Integrating with Splunk Enterprise


As a tenant administrator, it's important that you can monitor the connected systems and quickly identify and resolve any issues. The BMC Helix Intelligent Integrations Splunk Enterprise connector collects events and metrics data from Splunk Enterprise.

You can view the collected data in various BMC Helix applications and derive the following benefits:

BMC Helix Operations Management (Events)
  • Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place.
  • Process events to help identify actionable events quickly from a large volume of event data.
  For more information, see Monitoring events and reducing event noise.

BMC Helix Operations Management (Metrics)
  • Use alarm and variate policies to detect anomalies and eliminate false positives for more accurate results while monitoring the health of your system.
  For more information, see Detecting anomalies by using static and dynamic thresholds.

BMC Helix AIOps (Situations, created from events)
  • Improve the mean time to resolve (MTTR) based on the situation-driven workflow.
  • Lower the mean time to detect or discover (MTTD) and the time required for investigating tickets.
  For more information, see Monitoring situations.

BMC Helix Dashboards (Events and metrics)
  • Create dashboards to get a consolidated view of data collected from third-party products across your environment.
  • Improve the efficiency of your system by monitoring the key performance metrics and respond to issues quickly to minimize downtime.
  For more information, see Creating custom dashboards.


As a tenant administrator, perform the following steps to configure a connection with Splunk Enterprise, verify the connection, and view the collected event and metric data in various BMC Helix applications.

Watch the following video (10:25) to learn how to collect events and metrics data from Splunk Enterprise and view the collected data in BMC Helix Operations Management.

https://youtu.be/ixjY99sayfY

Supported versions

This connector supports the following versions of Splunk Enterprise for data collection:

  • 8.x
  • 9.x

Planning for the connection

Review the following prerequisites to help you plan and configure a connection with Splunk Enterprise.

Splunk Enterprise prerequisites

  • This connector collects data from Splunk Enterprise reports. A Splunk Enterprise report contains events and metrics information. Ensure that the Splunk Enterprise user account that you plan to use when configuring the Splunk Enterprise connector has access to the required Splunk Enterprise report.
  • Ensure that the Splunk Enterprise report from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk Enterprise documentation. For example, the following figure shows the Splunk_II_Events report, which is part of the Search app. This report contains events from a third-party product.

    (Figure: the Splunk_II_Events report in the Search app)

  • To display meaningful data in BMC Helix Operations Management from a Splunk Enterprise report containing events from a third-party product, the report should meet the following criteria:
    • The report must have fields that contain the following type of information:
      • Event ID: An identifier that can be concatenated with other fields in the report to get a unique identifier. For example, you can concatenate this identifier with issue, and differentiate events that differ only by status.
      • Title: The event's title snippet, for example, High CPU alert.
      • Severity: The event severity.

        Important

        If severity is represented by numeric values in Splunk Enterprise (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Ok
        • Critical
        • Minor
        • Major
        • Warning
        • Unknown

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Status: The event status.

        Important

        If status is represented by numeric values in Splunk Enterprise (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Created
        • Closed

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Host: The host where the issue was observed. If the report does not contain this field, the Host field in BMC Helix Operations Management is derived from the Splunk host name for which the event report is being processed.
    • In addition, the report can have other, optional fields containing the following types of information:
      • Category: Indicates the event category.
      • Subcategory: Indicates the event subcategory.
      • Origin URI: Indicates the origin of the event.
        For example, the sample report Splunk_II_Events contains the fields EventId, Severity, Summary, and Type.
        (Figure: the Splunk_II_Events sample report with its fields under Selected Fields)

    • The Splunk Enterprise fields from which you want to collect data and map to BMC Helix Intelligent Integrations while configuring the connector must appear under Selected Fields. For example, if you want to map the EventId, Severity, or Type fields, these fields must appear under Selected Fields.

      (Figure: the Selected Fields list of the sample report)
      For more information, see Selected Fields in the Splunk Enterprise documentation.

  • To display meaningful data in BMC Helix Operations Management from a Splunk Enterprise report containing metrics from a third-party product, the report should meet the following criteria:
    • The report must contain the following type of information:
      • timestamp
      • metrics
        For example, the sample report Messages by minute last 3 hours contains the columns _time, /opt/splunk/var/log/introspection/resource usage.log, and so on.

        Important

        This report is only a sample. You can have as many metric columns as required in your report. You can name these columns according to your requirements.

        (Figure: the sample metrics report)

    • The report fields containing metrics must have a numeric datatype.
    • host: The host for which metrics were collected. If the report does not contain this field, the device name in BMC Helix Operations Management is derived from the Splunk host name for which the metric report is being processed.
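The two report shapes described in the prerequisites above, written out as an added example of a savedsearches.conf in the Search app. This file is illustrative and is not shipped with the connector or with Splunk; the index, sourcetype, raw field names (netcool_idx, netcool:events, alert_id, node, summary, alert_group, severity_num, status_num, data.cpu_user_pct, data.mem_used) and the numeric-to-string mappings are assumptions chosen for the example. The Severity and Status fields are built with Splunk's case() and if() functions so that the report emits exactly the string values listed above, and the metric report uses stats so that every metric column is numeric and every row carries _time and host.

```ini
# etc/apps/search/local/savedsearches.conf
# Added example; index, sourcetype and raw field names are assumptions,
# not values taken from the connector documentation.

# Event report: one row per third-party event, carrying the fields the
# connector maps (EventId, Title, Severity, Status, host, Category).
[Splunk_II_Events]
search = index=netcool_idx sourcetype=netcool:events \
    | eval EventId=alert_id."_".node \
    | eval Severity=case(severity_num==5, "Critical", severity_num==4, "Major", \
                         severity_num==3, "Minor",    severity_num==2, "Warning", \
                         severity_num==0, "Ok",       true(),          "Unknown") \
    | eval Status=if(status_num==0, "Closed", "Created") \
    | eval host=coalesce(node, host) \
    | rename summary AS Title, alert_group AS Category \
    | fields _time EventId Title Severity Status host Category
# The mapped fields must appear under Selected Fields in the report's event view.
display.events.fields = ["EventId","Title","Severity","Status","host","Category"]
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Metric report: one row per minute and host; each metric column is numeric
# because it is produced by avg(), and host is kept as a group-by field.
[Splunk_II_Metrics]
search = index=_introspection sourcetype=splunk_resource_usage component=Hostwide \
    | bin _time span=1m \
    | stats avg(data.cpu_user_pct) AS cpu_user_pct avg(data.mem_used) AS mem_used BY _time host
dispatch.earliest_time = -3h
dispatch.latest_time = now
```

The host line uses coalesce() so that the third-party node name is used when present and Splunk's own host field otherwise, which mirrors the fallback described above. Severity values that match none of the numeric codes fall through to Unknown rather than being dropped. After saving the file, share the reports at the app level (Permissions for the Search app) and give the account the connector will use a role with read access to those reports and to the indexes they search, rather than configuring the connector with an administrator account.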

BMC Helix Intelligent Integrations prerequisites

  • Depending on the location (SaaS, on-premises) of the third-party product, choose one or more BMC Helix Intelligent Integrations deployment modes and review the corresponding port requirements. For information about various deployment modes and port requirements, see Deployment-scenarios.
  • Based on the deployment modes, use the BMC Helix Intelligent Integrations SaaS deployment or the BMC Helix Intelligent Integrations on-premises gateway or both. For more information about the gateway, see Deploying-the-BMC-Helix-Intelligent-Integrations-on-premises-gateway.
  • The on-premises gateway must be able to reach the third-party product on the required port (default is 8089).

In the preceding list, third-party product refers to Splunk. 

Configuring the connection with Splunk Enterprise

  1. Access BMC Helix Intelligent Integrations:
    • BMC Helix Intelligent Integrations SaaS – Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.
    • BMC Helix Intelligent Integrations on-premises gateway – Use one of the following URLs to access BMC Helix Intelligent Integrations:
      • http://<hostName>:<portNumber>/swpui
      • https://<hostName>:<portNumber>/swpui
  2. On the CONNECTORS tab, click the add icon in the SOURCES panel.
  3. Click the Splunk Enterprise tile.

  4. Specify the following details for the source connection:
    1. Specify a unique instance name.

      Best practice
      We recommend that you specify the instance name in the following format: 

      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>

      The instance qualifier helps you to distinguish the multiple instances configured from the same source server. For example, you can name your instances as Splunk_Host_PROD, Splunk_Host_TEST, and so on.

    2. Specify the Splunk Enterprise host name.
    3. Specify the Splunk management port number for the connection protocol you use (the default management port is 8089).
    4. Select the HTTPS option to use an https connection to the Splunk Enterprise host. The Splunk management port serves HTTPS by default; if you leave this option cleared, the credentials entered in the next step are sent to Splunk in cleartext.
    5. Enter the user name and password for the Splunk Enterprise host.
  5. Click VALIDATE AND CREATE.
    The specified connection details are validated and the corresponding source connection is created in the Source Connection list.
  6. Select the source connection that you created from the list if it is not selected already.

    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Ensure that the options for the datatypes for which you want to collect data are selected.
  8. Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:

    Note: The ✅️ symbol indicates that this field is applicable to the data type.

  9. Click CREATE COLLECTORS to create the required collector streams for the selected data types.
  10. Configure the distributors for the selected data types by clicking the respective data type in the Distributors section.
    Specify the parameters for the selected data type, as explained in the following table:
  11. Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
  12. Click one of the following buttons:
    • SAVE STREAM: Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
    • SAVE AND START STREAM: Click this button if you want to save the integration details and start receiving data immediately.

    For more information about the data streams, see Starting-or-stopping-data-streams.


Verifying the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.

  • A moving blue arrow indicates that the event stream is running. Event data is pushed according to the configured Collection Schedule interval.
  • A moving red arrow indicates that the metric stream is running. Metric data is pushed according to the configured Collection Schedule interval.

Viewing data in BMC Helix applications

View data collected from Splunk Enterprise in multiple BMC Helix applications.

Important

If the event or metric data is ingested through BMC Helix Intelligent Integrations but the topology data is ingested through some other means, not all use cases in BMC Helix AIOps might work as expected, because the external IDs generated by BMC Helix Intelligent Integrations and BMC Helix Discovery differ. In addition, the host name might differ between the two products.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.
    (Figure: events filtered by the SplunkEvent class)

Incoming events from Splunk Enterprise are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-suppression-and-closure-for-reducing-event-noise.

For more information about events, see Monitoring and managing events.

To view metrics in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Devices.
  2. Click the links for the required device.
  3. On the Monitors tab, click the required monitor.
    The Performance Overview tab shows the metrics graph. 

    (Figure: metrics graph on the Performance Overview tab)

For information about metrics, see Viewing collected data.

Viewing Situations in BMC Helix AIOps

Before you view situations in BMC Helix AIOps, ensure that the following prerequisites are met: 

  1. CIs are present in BMC Helix Discovery or BMC Helix AIOps for the events that are being collected from the Splunk Enterprise report.
  2. Create a Business Service model in one of the following applications:
  3. Perform one of the following tasks:

To view Situations

  1. In BMC Helix AIOps, go to the Situations page.
    This page shows the Situations created from the events that are ingested into BMC Helix Operations Management.
  2. Click the required Situation to view the messages contained in the Situation and other details such as the priority and severity of the message.
    The following figure shows a sample Situation created from three events:
    (Figure: a sample Situation created from three Splunk events)

For information about Situations, see Monitoring situations.

Mapping between Splunk Enterprise and BMC Helix Operations Management

The following table shows how Splunk Enterprise event attributes map to BMC Helix Operations Management:

Event attribute   Splunk Enterprise     BMC Helix Operations Management
Status            Created               Open
Status            Closed                Closed
Status            In Progress           Open
Status            Confirmed             Open
Status            Any other status      Open
Severity          Ok                    Ok
Severity          Critical              Critical
Severity          Minor                 Minor
Severity          Major                 Major
Severity          Warning               Warning
Severity          Unknown               Unknown
Title             Title                 Message

 
