Integrating with Splunk Enterprise via API
You can view the collected data in various BMC Helix applications and derive the following benefits:
BMC Helix application | Type of data collected or viewed | Benefits |
---|---|---|
BMC Helix Operations Management | Events | Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place. Process events to help identify actionable events quickly from a large volume of event data. For more information, see Monitoring events and reducing event noise. |
BMC Helix Operations Management | Metrics | Use alarm and variate policies to detect anomalies and eliminate false positives for more accurate results while monitoring the health of your system. For more information, see Detecting anomalies by using static and dynamic thresholds. |
BMC Helix AIOps | Situations (created from events) | Improve the mean time to resolve (MTTR) based on the situation-driven workflow. Lower the mean time to detect or discover (MTTD) and the time required for investigating tickets. For more information, see Monitoring situations. |
BMC Helix Dashboards | Events and metrics | Create dashboards to get a consolidated view of data collected from third-party products across your environment. Improve the efficiency of your system by monitoring the key performance metrics and r espond to issues quickly to minimize the down time. For more information, see Creating custom dashboards |
As a tenant administrator, perform the following steps to configure a connection with Splunk, verify the connection, and view the collected data in various BMC Helix applications.
Task 2: To configure the connection with Splunk
-
- The [confluence_layout-cell] macro is a standalone macro and it cannot be used inline.
- The [confluence_layout-cell] macro is a standalone macro and it cannot be used inline.
- On the CONNECTORS tab, click
in the SOURCES panel.
Click the
Splunk
Enterprise tile.
- Specify the following details for the source connection:
Specify a unique instance name.
Best practice
We recommend that you specify the instance name in the following format:<sourceType>_<sourceControllerServerName>_<InstanceQualifier>
The instance qualifier helps you to distinguish the multiple instances configured from the same source server. For example, you can name your instances as Splunk_Host_PROD, Splunk_Host_TEST, and so on.
- Specify the Splunk host name.
- Specify the Splunk HTTP or HTTPS port number depending on the connection protocol (default port number is 8089).
- Select the HTTPS option to use an https connection to the Splunk host.
- Enter the user name and password for the Splunk host.
- Click VALIDATE AND CREATE.
The specified connection details are validated and the corresponding source connection is created in the Source Connection list. Select the source connection that you created from the list if it is not selected already.
- Ensure that the options for the datatypes for which you want to collect data are selected.
Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:
Note: The ✅️ symbol indicates that this field is applicable to the data type.- Click CREATE COLLECTORS to create the required collector streams for the selected data types.
- Configure the distributors for the selected data types by clicking the respective data type in the Distributors section.
Specify the parameters for the selected data type, as explained in the following table:Parameter nameDescriptionMax Batching SizeSpecify the maximum number of data items to send in a single POST request to the destination API.
The batch size depends on the destination’s ability to buffer the incoming data.Default: 250Max Batching DelaySpecify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 secondsBase Retry DelaySpecify the initial time (in seconds) for which to wait before retrying to build and process a batch.
The waiting time increases in the following sequence: n1, n2, n3, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.Max Intra-Retry DelaySpecify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds.
Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.Max Retry DurationSpecify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours.
Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.Attributes To Be Dropped When Updating EventsSpecify the event attributes that you do not want to be updated in BMC Helix Operations Managementwhen events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management , you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in BMC Helix Operations Management, by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.Parameter name
Description
Max Batching Size
Specify the maximum number of data items to send in a single POST request to the destination API.
The batch size depends on the destination’s ability to buffer the incoming data.Default: 250Max Batching Delay
Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay
Specify the initial time (in seconds) for which to wait before retrying to build and process a batch.
The waiting time increases in the following sequence: n1, n2, n3, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.Max Intra-Retry Delay
Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds.
Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.Max Retry Duration
Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours.
Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.Attributes To Be Dropped When Updating Events
Specify the event attributes that you do not want to be updated in
BMC Helix Operations Management
when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in
BMC Helix Operations Management
, you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in
BMC Helix Operations Management
, by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.
Parameter name
Description
Max Batching Size
Specify the maximum number of data items to send in a single POST request to the destination API.
The batch size depends on the destination’s ability to buffer the incoming data.Default: 250Max Batching Delay
Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay
Specify the initial time (in seconds) for which to wait before retrying to build and process a batch.
The waiting time increases in the following sequence: n1, n2, n3, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.Max Intra-Retry Delay
Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds.
Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.Max Retry Duration
Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours.
Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.Attributes To Be Dropped When Updating Events
Specify the event attributes that you do not want to be updated in
BMC Helix Operations Management
when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in
BMC Helix Operations Management
, you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in
BMC Helix Operations Management
, by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.
Parameter name
Description
Max Batching Size
Specify the maximum number of data items to send in a single POST request to the destination API.
The batch size depends on the destination’s ability to buffer the incoming data.Default: 250Max Batching Delay
Specify the maximum time (in seconds) to wait before building and processing a batch.Default: 3 seconds
Base Retry Delay
Specify the initial time (in seconds) for which to wait before retrying to build and process a batch.
The waiting time increases in the following sequence: n1, n2, n3, and so on, where n indicates the number of seconds.Default: 2 secondsExample:Base Retry Delay is set to 2 seconds.Retry is performed after 2, 4, 8, 16, ... seconds.Max Intra-Retry Delay
Specify the maximum limit for the base retry delay. Default: 60 secondsExample:Max Intra-Retry Delay is set to 60 seconds.
Base Retry Delay is set to 2 seconds.Retries are performed 2, 4, 8, 16, 32,... seconds later.Max Retry Duration
Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. Default: 5 minutesExample:Max Retry Duration is set to 8 hours.
Base Retry Delay is set to 2 seconds.Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.Attributes To Be Dropped When Updating Events
Specify the event attributes that you do not want to be updated in
BMC Helix Operations Management
when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in
BMC Helix Operations Management
, you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory .Important:You can obtain the event attribute names in
BMC Helix Operations Management
, by exporting any event data in JSON, BAROC, XML, or CSV format . The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.
- Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
Click one of the following buttons:
- SAVE STREAM : Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
- SAVE AND START STREAM : Click this button if you want to save the integration details and start receiving data immediately.
For more information about the data streams, see Starting-or-stopping-data-streams.
Task 3: To verify the connection
From BMC Helix Intelligent Integrations , on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.
- A moving blue arrow (
) indicates that the event stream is running. Event data will be pushed according to the configured Collection Schedule interval.
- A moving red arrow (
) indicates that the metric stream is running. Metric data will be pushed according to the configured Collection Schedule interval.
To view data in BMC Helix applications
View data collected from Splunk in multiple BMC Helix applications.
To view events in BMC Helix Operations Management
- In BMC Helix Operations Management, select Monitoring > Events.
- Filter the events by the SplunkEvent class.
Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-suppression-and-closure-for-reducing-event-noise.
For more information about events, see Monitoring and managing events.
To view metrics in BMC Helix Operations Management
- In BMC Helix Operations Management, select Monitoring > Devices.
- Click the links for the required device.
- On the Monitors tab, click the required monitor.
The Performance Overview tab shows the metrics graph.
For information about metrics, see Viewing collected data.
To view Situations in BMC Helix AIOps
Before you view situations in BMC Helix AIOps, ensure that the following prerequisites are met:
- CIs are present in BMC Helix Discovery or BMC Helix AIOps for the events that are being collected from the Splunk report.
- Create a Business Service model in one of the following applications:
BMC Helix Discovery. For more information, see Creating a model.
BMC Helix AIOps. For more information, see Creating service models.
- Perform one of the following tasks:
To view ML-based situations, the AIOps Situations feature is enabled in BMC Helix AIOps. For more information, see Enabling the AIOps features.
To view policy-based situations, the correlation policy is created in BMC Helix Operations Management. For more information, see Creating and enabling event policies.
To view Situations:
- In BMC Helix AIOps , go to the Situations page.
This page shows the Situations created from the events that are ingested into BMC Helix Operations Management. - Click the required Situation to view the messages contained in the Situation and other details such as priority and severity of the message.
The following figure shows a sample Situation created from three events:
For information about Situations, see Monitoring situations.
Mapping between Splunk and BMC Helix Operations Management
The following table shows the mapping between Splunk and BMC Helix Operations Management:
Event attribute | Splunk | BMC Helix Operations Management |
---|---|---|
Status | Created | Open |
Closed | Closed | |
In Progress | Open | |
Confirmed | Open | |
Any other status | Open | |
Severity | Ok | Ok |
Critical | Critical | |
Minor | Minor | |
Major | Major | |
Warning | Warning | |
Unknown | Unknown | |
Title | Title | Message |