Integrating with Splunk Enterprise via webhook


Splunk Enterprise is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

Splunk uses a webhook to push real-time alerts about problems detected in the environment. Whenever Splunk detects a problem, the BMC Helix Intelligent Integrations WebSocket receives an alert. BMC Helix Intelligent Integrations then invokes the Splunk REST API and processes the alerts from the saved search alert. The BMC Helix Intelligent Integrations Splunk Enterprise connector collects events from Splunk by using this webhook mechanism.

As a tenant administrator, it's important that you can monitor the connected systems and quickly identify and resolve any issues. 

You can view the collected events in BMC Helix Operations Management and derive the following benefits:

BMC Helix application: BMC Helix Operations Management

Type of data collected or viewed: Events

Benefits:

  • Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place.
  • Process events to help identify actionable events quickly from a large volume of event data.

For more information, see Monitoring events and reducing event noise.

As a tenant administrator, perform the following steps to configure a connection with Splunk Enterprise via webhook, verify the connection, and view the collected data in various BMC Helix applications.

ConnectorSteps.png

Supported versions

BMC Helix Intelligent Integrations supports the following versions of Splunk for data collection:

  • Splunk Cloud Platform
  • Splunk Enterprise 9.0.5

Task 1: To plan for the connection

Review the following prerequisites to help you plan and configure a connection with Splunk Enterprise.

Splunk Enterprise prerequisites

  • This connector collects data from Splunk Enterprise alerts. A Splunk Enterprise alert contains information about events. Ensure that the Splunk Enterprise user account that you plan to use when you configure the Splunk Webhook connector has permission to query the required Splunk Enterprise saved search alert report.
  • Ensure that the Splunk Enterprise alert from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk Enterprise documentation. For example, the following figure shows the Splunk_II_Alerts alert, which is part of the Search app. It contains events from a third-party product.
    Splunk_Alerts1.png

  • To display meaningful data in BMC Helix Operations Management from a Splunk Enterprise alert containing events from a third-party product, the alert should meet the following criteria:
    • The alert must have fields that contain the following type of information:


      • Event ID: An identifier that can be concatenated with other fields in the report to form a unique identifier. For example, you can concatenate this identifier with the issue field to differentiate events that differ only by status.
      • Severity: The event severity.

        Important

        If severity is represented by numeric values in Splunk Enterprise (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Ok
        • Critical 
        • Major
        • Minor
        • Warning
        • Unknown

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Status: The event status.

        Important

        If status is represented by numeric values in Splunk Event Webhook (for example, 1, 2), convert values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Created
        • Closed

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Configuration ID
      • Configuration Item type

BMC Helix Intelligent Integrations prerequisites

  • Depending on the location of the third-party product (SaaS, on-premises), choose one or more BMC Helix Intelligent Integrations deployment modes and review the corresponding port requirements. For information about various deployment modes and port requirements, see Deployment-scenarios.
  • Based on the deployment mode, use the BMC Helix Intelligent Integrations SaaS deployment or the BMC Helix Intelligent Integrations on-premises gateway or both. For more information about the gateway, see Deploying-the-BMC-Helix-Intelligent-Integrations-on-premises-gateway.

In the preceding list, third-party product refers to Splunk.


Task 2: To configure the connection with Splunk Enterprise

  1. Depending on the deployment mode, perform one of the following steps to access BMC Helix Intelligent Integrations:
    • BMC Helix Intelligent Integrations SaaS – Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.
    • BMC Helix Intelligent Integrations on-premises gateway – Use the following URL to access BMC Helix Intelligent Integrations:
      https://<hostName>:<portNumber>/swpui
  2. On the CONNECTORS tab, click the add icon in the SOURCES panel.
  3. Click the Splunk Events Webhook tile.
  4. Specify the following details for the source connection:
    1. Specify a unique instance name.

      Best practice
      We recommend that you specify the instance name in the following format: 

      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>

      The instance qualifier helps you distinguish the multiple instances configured from the same source server. For example, you can name your instances Splunk_Host_PROD, Splunk_Host_TEST, and so on.


    2. Specify the Splunk host name.
    3. Specify the Splunk HTTP or HTTPS port number depending on the connection protocol (default port number is 8089).
    4. Select the HTTPS option to use an HTTPS connection to the Splunk host.
    5. Enter the user name and password for the Splunk host.
  5. Click VALIDATE AND CREATE.
  6. Select the source connection that you created from the list if it is not selected already.

    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Configure the collector for the selected data type by clicking the data type in the Collectors section and specifying the parameters for the selected data type, as explained in the following table:


  8. Click CREATE COLLECTORS to create the required collector stream for the selected data type.
  9. Configure the distributors for the selected data type by clicking the data type in the Distributors section and specifying the parameters for the selected data type, as explained in the following table:
    Parameter name and description:

    • Max Batching Size
      Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination's ability to buffer the incoming data.
      Default: 250
    • Max Batching Delay
      Specify the maximum time (in seconds) to wait before building and processing a batch.
      Default: 3 seconds
    • Base Retry Delay
      Specify the initial time (in seconds) to wait before retrying to build and process a batch. The waiting time increases in the sequence n^1, n^2, n^3, and so on, where n is the number of seconds.
      Default: 2 seconds
      Example: Base Retry Delay is set to 2 seconds. Retries are performed after 2, 4, 8, 16, ... seconds.
    • Max Intra-Retry Delay
      Specify the maximum limit for the base retry delay; no single wait between retries exceeds this value.
      Default: 60 seconds
      Example: Max Intra-Retry Delay is set to 60 seconds and Base Retry Delay is set to 2 seconds. Retries are performed 2, 4, 8, 16, 32, ... seconds later, with each wait capped at 60 seconds.
    • Max Retry Duration
      Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request.
      Default: 5 minutes
      Example: Max Retry Duration is set to 8 hours and Base Retry Delay is set to 2 seconds. Requests are sent after 2+4+8+16+32+64+128... seconds until the total duration of 8 hours is reached. After that, no further attempts are made to retry the delivery. The assumption is that if there is an outage or other issue with the destination tool, recovery should take less time than the value of the Max Retry Duration parameter.
    • Attributes To Be Dropped When Updating Events
      Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management, specify those attributes in comma-separated format: severity,source_address,source_category,source_subcategory
      Important: You can obtain the event attribute names in BMC Helix Operations Management by exporting any event data in JSON, BAROC, XML, or CSV format. The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.
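The three retry parameters above interact: the base delay grows geometrically, Max Intra-Retry Delay caps each individual wait, and Max Retry Duration bounds the whole sequence. The following added example (not BMC's code; the product's internal scheduler is not published on this page) models that documented behaviour so you can check what a given setting actually buys you, for instance whether the default 5-minute duration still yields a retry after a given outage.

```python
# Added illustration of the documented distributor retry parameters.
# Assumption (labelled): the distributor waits n^1, n^2, n^3, ... seconds
# (n = Base Retry Delay), never longer than Max Intra-Retry Delay per wait,
# and stops once the next retry would fall beyond Max Retry Duration.


def retry_schedule(base_retry_delay, max_intra_retry_delay, max_retry_duration):
    """Return the list of waits (in seconds) between successive delivery retries."""
    if base_retry_delay < 1:
        raise ValueError("Base Retry Delay must be at least 1 second")
    waits = []
    elapsed = 0
    wait = base_retry_delay  # n^1
    while elapsed + wait <= max_retry_duration:
        waits.append(wait)
        elapsed += wait
        # Next wait is n^(k+1), capped by Max Intra-Retry Delay.
        wait = min(wait * base_retry_delay, max_intra_retry_delay)
    return waits


def last_retry_offset(waits):
    """Seconds after the first failed POST at which the final retry is sent."""
    return sum(waits)


def retry_outlasts_outage(waits, outage_seconds):
    """True if at least one retry is sent at or after the destination recovers."""
    return last_retry_offset(waits) >= outage_seconds


if __name__ == "__main__":
    # Defaults from the table: 2 s base, 60 s cap, 5 min total.
    default = retry_schedule(2, 60, 5 * 60)
    print("default waits:", default, "last retry at", last_retry_offset(default), "s")
    # Documented 8-hour example: doubling until the 60 s cap, then flat.
    long_run = retry_schedule(2, 60, 8 * 3600)
    print("8h example: first six waits", long_run[:6], "retries:", len(long_run))
    # With defaults, a 5-minute destination outage is NOT covered: the last
    # retry fires at 242 s, before the outage ends.
    print("survives 4 min outage:", retry_outlasts_outage(default, 240))
    print("survives 5 min outage:", retry_outlasts_outage(default, 300))
```

Note that with the defaults the last retry is sent 242 seconds after the first failure, so an outage that lasts the full 5 minutes is not recovered; size Max Retry Duration with that margin in mind.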
  10. Click CREATE DISTRIBUTORS to create the required distributor stream for the selected data type.
  11. Click VALIDATE AND CREATE and then click SAVE STREAM to save the stream.
    After you save the stream, the connector that you just created is listed on the SOURCES panel.
  12. On the SOURCES panel, click Configure Mediator for the source connection that you created and then expand SPLUNK EVENTS WEBHOOK.
  13. Click the copy icon to copy the auto-generated webhook collector URL and save it in a temporary file.
    For example, https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf?token=API-KEY.
  14. Depending on whether you are using only a SaaS deployment of BMC Helix Intelligent Integrations or the BMC Helix Intelligent Integrations on-premises gateway, perform the following steps:
    • If you are using only SaaS deployment of BMC Helix Intelligent Integrations or the on-premises gateway with authentication enabled, perform the following steps:
      1. Log on to BMC Helix Portal and generate an access key.
        For instructions, see Setting up access keys for programmatic access.

      2. Copy the generated access key and save it in a temporary file.
        The key is generated in the format: <accessKey>::<secretKey>::<tenantID>.
        For example, Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB::385261281
      3. Change the format of the access key to <tenantID>::<accessKey>::<secretKey>.
        For example, 385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB
      4. In a temporary file, modify the auto-generated collector URL by replacing API-KEY with the access key that you formatted in the previous step.
        For example, https://host.ab.com/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdfd?token=385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB.
      5. Configure Splunk to forward event data to BMC Helix Intelligent Integrations (see Task 3).
    • If you are using the on-premises gateway with authentication disabled, perform the following steps:
      1. Save the URL in a temporary file.
      2. Remove the following string from the collector URL: ?token=API-KEY
        The updated collector URL looks like the following example:
        https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf
      3. Configure Splunk to forward event data to BMC Helix Intelligent Integrations (see Task 3).
  15. On the SOURCES panel, move the slider to the right to start the event stream for the connector.

    Important

    For a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs while data collection is in progress. After the process completes, these columns are updated with the appropriate status.


Task 3: To configure Splunk Enterprise to forward events data to BMC Helix Intelligent Integrations

  1. Log on to Splunk Enterprise.
  2. On the Alerts tab, select Edit > Edit Alerts for the alert that you want to configure.
  3. In the Trigger Actions section, copy the collector URL that you modified in Task 2 (for a SaaS-only deployment or for the on-premises gateway, as applicable) and paste it as the default value of the parameter, enclosed in double quotes.
  4. Click Save to save the alert.
  5. Select Edit > Enable, and then click Enable to enable the alert that you have edited.
  6. Return to the last step of Task 2 to start the event stream.


Task 4: To verify the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the event stream for the connection you created is running. 

SplunkWebhook_EventsStream_243.png

A moving blue arrow indicates that the event stream is running. Event data is pushed as soon as events are available.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.
    SplunkEvents.png

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-suppression-and-closure-for-reducing-event-noise.

For more information about events, see Monitoring and managing events.
