics must have a numeric datatype.
BMC Helix Intelligent Integrations prerequisites
Depending on the type of Splunk deployment, do one of the following:
- If Splunk is deployed in your SaaS environment:
- Obtain the egress IP of your tenant. Request the egress IP from BMC Software if you don't already have it.
- To allow communication from the egress IP (Splunk connector) to the Splunk host, open the port on which the Splunk host is listening.
- If Splunk is deployed in your on-premises environment: Deploy the BMC Helix Intelligent Integrations Gateway. For instructions, see Deploying-the-BMC-Helix-Intelligent-Integrations-Gateway.
To configure a connection with Splunk Enterprise
- Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.
- On the CONNECTORS tab, click the add icon in the SOURCES panel, and then click the Splunk tile.
- Specify the following details for the source connection:
- Specify the Splunk host name.
- Specify the Splunk HTTP or HTTPS port number depending on the connection protocol. The default port number is 8089.
- Select the HTTPS option to use an https connection to the Splunk host.
- Enter the user name and password for the Splunk host.
- Click VALIDATE AND CREATE.
The specified connection details are validated and the corresponding source connection is created in the Source Connection list. Select the source connection that you created from the Source Connection list if it is not selected already.
- Clear the option for the data type for which you don't want to collect data. By default, all the options are selected.
- Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:
Note: The ✅️ symbol indicates that this field is applicable to the data type and ❌️ indicates that this field is not applicable to the data type.
- Click CREATE COLLECTORS to create the required collector streams for the selected data types.
- Configure the distributors for the selected data types by clicking the respective data type in the Distributors section. Specify the parameters for the selected data type, as explained in the following table:
- Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
- Click one of the following buttons:
- SAVE STREAM : Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
- SAVE AND START STREAM : Click this button if you want to save the integration details and start receiving data immediately.
For more information about the data streams, see Starting-or-stopping-data-streams.
To verify the connection
From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.
- A moving blue arrow indicates that event data is being streamed.
- A moving red arrow indicates that metric data is being streamed.
To view data in BMC Helix applications
View data collected from Splunk in multiple BMC Helix applications.
To view events in BMC Helix Operations Management
- In BMC Helix Operations Management, select Monitoring > Events.
- Filter the events by the SplunkEvent class.
Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-and-suppression-for-reducing-event-noise.
For more information about events, see Monitoring and managing events.
To view metrics in BMC Helix Operations Management
- In BMC Helix Operations Management, select Monitoring > Devices.
- Click the links for the required device.
- On the Monitors tab, click the required monitor.
The Performance Overview tab shows the metrics graph.
For information about metrics, see Viewing collected data.
To view Situations in BMC Helix AIOps
Before you begin
- Ensure that CIs are present in BMC Helix Discovery or BMC Helix AIOps for the events that are being collected from the Splunk report.
- Create a Business Service model in one of the following applications:
- BMC Helix Discovery. For more information, see Creating a model.
- BMC Helix AIOps. For more information, see Modeling services.
- Ensure that you have performed one of the following tasks:
- To view ML-based situations, the AIOps Situations feature is enabled in BMC Helix AIOps. For more information, see Enabling the AIOps features.
- To view policy-based situations, the correlation policy is created in BMC Helix Operations Management. For more information, see Creating and enabling event policies.
To view Situations
- In BMC Helix AIOps, go to the Situations page.
This page shows the Situations created from the events that are ingested into BMC Helix Operations Management.
- Click the required Situation to view the messages contained in the Situation and other details such as the priority and severity of the message.
The following figure shows a sample Situation created from three events:
For information about Situations, see Monitoring situations.
Mapping between Splunk and BMC Helix Operations Management
The following table shows the mapping between Splunk and BMC Helix Operations Management:
Event attribute | Splunk | BMC Helix Operations Management
---|---|---
Status | Created | Open
 | Closed | Closed
 | In Progress | Open
 | Confirmed | Open
 | Any other status | Open
Severity | Ok | Ok
 | Critical | Critical
 | Minor | Minor
 | Major | Major
 | Warning | Warning
 | Unknown | Unknown
Title | Title | Message
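The following added example (not BMC's or Splunk's code) shows what the report prerequisites and the mapping table above amount to when applied to one row of a Splunk report: the status and severity translation with the "any other status" and Unknown fallbacks, a unique identifier built by concatenating Event ID with another field so that rows differing only by Status still resolve to one event, and the timestamp/numeric checks for a metrics row. It assumes the sample field names from this page (EventId, Summary as the title, Severity, Status, Type as the category, and the Splunk default host field); the sample rows are constructed.

```python
# Added example, not part of the BMC or Splunk product code. Field names follow the
# sample report on this page (EventId, Summary, Severity, Status, Type, host).
STATUS_MAP = {"created": "Open", "closed": "Closed", "in progress": "Open", "confirmed": "Open"}
SEVERITY_MAP = {"ok": "Ok", "critical": "Critical", "minor": "Minor",
                "major": "Major", "warning": "Warning", "unknown": "Unknown"}

def map_status(splunk_status):
    """Mapping table: listed statuses as given, any other status becomes Open."""
    return STATUS_MAP.get(str(splunk_status).strip().lower(), "Open")

def map_severity(splunk_severity):
    """Mapping table: listed severities as given, anything unrecognised is Unknown."""
    return SEVERITY_MAP.get(str(splunk_severity).strip().lower(), "Unknown")

def normalize_event(row, id_fields=("EventId", "host")):
    """Turn one report row (a dict of its Selected Fields) into the BMC Helix event
    attributes. The identifier concatenates Event ID with the fields in id_fields and
    deliberately leaves Status out, so a status change on the same issue is seen by
    deduplication as an update of the existing event rather than a new one."""
    required = ("EventId", "Summary", "Severity", "Status", "host")
    missing = [f for f in required if f not in row]
    if missing:
        raise ValueError(f"report row lacks required field(s): {missing}")
    return {
        "identifier": "|".join(str(row[f]) for f in id_fields),
        "msg": row["Summary"],                 # Splunk Title -> BMC Message
        "severity": map_severity(row["Severity"]),
        "status": map_status(row["Status"]),
        "host": row["host"],
        "category": row.get("Type"),           # optional field, passed through if present
    }

def validate_metric_row(row, time_field="_time"):
    """Return the problems that would stop a metrics row from being collected: the
    timestamp column must be present and every other column must hold a number."""
    problems = []
    if time_field not in row:
        problems.append(f"missing timestamp field {time_field}")
    for name, value in row.items():
        if name == time_field:
            continue
        try:
            float(value)
        except (TypeError, ValueError):
            problems.append(f"non-numeric metric {name}={value!r}")
    return problems

if __name__ == "__main__":
    # Constructed sample rows, shaped like the Splunk_II_Events report fields above.
    print(normalize_event({"EventId": "E-100", "Summary": "High CPU alert", "Severity": "Critical",
                           "Status": "Confirmed", "host": "web01", "Type": "Capacity"}))
    print(validate_metric_row({"_time": "2024-01-01T00:00:00", "cpu_pct": "12.5"}))
```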