Integrating with Splunk Enterprise via webhook


Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

Splunk uses a webhook to push real-time alerts about problems detected in the environment. Whenever Splunk detects a problem, the BMC Helix Intelligent Integrations WebSocket receives an alert. BMC Helix Intelligent Integrations invokes the Splunk REST API and processes alerts from a saved search alert. The BMC Helix Intelligent Integrations Splunk Enterprise connector collects events from Splunk by using the webhook mechanism.

As a tenant administrator, it's important that you can monitor the connected systems and quickly identify and resolve any issues. 

You can view the collected events in BMC Helix Operations Management and derive the following benefits:

BMC Helix application: BMC Helix Operations Management

Type of data collected or viewed: Events

Benefits:

  • Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place.
  • Process events to help identify actionable events quickly from a large volume of event data.

For more information, see Monitoring events and reducing event noise.

As a tenant administrator, perform the following steps to configure a connection with Splunk via webhook, verify the connection, and view the collected data in various BMC Helix applications.

ConnectorSteps.png

 

Supported versions

BMC Helix Intelligent Integrations supports the following versions of Splunk for data collection.

  • Splunk Cloud Platform
  • Splunk Enterprise 9.0.5

Task 1: To plan for the connection

Review the following prerequisites to help you plan and configure a connection with Splunk.

Splunk prerequisites

  • This connector collects data from Splunk alerts. A Splunk alert contains information about events. Ensure that the Splunk user account that you plan to use when you configure the Splunk Webhook connector has permission to query the required Splunk saved search alert report.
  • Make sure that the Splunk alert from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk Enterprise documentation.
    For example, the following figure shows the Splunk_II_Alerts alert, which is part of the Search app. It contains events from a third-party product.
    Splunk_Alerts1.png
  • To display meaningful data in BMC Helix Operations Management from a Splunk alert containing events from a third-party product, the alert should meet the following criteria:
    • The alert must have fields that contain the following type of information:
      • Event ID: An identifier that can be concatenated with other fields in the report to get a unique identifier. For example, you can concatenate this identifier with issue, and differentiate events that differ only by status.
      • Severity: The event severity.

        Important

        If severity is represented by numeric values in Splunk Enterprise (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Ok
        • Critical
        • Minor
        • Major
        • Warning
        • Unknown

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Status: The event status
        Important

        If status is represented by numeric values in the Splunk alert (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Created
        • Closed

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Configuration ID
      • Configuration Item type
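As an added check (example script, not part of the BMC or Splunk documentation), the following Python validates a Splunk alert's result rows against the field requirements above before the collector is pointed at the alert. The numeric code tables and the sample rows are constructed for illustration; in Splunk itself the numeric-to-string conversion is done in the saved search with the conditional functions the page refers to.

```python
# Added example, not part of the BMC or Splunk documentation: checks a Splunk
# alert's result rows against the collector's field requirements (non-empty
# event ID, allowed severity and status strings). The numeric code tables and
# the sample rows are constructed for illustration only.
from __future__ import annotations

ALLOWED_SEVERITY = {"Ok", "Critical", "Minor", "Major", "Warning", "Unknown"}
ALLOWED_STATUS = {"Created", "Closed"}

# Assumed numeric codes; the page does not define which number maps to which value.
SEVERITY_BY_NUMBER = {"1": "Critical", "2": "Major", "3": "Minor", "4": "Warning", "5": "Ok"}
STATUS_BY_NUMBER = {"1": "Created", "2": "Closed"}


def normalize(value, table: dict[str, str]) -> str:
    """Return the value as the collector expects it, translating numeric codes."""
    text = str(value).strip()
    return table.get(text, text)


def check_row(row: dict, mapping: dict[str, str]) -> list[str]:
    """Validate one alert result row.

    mapping gives the alert field name behind each collector parameter, e.g.
    {"event_id": "id", "severity": "sev", "status": "Type"}. An empty list
    means the row would produce a well-formed event.
    """
    problems: list[str] = []
    if not str(row.get(mapping["event_id"], "")).strip():
        problems.append("event ID field is empty: no event would be created")
    severity = normalize(row.get(mapping["severity"], ""), SEVERITY_BY_NUMBER)
    if severity not in ALLOWED_SEVERITY:
        problems.append(f"severity {severity!r} is not one of {sorted(ALLOWED_SEVERITY)}")
    status = normalize(row.get(mapping["status"], ""), STATUS_BY_NUMBER)
    if status not in ALLOWED_STATUS:
        problems.append(f"status {status!r} is not one of {sorted(ALLOWED_STATUS)}")
    return problems


def check_alert(rows: list[dict], mapping: dict[str, str]) -> dict[int, list[str]]:
    """Map row index -> problems for every row that would be dropped or rejected."""
    return {i: p for i, row in enumerate(rows) if (p := check_row(row, mapping))}


# Constructed sample rows; 'Type' and 'Summary' are the field names the page's
# sample alert uses for status and title.
MAPPING = {"event_id": "id", "severity": "sev", "status": "Type"}
SAMPLE_ROWS = [
    {"id": "INC-1", "sev": "2", "Type": "Created", "Summary": "disk 95% full"},
    {"id": "", "sev": "Critical", "Type": "Closed", "Summary": "missing id"},
    {"id": "INC-3", "sev": "High", "Type": "3", "Summary": "unmapped values"},
]

if __name__ == "__main__":
    for index, problems in check_alert(SAMPLE_ROWS, MAPPING).items():
        print(f"row {index}: " + "; ".join(problems))
```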

BMC Helix Intelligent Integrations prerequisites

  • Depending on the location of the third-party product (SaaS, on-premises), choose one or more BMC Helix Intelligent Integrations deployment modes and review the corresponding port requirements. For information about various deployment modes and port requirements, see Deployment-scenarios.
  • Based on the deployment mode, use the BMC Helix Intelligent Integrations SaaS deployment or the BMC Helix Intelligent Integrations on-premises gateway or both. For more information about the gateway, see Deploying-the-BMC-Helix-Intelligent-Integrations-on-premises-gateway.
  • The on-premises gateway must be able to reach the third-party product on the required port (default is 8089).

In the preceding list, third-party product refers to Splunk. 

Task 2: To configure the connection with Splunk

  1. Depending on the deployment mode, perform one of the following steps to access BMC Helix Intelligent Integrations:
    1. BMC Helix Intelligent Integrations SaaS – Log on to BMC Helix Portal, and click Launch on BMC Helix Intelligent Integrations.
    2. BMC Helix Intelligent Integrations on-premises gateway – Use the following URL to access BMC Helix Intelligent Integrations: https://<hostName>:<portNumber>/swpui
  2. On the CONNECTORS tab, click the add icon (add_icon.png) in the SOURCES panel.
  3. Click the Splunk Events Webhook tile.
  4. Specify the following details for the source connection:
    1. Specify a unique instance name.
      Best practice

      We recommend that you specify the instance name in the following format:
      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>
      The instance qualifier helps you distinguish the multiple instances configured from the same source server. For example, you can name your instances Splunk_Host_PROD, Splunk_Host_TEST, and so on.

    2. Specify the Splunk host name.
    3. Specify the Splunk HTTP or HTTPS port number depending on the connection protocol (default port number is 8089).
    4. Select the HTTPS option to use an HTTPS connection to the Splunk host.
    5. Enter the user name and password for the Splunk host.
  5. Click VALIDATE AND CREATE.
  6. Select the source connection that you created from the list if it is not selected already.
    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Configure the collector for the selected data type by clicking the data type in the Collectors section and specifying the parameters for the selected data type, as explained in the following table:
    Parameter name

    Description
    Severity Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Severity Field Name field in BMC Helix Intelligent Integrations.

    Important:

    • The alert field that you want to map to the Severity Field Name field might not be named Severity Field Name in your alert. If the name differs, type the field name that contains the severity values.
    • Make sure that the alert field that you want to map to the Severity Field Name field has one of the following severity values:
      • Ok
      • Critical
      • Minor
      • Major
      • Warning
      • Unknown
    Status Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Status Field Name field in BMC Helix Intelligent Integrations.

    Important:

    • The alert field that you want to map to the Status Field Name field might not be named Status Field Name in your alert. If the name differs, type the field name that contains the status values. For example, in the sample alert, this field is named Type, so you need to type Type in this field.
    • Make sure that the alert field that you want to map to the Status Field Name field has one of the following status values:
      • Created
      • Closed
    Event ID Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Event ID Field Name field in BMC Helix Intelligent Integrations.

    Important:

    • The alert field that you want to map to the Event ID Field Name field might not be named Event ID Field Name in your alert. If the name differs, type the field name that contains the event ID values.
    • The alert field that you want to map to the Event ID Field Name field must not be empty. If the alert field is empty, no event is created in BMC Helix Operations Management.
    Event Title Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Event Title Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Event Title Field Name field might not be named Event Title Field Name in your alert. If the name differs, type the field name that contains the title value.

    For example, in the sample alert, this field is named Summary, so you need to type Summary in this field.

    Description Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Description Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Description Field Name field might not be named Description Field Name in your Splunk alert. If the name differs, type the field name that contains the description value.

    Category Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Category Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Category Field Name field might not be named Category Field Name in the Splunk alert. If the name differs, type the field name that has the category value.

    Subcategory Field Name

    Enter a field available in the Splunk alert from which you want to collect data and map to the Subcategory Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Subcategory Field Name field might not be named Subcategory Field Name in your alert. If the name differs, enter the field name that has the subcategory value.

    Origin URI Field Name

    Enter the field name available in the Splunk alert from which you want to collect data and map to the Origin URI Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Origin URI Field Name field might not be named Origin URI Field Name in your alert. If the name differs, enter the field name that has the event URI value.

    Configuration ID

    Enter a field name available in the Splunk alert from which you want to collect data and map to the Configuration ID field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Configuration ID field might not be named Configuration ID in your alert. If the name differs, type a field that has the configuration ID value.

    Configuration Item Type

    Enter a field available in the Splunk Enterprise alert from which you want to collect data and map to the Configuration Item Type field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Configuration Item Type field might not be named Configuration Item Type in your alert. If the name differs, select a field that has the configuration item type value.

     

  8. Click CREATE COLLECTORS to create the required collector stream for the selected data type.
  9. Configure the distributors for the selected data type by clicking the data type in the Distributors section and specifying the parameters for the selected data type, as explained in the following table:

    Parameter name

    Description

    Max Batching Size

    Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination's ability to buffer the incoming data.

    Default: 250

    Max Batching Delay

    Specify the maximum time (in seconds) to wait before building and processing a batch.

    Default: 3 seconds

    Base Retry Delay

    Specify the initial time (in seconds) to wait before retrying to build and process a batch.
    The waiting time increases in the following sequence: n^1, n^2, n^3, and so on, where n indicates the number of seconds.

    Default: 2 seconds

    Example: Base Retry Delay is set to 2 seconds.

    Retry is performed after 2, 4, 8, 16, ... seconds.

    Max Intra-Retry Delay

    Specify the maximum limit for the base retry delay. 

    Default: 60 seconds

    Example: Max Intra-Retry Delay is set to 60 seconds.

    Base Retry Delay is set to 2 seconds.

    Retries are performed 2, 4, 8, 16, 32,... seconds later.

    Max Retry Duration

    Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. 

    Default: 5 minutes

    Example: Max Retry Duration is set to 8 hours.

    Base Retry Delay is set to 2 seconds.

    Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery. The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.

    Attributes To Be Dropped When Updating Events

    Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management, specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory

    Important: You can obtain the event attribute names in BMC Helix Operations Management by exporting any event data in JSON, BAROC, XML, or CSV format. The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.

     

  10. Click CREATE DISTRIBUTORS to create the required distributor stream for the selected data type.
  11. Click VALIDATE AND CREATE and then click SAVE STREAM to save the stream.
    After you save the stream, the connector that you just created is listed on the SOURCES panel.
  12. On the SOURCES panel, click Configure Mediator for the source connection that you created and then expand SPLUNK EVENTS WEBHOOK.
  13. Click copy to copy the auto-generated webhook collector URL and save it in a temporary file.
    For example, https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf?token=API-KEY.
  14. Depending on whether you are using only a SaaS deployment of BMC Helix Intelligent Integrations or BMC Helix Intelligent Integrations on-premises gateway, perform the following steps:
    1. If you are using only SaaS deployment of BMC Helix Intelligent Integrations or the on-premises gateway with authentication enabled, perform the following steps:
      1. Log on to BMC Helix Portal and generate an access key.
        For instructions, see Setting up access keys for programmatic access
      2. Copy the generated access key and save it in a temporary file.
        The key is generated in the format: <accessKey>::<secretKey>,tenant id:<tenantID>.
        For example, Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB,tenant id:385261281
      3. Change the format of the access key to <tenantID>::<accessKey>::<secretKey>.
        For example, 385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB
      4. In a temporary file, modify the auto-generated collector URL by replacing API-KEY with the access key that you formatted in the previous step.
        For example, https://host.ab.com/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdfd?token=385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB
      5. Configure Splunk to forward events data to BMC Helix Intelligent Integrations.
    2. If you are using the on-premises gateway with authentication disabled, perform the following steps:
      1. Save the URL in a temporary file.
      2. Remove the following string from the collector URL: ?token=API-KEY
        The updated collector URL looks like the following example:
        https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf
      3. Configure Splunk to forward events data to BMC Helix Intelligent Integrations.
  15. On the SOURCES panel, move the slider to the right to start the event stream for the connector.
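Added example, not from the BMC documentation: the function below computes the retry schedule that the three retry parameters in the step 9 distributor table produce, so you can see how Max Intra-Retry Delay caps the growing delay and Max Retry Duration ends the retries. The growth rule n^1, n^2, n^3 and the defaults (2 seconds, 60 seconds, 5 minutes) are taken from the table; stopping before the total would exceed the duration is an assumption about how the distributor applies the bound.

```python
# Added example, not part of the BMC documentation: models the distributor retry
# parameters from the step 9 table. Base Retry Delay n gives waits n^1, n^2, n^3, ...
# (page: 2, 4, 8, 16, ...); Max Intra-Retry Delay caps each wait; Max Retry Duration
# bounds the total time spent retrying one delivery. Stopping before the total
# would exceed the duration is an assumption, not documented product behaviour.
from __future__ import annotations

DEFAULT_BASE_RETRY_DELAY = 2          # seconds
DEFAULT_MAX_INTRA_RETRY_DELAY = 60    # seconds
DEFAULT_MAX_RETRY_DURATION = 5 * 60   # 5 minutes, in seconds


def retry_schedule(base_delay: float = DEFAULT_BASE_RETRY_DELAY,
                   max_intra_delay: float = DEFAULT_MAX_INTRA_RETRY_DELAY,
                   max_duration: float = DEFAULT_MAX_RETRY_DURATION) -> list[float]:
    """Return the wait (seconds) before each retry of a single delivery.

    Raises ValueError for a base delay below 1 second or a non-positive cap;
    such values would make the waits shrink or vanish and the loop never reach
    the duration bound.
    """
    if base_delay < 1 or max_intra_delay <= 0:
        raise ValueError("Base Retry Delay must be >= 1 s and Max Intra-Retry Delay > 0 s")
    waits: list[float] = []
    total = 0.0
    k = 1
    while True:
        wait = min(float(base_delay) ** k, float(max_intra_delay))
        if total + wait > max_duration:
            break
        waits.append(wait)
        total += wait
        k += 1
    return waits


def total_retry_time(*args, **kwargs) -> float:
    """Seconds from the first failure until the last retry attempt is made."""
    return sum(retry_schedule(*args, **kwargs))


if __name__ == "__main__":
    # With the defaults a delivery is retried 8 times over 242 seconds; the 60 s
    # cap takes over after the fifth retry (32 s would otherwise become 64 s).
    for attempt, wait in enumerate(retry_schedule(), start=1):
        print(f"retry {attempt}: after {wait:.0f} s")
```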
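Added example (not BMC's code) that performs the URL edits of step 14 for both deployment cases, using the page's own sample URL and access key; it refuses a key that is not in the generated format rather than guessing at it.

```python
# Added example, not part of the BMC documentation: applies the step 14 edits to
# the auto-generated collector URL. The sample URL and access key are the page's
# own examples; a real access key is a credential, so keep any file holding it private.
from __future__ import annotations
import re

TOKEN_PLACEHOLDER = "?token=API-KEY"

# Format in which BMC Helix Portal generates the key (step 14, substep 2).
GENERATED_KEY_RE = re.compile(
    r"^(?P<access>[^:,\s]+)::(?P<secret>[^:,\s]+),tenant id:(?P<tenant>\d+)$"
)


def reformat_access_key(generated: str) -> str:
    """'<accessKey>::<secretKey>,tenant id:<tenantID>' -> '<tenantID>::<accessKey>::<secretKey>'."""
    match = GENERATED_KEY_RE.match(generated.strip())
    if match is None:
        raise ValueError("key is not in the format <accessKey>::<secretKey>,tenant id:<tenantID>")
    return f"{match['tenant']}::{match['access']}::{match['secret']}"


def collector_url(auto_generated: str, generated_key: str | None) -> str:
    """Return the URL to paste into the Splunk alert action.

    generated_key is None for the on-premises gateway with authentication
    disabled (drop '?token=API-KEY'); otherwise the reformatted key replaces
    API-KEY (SaaS, or the gateway with authentication enabled).
    """
    url = auto_generated.strip()
    if not url.endswith(TOKEN_PLACEHOLDER):
        raise ValueError("URL does not end with ?token=API-KEY; copy it again from Configure Mediator")
    base = url[: -len(TOKEN_PLACEHOLDER)]
    if generated_key is None:
        return base
    return f"{base}?token={reformat_access_key(generated_key)}"


# The page's sample values.
SAMPLE_URL = "https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf?token=API-KEY"
SAMPLE_KEY = "Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB,tenant id:385261281"

if __name__ == "__main__":
    print(collector_url(SAMPLE_URL, SAMPLE_KEY))   # SaaS, or gateway with authentication
    print(collector_url(SAMPLE_URL, None))         # gateway with authentication disabled
```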

Task 3: To configure Splunk Enterprise to forward events data to BMC Helix Intelligent Integrations

  1. Log on to Splunk Enterprise.
  2. On the Alerts tab, select Edit > Edit Alerts for the alerts that you want to configure.
  3. Depending on whether you are using only SaaS deployment of BMC Helix Intelligent Integrations or the on-premises gateway, in the Trigger Actions section, copy the collector URL that you modified in step 13 and paste it as the default value of the parameter, enclosed in double quotes.
  4. Click Save to save the alert.
  5. Select Edit > Enable, and then click Enable to enable the alert that you have edited.
  6. Go to step 15 to start the event stream.

Task 4: To verify the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the event stream for the connection you created is running. 

SplunkWebhook_EventsStream_243.png

A moving blue arrow (EventsStream_Icon.png) indicates that the event stream is running. Event data will be pushed as soon as events are available.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.
    SplunkEvents.png
     

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event-deduplication-suppression-and-closure-for-reducing-event-noise.

For more information about events, see Monitoring and managing events.

 
