Integrating with Splunk Enterprise via API

Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

As a tenant administrator, it's important that you can monitor the connected systems and quickly identify and resolve any issues. TheBMC Helix Intelligent Integrations Splunk connector uses Rest API to collect events and metrics data from Splunk.

BMC Helix application	Type of data collected or viewed	Benefits
BMC Helix Operations Management	Events	Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place. Process events to help identify actionable events quickly from a large volume of event data. For more information, see Monitoring events and reducing event noise.
BMC Helix Operations Management	Metrics	Use alarm and variate policies to detect anomalies and eliminate false positives for more accurate results while monitoring the health of your system. For more information, see Detecting anomalies by using static and dynamic thresholds.
BMC Helix AIOps	Situations (created from events)	Improve the mean time to resolve (MTTR) based on the situation-driven workflow. Lower the mean time to detect or discover (MTTD) and the time required for investigating tickets. For more information, see Monitoring situations.
BMC Helix Dashboards	Events and metrics	Create dashboards to get a consolidated view of data collected from third-party products across your environment. Improve the efficiency of your system by monitoring the key performance metrics and r espond to issues quickly to minimize the down time. For more information, see Creating custom dashboards

Task 2: To configure the connection with Splunk

- The [confluence_layout-cell] macro is a standalone macro and it cannot be used inline.
On the CONNECTORS tab, click in the SOURCES panel.
Click the
Splunk
Enterprise tile.
Specify the following details for the source connection:
1. Specify a unique instance name.
  Best practice
  We recommend that you specify the instance name in the following format:
  <sourceType>_<sourceControllerServerName>_<InstanceQualifier>
  The instance qualifier helps you to distinguish the multiple instances configured from the same source server. For example, you can name your instances as Splunk_Host_PROD, Splunk_Host_TEST, and so on.
  Best practice
  We recommend that you specify the instance name in the following format:
  <sourceType>_<sourceControllerServerName>_<InstanceQualifier>
  The instance qualifier helps you to distinguish the multiple instances configured from the same source server. For example, you can name your instances as Splunk_Host_PROD, Splunk_Host_TEST, and so on.
2. Specify the Splunk host name.
3. Specify the Splunk HTTP or HTTPS port number depending on the connection protocol (default port number is 8089).
4. Select the HTTPS option to use an https connection to the Splunk host.
5. Enter the user name and password for the Splunk host.
Click VALIDATE AND CREATE.
The specified connection details are validated and the corresponding source connection is created in the Source Connection list.
Select the source connection that you created from the list if it is not selected already.
Important
The destination host connection is created and configured automatically when the source connection is created.
Ensure that the options for the datatypes for which you want to collect data are selected.
Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:

Note: The ✅️ symbol indicates that this field is applicable to the data type.
Click CREATE COLLECTORS to create the required collector streams for the selected data types.

Configure the distributors for the selected data types by clicking the respective data type in the Distributors section.
Specify the parameters for the selected data type, as explained in the following table:

Parameter name	Description
Max Batching Size	Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination’s ability to buffer the incoming data.Default: 250
Max Batching Delay	Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay	Specify the initial time (in seconds) for which to wait before retrying to build and process a batch. The waiting time increases in the following sequence: n¹, n², n³, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.
Max Intra-Retry Delay	Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds. Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.
Max Retry Duration	Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours. Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.
Attributes To Be Dropped When Updating Events	Specify the event attributes that you do not want to be updated in BMC Helix Operations Managementwhen events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management , you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in BMC Helix Operations Management, by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.

Parameter name	Description
Max Batching Size	Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination’s ability to buffer the incoming data.Default: 250
Max Batching Delay	Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay	Specify the initial time (in seconds) for which to wait before retrying to build and process a batch. The waiting time increases in the following sequence: n¹, n², n³, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.
Max Intra-Retry Delay	Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds. Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.
Max Retry Duration	Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours. Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.
Attributes To Be Dropped When Updating Events	Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management , you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in BMC Helix Operations Management , by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.

