Integrating with Splunk Enterprise via API


Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

As a tenant administrator, you need to monitor the connected systems and quickly identify and resolve any issues. The BMC Helix Intelligent Integrations Splunk connector uses the Splunk REST API to collect event and metric data from Splunk.

You can view the collected data in various BMC Helix applications and derive the following benefits:

BMC Helix application: BMC Helix Operations Management
Type of data collected or viewed: Events
Benefits:
  Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place.
  Process events to help identify actionable events quickly from a large volume of event data.
  For more information, see Monitoring events and reducing event noise.

BMC Helix application: BMC Helix Operations Management
Type of data collected or viewed: Metrics
Benefits:
  Use alarm and variate policies to detect anomalies and eliminate false positives for more accurate results while monitoring the health of your system.
  For more information, see Detecting anomalies by using static and dynamic thresholds.

BMC Helix application: BMC Helix AIOps
Type of data collected or viewed: Situations (created from events)
Benefits:
  Improve the mean time to resolve (MTTR) with the situation-driven workflow.
  Lower the mean time to detect (MTTD) and the time required to investigate tickets.
  For more information, see Monitoring situations.

BMC Helix application: BMC Helix Dashboards
Type of data collected or viewed: Events and metrics
Benefits:
  Create dashboards to get a consolidated view of data collected from third-party products across your environment.
  Improve the efficiency of your system by monitoring the key performance metrics, and respond to issues quickly to minimize downtime.
  For more information, see Creating custom dashboards.

As a tenant administrator, perform the following steps to configure a connection with Splunk, verify the connection, and view the collected data in various BMC Helix applications.


Task 2: To configure the connection with Splunk

  1. Open BMC Helix Intelligent Integrations.
  2. On the CONNECTORS tab, click the add icon in the SOURCES panel.
  3. Click the Splunk Enterprise tile.

  4. Specify the following details for the source connection:
    1. Specify a unique instance name.

      Best practice
      We recommend that you specify the instance name in the following format:

      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>

      The instance qualifier helps you distinguish multiple instances configured from the same source server. For example, you can name your instances Splunk_Host_PROD, Splunk_Host_TEST, and so on.

    2. Specify the Splunk host name.
    3. Specify the port of the Splunk management (REST API) interface, over HTTP or HTTPS depending on the connection protocol (default port number is 8089).
    4. Select the HTTPS option to connect to the Splunk host over TLS. Without it, the credentials from the next step are sent in clear text.
    5. Enter the user name and password for the Splunk host. Use a dedicated Splunk account whose role grants only the search and REST access the collectors need, rather than an administrative account.
  5. Click VALIDATE AND CREATE.
    The specified connection details are validated and the corresponding source connection is created in the Source Connection list.
  6. Select the source connection that you created from the list if it is not selected already.

    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Ensure that the options for the data types for which you want to collect data are selected.
  8. Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:

    Note: The ✅️  symbol indicates that this field is applicable to the data type.

     

  9. Click CREATE COLLECTORS to create the required collector streams for the selected data types.
  10. Configure the distributors for the selected data types by clicking the respective data type in the Distributors section.
    Specify the parameters for the selected data type, as explained in the following table:
    Max Batching Size
      The maximum number of data items to send in a single POST request to the destination API. Choose it according to the destination's ability to buffer incoming data. Default: 250

    Max Batching Delay
      The maximum time (in seconds) to wait before building and processing a batch. Default: 3 seconds

    Base Retry Delay
      The initial time (in seconds) to wait before retrying a failed batch. The wait grows exponentially: n, n^2, n^3, and so on, where n is the base retry delay in seconds. Default: 2 seconds
      Example: with Base Retry Delay set to 2 seconds, retries are attempted after 2, 4, 8, 16, ... seconds.

    Max Intra-Retry Delay
      The upper limit (in seconds) for a single retry wait. Once the growing wait reaches this limit, every further retry waits this long. Default: 60 seconds
      Example: with Max Intra-Retry Delay set to 60 seconds and Base Retry Delay set to 2 seconds, retries are attempted 2, 4, 8, 16, 32, 60, 60, ... seconds apart.

    Max Retry Duration
      The total time for which a delivery is retried. For REST destinations, a delivery is a batch of data items in one POST request. After this time, no further attempts are made to deliver the batch. Default: 5 minutes
      Example: with Max Retry Duration set to 8 hours and Base Retry Delay set to 2 seconds, retries are attempted after 2, 4, 8, 16, 32, 64, 128, ... seconds (each wait also subject to Max Intra-Retry Delay) until the total retry time reaches 8 hours. The assumption is that an outage or other issue with the destination tool is recovered in less than the Max Retry Duration; a longer outage loses the batch.

    Attributes To Be Dropped When Updating Events
      Event attributes that must not be updated in BMC Helix Operations Management when an existing event is updated. For example, to keep an event's severity, source address, source category, and subcategory unchanged on update, specify them as a comma-separated list: severity,source_address,source_category,source_subcategory
      Important: To find the attribute names, export any event from BMC Helix Operations Management in JSON, BAROC, XML, or CSV format. The exported file contains all attributes of the event, from which you can identify the attributes to drop.


  11. Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
  12. Click one of the following buttons:

    • SAVE STREAM : Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
    • SAVE AND START STREAM : Click this button if you want to save the integration details and start receiving data immediately.

    Important: For a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status No Runs while data collection is in progress. After the process completes, these columns are updated with the appropriate status.


    For more information about the data streams, see Starting or stopping data streams.
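The retry parameters in step 10 interact in a way the table only sketches: each wait grows as a power of Base Retry Delay, is capped by Max Intra-Retry Delay, and no retry is attempted once the next wait would take the total past Max Retry Duration. The following Python model is an added example written for this page, not code from BMC Helix Intelligent Integrations; the product's exact timing is not documented here, so the model assumes the schedule exactly as the table describes it and uses the table's default values.

```python
"""Model of the distributor retry parameters for a REST destination.

Added example for this page, not code from BMC Helix Intelligent
Integrations. Assumed schedule, following the parameter table: the wait
before retry k is base**k seconds, each wait is capped by the intra-retry
limit, and no retry is attempted once the next wait would push the total
retry time past the maximum duration. Defaults are the table's defaults.
"""


def retry_schedule(base_retry_delay=2, max_intra_retry_delay=60,
                   max_retry_duration=300):
    """Return the waits (seconds) between consecutive retries, in order."""
    if base_retry_delay < 1 or max_intra_retry_delay < 1:
        raise ValueError("retry delays must be at least 1 second")
    waits = []
    elapsed = 0
    exponent = 1
    while True:
        wait = min(base_retry_delay ** exponent, max_intra_retry_delay)
        if elapsed + wait > max_retry_duration:
            return waits            # the next retry would exceed the budget
        waits.append(wait)
        elapsed += wait
        exponent += 1


def retry_times(**params):
    """Seconds after the first failed POST at which each retry fires."""
    times = []
    elapsed = 0
    for wait in retry_schedule(**params):
        elapsed += wait
        times.append(elapsed)
    return times


def survives_outage(outage_seconds, **params):
    """True if some retry fires after the destination is reachable again.

    The destination is assumed unreachable for outage_seconds after the
    first failure and healthy afterwards; the batch is lost if the final
    retry fires while it is still down.
    """
    return any(t >= outage_seconds for t in retry_times(**params))


if __name__ == "__main__":
    print("retry waits (defaults):", retry_schedule())
    print("retry times (defaults):", retry_times())
    for outage in (60, 240, 250):
        print(f"{outage}s outage survived:", survives_outage(outage))
```

With the defaults the retries fire 2, 6, 14, 30, 62, 122, 182 and 242 seconds after the first failure. The last retry fires 58 seconds before Max Retry Duration elapses, so a destination outage of 250 seconds loses the batch even though it is shorter than 5 minutes. If the destination can be unavailable for longer, raise Max Retry Duration (or lower Max Intra-Retry Delay so the final retries land closer to the limit).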

 

Task 3: To verify the connection

From BMC Helix Intelligent Integrations , on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.

  • A moving blue arrow indicates that the event stream is running. Event data is pushed according to the configured Collection Schedule interval.
  • A moving red arrow indicates that the metric stream is running. Metric data is pushed according to the configured Collection Schedule interval.

To view data in BMC Helix applications

View data collected from Splunk in multiple BMC Helix applications.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules that determine whether an incoming event is a duplicate of an existing event or a new event. For more information, see Event deduplication, suppression, and closure for reducing event noise.

For more information about events, see Monitoring and managing events.

To view metrics in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Devices.
  2. Click the links for the required device.
  3. On the Monitors tab, click the required monitor.
    The Performance Overview tab shows the metrics graph. 


For information about metrics, see Viewing collected data.

To view Situations in BMC Helix AIOps

Before you view situations in BMC Helix AIOps, ensure that the following prerequisites are met: 

  1. CIs are present in BMC Helix Discovery or BMC Helix AIOps for the events that are being collected from the Splunk report.
  2. Create a Business Service model in one of the following applications:
  3. Perform one of the following tasks:

To view Situations:

  1. In BMC Helix AIOps , go to the Situations page.
    This page shows the Situations created from the events that are ingested into BMC Helix Operations Management. 
  2. Click the required Situation to view the messages contained in the Situation and other details such as priority and severity of the message. 
    The following figure shows a sample Situation created from three events:

For information about Situations, see Monitoring situations.

Mapping between Splunk and BMC Helix Operations Management

The following table shows the mapping between Splunk and BMC Helix Operations Management:

Event attribute   Splunk             BMC Helix Operations Management
Status            Created            Open
                  Closed             Closed
                  In Progress        Open
                  Confirmed          Open
                  Any other status   Open
Severity          Ok                 Ok
                  Critical           Critical
                  Minor              Minor
                  Major              Major
                  Warning            Warning
                  Unknown            Unknown
Title             Title              Message
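The following Python model applies the status and severity mapping from the table above and shows what the distributor setting Attributes To Be Dropped When Updating Events does to an event that already exists in BMC Helix Operations Management. It is an added example written for this page, not code from the connector. The status and severity values are taken from the table; the record field names (status, severity and title on the Splunk side; status, severity and msg on the BMC Helix side) and the handling of a severity the table does not list are assumptions made for illustration.

```python
"""Splunk to BMC Helix Operations Management event mapping and the effect of
the 'Attributes To Be Dropped When Updating Events' distributor setting.

Added example for this page, not code from the connector. The status and
severity values come from the mapping table; the record field names
(status, severity, title on the Splunk side; status, severity, msg on the
BMC Helix side) and the handling of an unlisted severity are assumptions
made for illustration.
"""

# Splunk status -> BMC Helix Operations Management status (from the table).
STATUS_MAP = {
    "Created": "Open",
    "Closed": "Closed",
    "In Progress": "Open",
    "Confirmed": "Open",
}
DEFAULT_STATUS = "Open"          # table: "Any other status" -> Open

# Severities the table maps one-to-one.
SEVERITIES = {"Ok", "Critical", "Minor", "Major", "Warning", "Unknown"}


def map_splunk_event(splunk_event):
    """Translate one Splunk record into the BMC Helix event fields.

    Assumption: a severity not listed in the table is reported as Unknown
    rather than being guessed or dropped.
    """
    severity = splunk_event.get("severity", "Unknown")
    return {
        "status": STATUS_MAP.get(splunk_event.get("status"), DEFAULT_STATUS),
        "severity": severity if severity in SEVERITIES else "Unknown",
        "msg": splunk_event.get("title", ""),   # table: Title -> Message
    }


def parse_dropped_attributes(setting):
    """Parse the comma-separated distributor setting into a set of names."""
    return {name.strip() for name in setting.split(",") if name.strip()}


def apply_event_update(existing, incoming, dropped_setting):
    """Apply an incoming update to an existing event.

    Attributes named in dropped_setting keep the value already stored in
    BMC Helix Operations Management; all other attributes take the incoming
    value. 'Dropped' means left out of the update, not deleted from the event.
    """
    dropped = parse_dropped_attributes(dropped_setting)
    merged = dict(existing)
    for name, value in incoming.items():
        if name not in dropped:
            merged[name] = value
    return merged


if __name__ == "__main__":
    # Constructed sample records; not data from a real Splunk instance.
    first = map_splunk_event(
        {"title": "Disk 91% full on web01", "status": "Created", "severity": "Major"})
    update = map_splunk_event(
        {"title": "Disk 97% full on web01", "status": "In Progress", "severity": "Critical"})
    setting = "severity,source_address,source_category,source_subcategory"
    print("first:  ", first)
    print("updated:", apply_event_update(first, update, setting))
```

In the sample run the update changes the message but leaves the severity at Major, because severity is in the dropped list; that is the behaviour to expect when an operator has manually adjusted an event's severity and does not want the next Splunk update to overwrite it.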
