Important

This documentation supports the releases of BMC Helix Intelligent Integrations and BMC Helix Developer Tools 22.2.00 and their patches. To view the documentation for earlier releases, see BMC Helix AIOps.

Integrating with Splunk Enterprise

Splunk provides the ability to search, analyze, and visualize data collected from IT infrastructure and business applications.

Configure an integration with Splunk to view the event and metric data from Splunk in the following products and derive actionable insights:

  • BMC Helix Operations Management
  • BMC Helix AIOps



As a tenant administrator, perform the following steps to integrate with Splunk, verify the integration, and view the collected event and metric data in various BMC products.

Before you begin

  1. Obtain the egress IP of your tenant. Request it from BMC Software if you don't already have it.
  2. Ensure that a firewall rule allows traffic from that egress IP to the Splunk host on the port on which Splunk listens for the integration (the default is 8089, the splunkd management port). Restrict the rule to the egress IP; the management port should not be reachable from arbitrary addresses.
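Before you create the source connection in the UI, it helps to prove from the egress side that both prerequisites actually hold: that the firewall rule lets you reach the port, and that the account you intend to use can log in and see saved searches. The following Python script is an added example, not BMC or Splunk code. It TCP-connects to the management port, then uses two Splunk REST endpoints (POST /services/auth/login to obtain a session key, and GET /services/saved/searches with that key) to list the reports visible to the account, which is the same list the Saved Search Name parameter later offers. The SPLUNK_* environment variable names, the SAMPLE_* response bodies and the session-key value are constructed for the example.

```python
"""Pre-flight check for the Splunk source connection.

Added example (not BMC or Splunk code). Run it from a host whose traffic
leaves through the tenant's egress IP, so that the TCP step exercises the
same firewall rule the integration will depend on.
"""
import json
import socket
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional


def port_reachable(host: str, port: int = 8089, timeout: float = 5.0) -> bool:
    """TCP-connect to the splunkd management port. A failure here points at
    the firewall rule (or a wrong host/port), not at the credentials."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_session_key(login_xml: str) -> str:
    """Session key from the XML body returned by POST /services/auth/login."""
    key = ET.fromstring(login_xml).findtext("sessionKey")
    if not key:
        raise ValueError("login response carries no sessionKey")
    return key


def parse_saved_search_names(listing_json: str) -> List[str]:
    """Report names from GET /services/saved/searches?output_mode=json."""
    return [entry["name"] for entry in json.loads(listing_json).get("entry", [])]


def check_connection(host: str, port: int, user: str, password: str,
                     https: bool = True, cafile: Optional[str] = None) -> List[str]:
    """Log in with the account the integration will use and return the saved
    searches that account can see. `cafile` is the CA that signed the Splunk
    management certificate; without it the default trust store is used, so a
    self-signed splunkd certificate fails verification instead of being
    silently accepted."""
    base = f"{'https' if https else 'http'}://{host}:{port}"
    ctx = ssl.create_default_context(cafile=cafile) if https else None
    body = urllib.parse.urlencode({"username": user, "password": password}).encode()
    login = urllib.request.Request(f"{base}/services/auth/login", data=body)  # POST
    with urllib.request.urlopen(login, timeout=10, context=ctx) as resp:
        session_key = parse_session_key(resp.read().decode())
    listing = urllib.request.Request(
        f"{base}/services/saved/searches?output_mode=json&count=0",
        headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(listing, timeout=10, context=ctx) as resp:
        return parse_saved_search_names(resp.read().decode())


# Constructed responses in the shape splunkd returns, for an offline check of the parsers.
SAMPLE_LOGIN_XML = "<response><sessionKey>constructed-session-key</sessionKey></response>"
SAMPLE_SAVED_SEARCHES_JSON = json.dumps({"entry": [
    {"name": "App errors by host"},
    {"name": "CPU utilization by host"},
]})


if __name__ == "__main__":
    import os
    import sys
    host = os.environ.get("SPLUNK_HOST")  # constructed variable names
    if not host:
        print("Set SPLUNK_HOST, SPLUNK_USER, SPLUNK_PASSWORD (and optionally "
              "SPLUNK_PORT, SPLUNK_CAFILE) to run the live check.")
        sys.exit(0)
    port = int(os.environ.get("SPLUNK_PORT", "8089"))
    if not port_reachable(host, port):
        sys.exit(f"{host}:{port} is not reachable from here: check the egress firewall rule")
    names = check_connection(host, port, os.environ["SPLUNK_USER"],
                             os.environ["SPLUNK_PASSWORD"],
                             cafile=os.environ.get("SPLUNK_CAFILE"))
    print(f"{len(names)} saved searches visible to this account:", *names, sep="\n  ")
```

If the login succeeds but the list is empty, the account is valid but cannot see any report; fix the Splunk role before configuring the collector, because the Saved Search Name list in the UI will be empty too.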

To integrate with Splunk Enterprise

  1. Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.

  2. On the CONNECTORS tab, click in the SOURCES panel.
  3. Click the Splunk tile.
  4. Specify the following details for the source connection:
    1. Specify the Splunk host name.
    2. Specify the port on which Splunk listens for HTTP or HTTPS connections, depending on the protocol you select in the next step. The default port number is 8089.
    3. Select the HTTPS option to connect to the Splunk host over HTTPS. Use HTTPS unless the Splunk host accepts only HTTP; otherwise the credentials entered in the next step cross the network in clear text.
    4. Enter the username and password. Use a dedicated Splunk account that can run the saved searches you intend to collect, and give it no more privileges than that.
  5. Click VALIDATE AND CREATE.
    The specified connection details are validated and the corresponding source connection is created in the Source Connection list.
  6. Select the source connection that you created from the Source Connection list if it is not selected already.

    Important

    The destination host connection is created and configured automatically for each tenant when the source connection is created.


  7. Clear the option for each data type for which you don't want to collect data. By default, all data types are selected.

  8. Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following list. Each parameter states whether it applies to the Splunk Events and Splunk Metrics data types:

    Collection Schedule
      Specify the data collection frequency in minutes.
      Splunk Events: Applicable. BMC recommendation: 5 minutes.
      Splunk Metrics: Applicable. BMC recommendation: 5 minutes.

    Data Collection Window
      Specify the historical period (in minutes), counted back from the current time, during which data should be collected from Splunk. Set the window to at least the Collection Schedule; a window shorter than the schedule leaves periods that are never collected.
      Splunk Events: Applicable. BMC recommendation: 5 minutes.
      Splunk Metrics: Applicable. BMC recommendation: 5 minutes.

    Data Latency
      Specify the time (in minutes) by which the data collection window is shifted back on the timeline, so that data that reaches Splunk late is still inside the window when it is collected.
      Splunk Events: Applicable
      Splunk Metrics: Applicable

    Saved Search Name
      Select All or a subset of reports. A report is a saved search whose results can show statistics and visualizations of events.
      This list of reports is updated automatically from Splunk.
      Splunk Events: Applicable
      Splunk Metrics: Applicable

    Important (applies to the field-name parameters that follow): A Splunk field that you want to map to a field in BMC Helix Intelligent Integrations appears in the list only when that field is present in the Splunk report and appears in the SELECTED FIELDS list in the Splunk UI. If the field you need is missing, add it to the selected fields of the report in Splunk first. The list of fields for each of these parameters is updated automatically from Splunk.

    Severity Field Name
      Select the report field that you want to map to the severity field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Status Field Name
      Select the report field that you want to map to the status field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Event ID Field Name
      Select the report field that you want to map to the eventId field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Title Field Name
      Select the report field that you want to map to the title field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Description Field Name
      Select the report field that you want to map to the description field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Category Field Name
      Select the report field that you want to map to the category field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Subcategory Field Name
      Select the report field that you want to map to the subCategory field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Origin URI Field Name
      Select the report field that you want to map to the originURI field.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Advanced

    Maximum results per page
      Specify the maximum number of results that a single page of search results can contain. The default value is 10000.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Results Timeout
      Specify how long (in minutes) to wait for search results before the request times out. The default value is 1 minute.
      Splunk Events: Applicable
      Splunk Metrics: Not applicable

    Field Name
      Select the report field that you want to map.
      Splunk Events: Not applicable
      Splunk Metrics: Applicable

    Metric Name
      Select the metric to which the field selected in Field Name is mapped.
      Splunk Events: Not applicable
      Splunk Metrics: Applicable

  9. Click CREATE COLLECTORS to create the required collector streams for the selected data types.

  10. Configure the distributors for the selected data types by clicking the respective data type in the Distributors section. Specify the parameters for the selected data type, as explained in the following list (the default value is given for each parameter):

    Max Batching Size
      Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination's ability to buffer the incoming data.
      Default: 250

    Max Batching Delay
      Specify the maximum time (in seconds) to wait for more data items before a batch is built and sent, even if Max Batching Size has not been reached.
      Default: 3 seconds

    Base Retry Delay
      Specify the initial time (in seconds) to wait before retrying a failed delivery. The wait time doubles after each failed retry: n, 2n, 4n, 8n, and so on, where n is the base retry delay in seconds.
      For example, if you set the value to 2 seconds, retries are performed after 2, 4, 8, 16, ... seconds.
      Default: 2 seconds

    Max Intra-Retry Delay
      Specify the upper limit (in seconds) for the wait time between two retries. For example, if you set this parameter to 60 seconds and Base Retry Delay to 2 seconds, retries are performed 2, 4, 8, 16, and 32 seconds apart and then every 60 seconds, because the doubled delay is capped at 60 seconds.
      Default: 60 seconds

    Max Retry Duration
      Specify the total time for which delivery is retried. For REST destinations, a delivery is a batch of data items in one POST request.
      For example, if you set this parameter to 8 hours and Base Retry Delay to 2 seconds, retries continue at intervals of 2, 4, 8, 16, 32, 64, 128, ... seconds (subject to the Max Intra-Retry Delay cap) until 8 hours have elapsed in total. After that, no further attempt is made to deliver that batch.
      The assumption is that if there is an outage or other issue with the destination tool, recovery takes less than the Max Retry Duration.
      Default: 5 minutes


  11. Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
  12. Click one of the following buttons:
    • SAVE STREAM: Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
    • SAVE AND START STREAM: Click this button if you want to save the integration details and start receiving the data immediately.

    For more information about the data streams, see Starting or stopping data streams.
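The three timing parameters in step 8 (Collection Schedule, Data Collection Window, Data Latency) interact, and the field-mapping caveat in the same step is easy to trip over. The following Python block is an added example, not BMC Helix Intelligent Integrations code; it takes the window semantics from the parameter descriptions above (a window of Data Collection Window minutes whose upper edge is Data Latency minutes before the run time, one run every Collection Schedule minutes) and shows what a too-short window loses and a too-long window duplicates, then checks a mapping against a report's SELECTED FIELDS the way the UI restriction implies. The start time, field names, mapping and sample result row are constructed.

```python
"""Worked arithmetic for the collector timing parameters, plus a check of the
field-mapping caveat. Added example, not BMC code; window semantics follow the
parameter descriptions on this page."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

Window = Tuple[datetime, datetime]

# Constructed start time for the worked example.
FIRST_RUN = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def collection_window(run_time: datetime, window_min: int, latency_min: int) -> Window:
    """(earliest, latest) queried by one run: `window_min` minutes ending
    `latency_min` minutes before the run time."""
    latest = run_time - timedelta(minutes=latency_min)
    return latest - timedelta(minutes=window_min), latest


def run_windows(schedule_min: int, window_min: int, latency_min: int,
                runs: int = 3, first_run: datetime = FIRST_RUN) -> List[Window]:
    """Windows of `runs` consecutive runs spaced `schedule_min` apart."""
    return [collection_window(first_run + timedelta(minutes=schedule_min * i),
                              window_min, latency_min)
            for i in range(runs)]


def uncovered_minutes(windows: List[Window]) -> int:
    """Minutes between consecutive windows that no run queries: that data is
    never collected (window shorter than schedule)."""
    return sum(max(0, int((earliest - prev_latest).total_seconds() // 60))
               for (_, prev_latest), (earliest, _) in zip(windows, windows[1:]))


def overlap_minutes(windows: List[Window]) -> int:
    """Minutes queried by two consecutive runs: those events arrive twice
    (window longer than schedule). Assumption: the destination can only tell
    the copies apart if the mapped Event ID field is stable per event."""
    return sum(max(0, int((prev_latest - earliest).total_seconds() // 60))
               for (_, prev_latest), (earliest, _) in zip(windows, windows[1:]))


# BMC event fields that the Splunk Events collector maps (names from this page).
BMC_EVENT_FIELDS = ("severity", "status", "eventId", "title", "description",
                    "category", "subCategory", "originURI")


def unmappable_fields(mapping: Dict[str, str], selected_fields: Set[str]) -> List[str]:
    """BMC fields whose Splunk field is not in the report's SELECTED FIELDS list;
    per this page such fields are not offered in the mapping drop-down."""
    unknown = [bmc for bmc in mapping if bmc not in BMC_EVENT_FIELDS]
    if unknown:
        raise ValueError(f"not a BMC event field: {unknown}")
    return [bmc for bmc, splunk in mapping.items() if splunk not in selected_fields]


def to_event(row: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, object]:
    """Apply a mapping to one search-result row; unmapped values become None."""
    return {bmc: row.get(splunk) for bmc, splunk in mapping.items()}


# Constructed report fields, mapping and result row.
SELECTED_FIELDS = {"_time", "host", "level", "message", "component"}
MAPPING = {"severity": "level", "title": "message", "category": "component",
           "eventId": "_cd"}          # _cd is not a selected field
SAMPLE_ROW = {"_time": "2024-01-01T11:57:30Z", "host": "web01", "level": "ERROR",
              "message": "TLS handshake failed", "component": "ingress"}


if __name__ == "__main__":
    for schedule, window in ((5, 5), (5, 3), (5, 10)):
        w = run_windows(schedule, window, latency_min=2)
        print(f"schedule={schedule} window={window}: "
              f"lost {uncovered_minutes(w)} min, duplicated {overlap_minutes(w)} min")
    print("fields the UI will not offer:", unmappable_fields(MAPPING, SELECTED_FIELDS))
    print(to_event(SAMPLE_ROW, MAPPING))
```

With the recommended 5-minute schedule and 5-minute window the windows tile the timeline exactly; a 3-minute window loses 2 minutes per run, and a 10-minute window re-collects 5 minutes per run.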
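The distributor retry parameters in step 10 are easier to size when you can see the resulting timeline. The following Python block is an added example, not BMC code; it implements the behaviour the parameter descriptions state (delay doubling from Base Retry Delay, capped at Max Intra-Retry Delay, retries stopping once Max Retry Duration is used up) and reports how long the destination may be down before a batch is abandoned. Only the three parameter values from the page are used as input.

```python
"""Retry timeline for a REST distributor, following the Base Retry Delay /
Max Intra-Retry Delay / Max Retry Duration semantics described on this page.
Added example, not BMC code."""
from typing import List


def retry_delays(base_s: int, max_intra_s: int, max_duration_s: int) -> List[int]:
    """Seconds waited before each successive retry: doubling from base_s,
    capped at max_intra_s, and stopping when the cumulative wait would exceed
    max_duration_s."""
    delays, elapsed, delay = [], 0, base_s
    while elapsed + delay <= max_duration_s:
        delays.append(delay)
        elapsed += delay
        delay = min(delay * 2, max_intra_s)
    return delays


def retry_offsets(base_s: int, max_intra_s: int, max_duration_s: int) -> List[int]:
    """Seconds after the first failed POST at which each retry is attempted."""
    offsets, elapsed = [], 0
    for d in retry_delays(base_s, max_intra_s, max_duration_s):
        elapsed += d
        offsets.append(elapsed)
    return offsets


def recovery_budget_s(base_s: int, max_intra_s: int, max_duration_s: int) -> int:
    """Latest moment (seconds after the first failure) at which the destination
    can come back and still receive the batch: the final retry offset."""
    offsets = retry_offsets(base_s, max_intra_s, max_duration_s)
    return offsets[-1] if offsets else 0


if __name__ == "__main__":
    # Page defaults: 2 s base, 60 s cap, 5 min total.
    print("delays :", retry_delays(2, 60, 300))
    print("offsets:", retry_offsets(2, 60, 300))
    print("last retry at", recovery_budget_s(2, 60, 300), "s after first failure")
    # The page's 8-hour example with the same base delay and cap.
    long_run = retry_offsets(2, 60, 8 * 3600)
    print(len(long_run), "retries over 8 h; last at", long_run[-1], "s")
```

With the defaults the batch is retried eight times (2, 4, 8, 16, 32, 60, 60, 60 seconds apart) and given up 242 seconds after the first failure, so an outage at the destination must end within about four minutes or the batch is lost; raise Max Retry Duration if that is shorter than your realistic recovery time.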

To verify the integration

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the data streams for the integration you created are running. Data streaming is indicated by moving colored arrows:

  • A moving blue arrow indicates that event data is being streamed.
  • A moving red arrow indicates that metric data is being streamed.

To view events in BMC Helix Operations Management

From BMC Helix Operations Management, go to Monitoring > Events and confirm that the events collected from Splunk are listed.
For more information, see Event monitoring.

To view metrics in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Devices.
  2. Click the links for the required device.
  3. On the Monitors tab, click the required monitor.
    The Performance Overview tab shows the metrics graph. For information about metrics, see Viewing collected data.

To view situations in BMC Helix AIOps

In BMC Helix AIOps, on the Overview page, view the services and situations for the event and topology data received from Splunk.
