Integrating with Splunk Enterprise via webhook


Splunk Enterprise is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

Splunk uses a webhook to push real-time alerts about problems detected in the environment. Whenever Splunk detects a problem, the BMC Helix Intelligent Integrations WebSocket receives an alert. BMC Helix Intelligent Integrations then invokes the Splunk REST API and processes the alerts from the saved search alert. The BMC Helix Intelligent Integrations Splunk Enterprise connector collects events from Splunk by using this webhook mechanism.

As a tenant administrator, it's important that you can monitor the connected systems and quickly identify and resolve any issues. 

You can view the collected events in BMC Helix Operations Management and derive the following benefits:

  • BMC Helix application: BMC Helix Operations Management
  • Type of data collected or viewed: Events
  • Benefits:
    • Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place.
    • Process events to help identify actionable events quickly from a large volume of event data.
    • For more information, see Monitoring events and reducing event noise.

As a tenant administrator, perform the following steps to configure a connection with Splunk Enterprise via webhook, verify the connection, and view the collected data in various BMC Helix applications.



Supported versions

BMC Helix Intelligent Integrations supports version 9.0.5 of Splunk Enterprise for data collection.

Task 1: To plan for the connection

Review the following prerequisites to help you plan and configure a connection with Splunk Enterprise.

Splunk Enterprise prerequisites

  • This connector collects data from Splunk Enterprise alerts. A Splunk Enterprise alert contains information about events. Ensure that the Splunk Enterprise user account that you plan to use when you configure the Splunk Webhook connector has permission to query the required Splunk Enterprise saved search alert report.
  • Ensure that the Splunk Enterprise alert from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk Enterprise documentation. For example, the Splunk_II_Alerts alert is part of the Search app and contains events from a third-party product.

  • To display meaningful data in BMC Helix Operations Management from a Splunk Enterprise alert containing events from a third-party product, the alert should meet the following criteria:
    • The alert must have fields that contain the following types of information:
      • Event ID: An identifier that can be concatenated with other fields in the report to get a unique identifier. For example, you can concatenate this identifier with issue to differentiate events that differ only by status.
      • Severity: The event severity.

        Important

        If severity is represented by numeric values in Splunk Enterprise (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Ok
        • Critical
        • Major
        • Minor
        • Warning
        • Unknown

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Status: The event status.

        Important

        If status is represented by numeric values in Splunk Event Webhook (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Created
        • Closed

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Configuration ID
      • Configuration Item type

BMC Helix Intelligent Integrations prerequisites

  • Depending on the location of the third-party product (SaaS, on-premises), choose one or more BMC Helix Intelligent Integrations deployment modes and review the corresponding port requirements. For information about various deployment modes and port requirements, see Deployment-scenarios.
  • Based on the deployment modes, use the BMC Helix Intelligent Integrations SaaS deployment or the BMC Helix Intelligent Integrations on-premises gateway or both. For more information about the gateway, see Deploying-the-BMC-Helix-Intelligent-Integrations-on-premises-gateway.

In the preceding list, third-party product refers to Splunk.


Task 2: To configure the connection with Splunk Enterprise

  1. Access BMC Helix Intelligent Integrations:
    • BMC Helix Intelligent Integrations SaaS – Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.
    • BMC Helix Intelligent Integrations on-premises gateway – Use the following URL to access BMC Helix Intelligent Integrations:
      https://<hostName>:<portNumber>/swpui
  2. On the CONNECTORS tab, click the add icon (add_icon.png) in the SOURCES panel.
  3. Click the Splunk Events Webhook tile.
  4. Specify the following details for the source connection:
    1. Specify a unique instance name.

      Best practice
      We recommend that you specify the instance name in the following format: 

      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>

      The instance qualifier helps you distinguish the multiple instances configured from the same source server. For example, you can name your instances Splunk_Host_PROD, Splunk_Host_TEST, and so on.


    2. Specify the Splunk host name.
    3. Specify the Splunk HTTP or HTTPS port number depending on the connection protocol (default port number is 8089).
    4. Select the HTTPS option to use an HTTPS connection to the Splunk host.
    5. Enter the user name and password for the Splunk host.
  5. Click VALIDATE AND CREATE.
  6. Select the source connection that you created from the list if it is not selected already.

    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Configure the collector for the selected data type by clicking the data type in the Collectors section and specifying the parameters for the selected data type, as explained in the following table:


  8. Click CREATE COLLECTORS to create the required collector stream for the selected data type.
  9. Configure the distributors for the selected data type by clicking the data type in the Distributors section and specifying the parameters for the selected data type, as explained in the following table:

    Max Batching Size
      Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination's ability to buffer the incoming data.
      Default: 250

    Max Batching Delay
      Specify the maximum time (in seconds) to wait before building and processing a batch.
      Default: 3 seconds

    Base Retry Delay
      Specify the initial time (in seconds) to wait before retrying to build and process a batch. The waiting time increases in the following sequence: n^1, n^2, n^3, and so on, where n indicates the number of seconds.
      Default: 2 seconds
      Example: Base Retry Delay is set to 2 seconds. Retries are performed after 2, 4, 8, 16, ... seconds.

    Max Intra-Retry Delay
      Specify the maximum limit for the base retry delay.
      Default: 60 seconds
      Example: Max Intra-Retry Delay is set to 60 seconds and Base Retry Delay is set to 2 seconds. Retries are performed 2, 4, 8, 16, 32, ... seconds later.

    Max Retry Duration
      Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request.
      Default: 5 minutes
      Example: Max Retry Duration is set to 8 hours and Base Retry Delay is set to 2 seconds. Requests are sent after 2+4+8+16+32+64+132... seconds until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery. The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter.

    Attributes To Be Dropped When Updating Events
      Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management, specify those attributes in comma-separated format: severity,source_address,source_category,source_subcategory
      Important: You can obtain the event attribute names in BMC Helix Operations Management by exporting any event data in JSON, BAROC, XML, or CSV format. The exported file contains all attributes of the event data, from which you can identify the attributes to be dropped.
  10. Click CREATE DISTRIBUTORS to create the required distributor stream for the selected data type.
  11. Click VALIDATE AND CREATE and then click SAVE STREAM to save the stream.
    After you save the stream, the connector that you just created is listed on the SOURCES panel.
  12. On the SOURCES panel, click Configure Mediator (ConfigureMediator_icon.png) for the source connection that you created and then expand SPLUNK EVENTS WEBHOOK.
  13. Depending on whether you are using only a SaaS deployment of BMC Helix Intelligent Integrations or the BMC Helix Intelligent Integrations on-premises gateway, perform the following steps:
    • If you are using only SaaS deployment of BMC Helix Intelligent Integrations:
      1. Click the copy icon (copy_URL.png) to copy the auto-generated Splunk collector URL and save the URL in a temporary file.
        For example:
        https://hostA/hii/api/mediator/v3/push/9mn-6c97?token=API-KEY
      2. Log on to BMC Helix Portal and generate an access key.
        For instructions, see Setting up access keys for programmatic access.
      3. Copy the generated access key and save it in a temporary file.
        The key is generated in the format <accessKey>::<secretKey>::<tenantID>.
        For example, Y40OSC49QZA11Q::MnVLk69TNyCE::385261281
      4. Change the format of the access key to <tenantID>::<accessKey>::<secretKey>.
        For example, 385261281::Y40OSC49QZA11Q::MnVLk69TNyCE
      5. In the temporary file, modify the auto-generated Splunk collector URL by replacing API-KEY with the access key that you formatted in the previous step.
        For example, https://hostA/hii/api/mediator/v3/push/9mn-6c97?token=385261281::Y40OSC49QZA11Q::MnVLk69TNyCE
      6. Configure Splunk to forward incidents data to BMC Helix Intelligent Integrations.

    • If you are using the BMC Helix Intelligent Integrations on-premises gateway:
      1. Click the copy icon (copy_URL.png) to copy the auto-generated Splunk collector URL and save the URL in a temporary file.
        For example:
        https://hostA/hii/api/mediator/v3/push/9mn-6c97
      2. Configure Splunk to forward incidents data to BMC Helix Intelligent Integrations.
  14. On the SOURCES panel, move the slider to the right to start the event stream for the connector.

    Important

    For a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show No Runs as the status during the data collection process. After completion of the process, these columns are updated with an appropriate status.
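The three retry parameters in step 9 of Task 2 interact: the wait grows as a power of Base Retry Delay, is capped by Max Intra-Retry Delay, and stops at Max Retry Duration. The following Python model is an added example, not code from BMC or the product; it assumes the duration limit is inclusive and computes the retry offsets for the table's values.

```python
# Added example, not part of the BMC documentation: a model of how the three distributor
# retry parameters (Base Retry Delay, Max Intra-Retry Delay, Max Retry Duration) interact.
# The growth rule (n^1, n^2, n^3 ...) and the cap follow the table above; treating the
# duration limit as inclusive is an assumption about behaviour the table does not state.
from typing import List


def retry_schedule(base_retry_delay: int, max_intra_retry_delay: int,
                   max_retry_duration: int) -> List[int]:
    """Offsets, in seconds after the first failed POST, at which a batch is re-sent.

    The k-th wait is base_retry_delay ** k, capped at max_intra_retry_delay; retries
    stop once the next wait would push the elapsed time past max_retry_duration.
    """
    if base_retry_delay < 1 or max_intra_retry_delay < 1 or max_retry_duration < 0:
        raise ValueError("delays must be positive seconds")
    offsets: List[int] = []
    elapsed = 0
    wait = base_retry_delay            # base^1 for the first retry
    while True:
        capped = min(wait, max_intra_retry_delay)
        if elapsed + capped > max_retry_duration:
            return offsets             # the next retry would exceed the total budget
        elapsed += capped
        offsets.append(elapsed)
        if wait < max_intra_retry_delay:
            wait *= base_retry_delay   # base^k -> base^(k+1); no need to grow past the cap


if __name__ == "__main__":
    # Default values from the table: 2 s base, 60 s cap, 5 minutes total.
    default = retry_schedule(2, 60, 5 * 60)
    print(f"{len(default)} retries at offsets (s): {default}")
    # The table's 8-hour example, with the default 60 s cap applied.
    long_run = retry_schedule(2, 60, 8 * 3600)
    print(f"8-hour window: {len(long_run)} retries, last at {long_run[-1]} s")
```

With the defaults the distributor gives up after 8 attempts spread over 242 seconds, so an outage of the destination longer than Max Retry Duration means the batch is dropped rather than delivered late.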


Task 3: To configure Splunk Enterprise to forward events data to BMC Helix Intelligent Integrations

  1. Log on to Splunk Enterprise.
  2. On the Alerts tab, select Edit > Edit Alerts for the alerts that you want to configure.
  3. In the Trigger Actions section, enter the Splunk collector URL that you saved in the temporary file.
  4. Click Save to save the alert.
  5. Select Edit > Enable, and then click Enable to enable the alert that you have edited.

After configuring Splunk Enterprise, go to step 14 of Task 2: Configure the connection with Splunk Enterprise.


Task 4: To verify the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the event stream for the connection you created is running. 


A moving blue arrow (EventsStream_Icon.png) indicates that the event stream is running. Event data will be pushed as soon as events are available.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-suppression-and-closure-for-reducing-event-noise.

For more information about events, see Monitoring and managing events.