Parameter name	Description
Max Batching Size	Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination’s ability to buffer the incoming data.Default: 250
Max Batching Delay	Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay	Specify the initial time (in seconds) for which to wait before retrying to build and process a batch. The waiting time increases in the following sequence: n¹, n², n³, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.
Max Intra-Retry Delay	Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds. Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.
Max Retry Duration	Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours. Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.
Attributes To Be Dropped When Updating Events	Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management , you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in BMC Helix Operations Management , by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.

Parameter name	Description
Max Batching Size	Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination’s ability to buffer the incoming data.Default: 250
Max Batching Delay	Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay	Specify the initial time (in seconds) for which to wait before retrying to build and process a batch. The waiting time increases in the following sequence: n¹, n², n³, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.
Max Intra-Retry Delay	Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds. Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.
Max Retry Duration	Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours. Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.
Attributes To Be Dropped When Updating Events	Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management , you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in BMC Helix Operations Management , by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.

Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
Click one of the following buttons:
- SAVE STREAM : Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
- SAVE AND START STREAM : Click this button if you want to save the integration details and start receiving data immediately.
ImportantFor a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs during the data collection process. After completion of the process, these columns are updated with an appropriate status.
ImportantFor a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs during the data collection process. After completion of the process, these columns are updated with an appropriate status.
ImportantFor a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs during the data collection process. After completion of the process, these columns are updated with an appropriate status.
ImportantFor a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs during the data collection process. After completion of the process, these columns are updated with an appropriate status.
For more information about the data streams, see Starting-or-stopping-data-streams.

Task 3: To verify the connection

From BMC Helix Intelligent Integrations , on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.

A moving blue arrow ( ) indicates that the event stream is running. Event data will be pushed according to the configured Collection Schedule interval.
A moving red arrow ( ) indicates that the metric stream is running. Metric data will be pushed according to the configured Collection Schedule interval.

To view data in BMC Helix applications

View data collected from Splunk in multiple BMC Helix applications.

To view events in BMC Helix Operations Management

In BMC Helix Operations Management, select Monitoring > Events.
Filter the events by the SplunkEvent class.

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-suppression-and-closure-for-reducing-event-noise.

For more information about events, see Monitoring and managing events.

To view metrics in BMC Helix Operations Management

In BMC Helix Operations Management, select Monitoring > Devices.
Click the links for the required device.
On the Monitors tab, click the required monitor.
The Performance Overview tab shows the metrics graph.

For information about metrics, see Viewing collected data.

To view Situations in BMC Helix AIOps

Before you view situations in BMC Helix AIOps, ensure that the following prerequisites are met:

CIs are present in BMC Helix Discovery or BMC Helix AIOps for the events that are being collected from the Splunk report.
Create a Business Service model in one of the following applications:
- BMC Helix Discovery. For more information, see Creating a model.
- BMC Helix AIOps. For more information, see Creating service models.
Perform one of the following tasks:
- To view ML-based situations, the AIOps Situations feature is enabled in BMC Helix AIOps. For more information, see Enabling the AIOps features.
- To view policy-based situations, the correlation policy is created in BMC Helix Operations Management. For more information, see Creating and enabling event policies.

To view Situations:

In BMC Helix AIOps , go to the Situations page.
This page shows the Situations created from the events that are ingested into BMC Helix Operations Management.
Click the required Situation to view the messages contained in the Situation and other details such as priority and severity of the message.
The following figure shows a sample Situation created from three events:

For information about Situations, see Monitoring situations.

Mapping between Splunk and BMC Helix Operations Management

The following table shows the mapping between Splunk and BMC Helix Operations Management:

Event attribute	Splunk	BMC Helix Operations Management
Status	Created	Open
	Closed	Closed
	In Progress	Open
	Confirmed	Open
	Any other status	Open
Severity	Ok	Ok
	Critical	Critical
	Minor	Minor
	Major	Major
	Warning	Warning
	Unknown	Unknown
Title	Title	Message