Integrating with Elasticsearch


Elasticsearch is a distributed, open-source search and analytics engine widely used for storing, searching, and analyzing log and event data.

Configure a connection with Elasticsearch to collect metrics and events from Elasticsearch. 

Important

The Elasticsearch connector is available only for the on-premises deployment of BMC Helix Intelligent Integrations.

You can view the collected data in various BMC Helix applications and derive the following benefits:

BMC Helix application: BMC Helix Operations Management
Type of data collected or viewed: Events
Benefits: Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place. Process events to help identify actionable events quickly from a large volume of event data. For more information, see Monitoring events and reducing event noise.

BMC Helix application: BMC Helix Operations Management
Type of data collected or viewed: Metrics
Benefits: Use alarm and variate policies to detect anomalies and eliminate false positives for more accurate results while monitoring the health of your system. For more information, see Detecting anomalies by using static and dynamic thresholds.

BMC Helix application: BMC Helix Dashboards
Type of data collected or viewed: Events and metrics
Benefits: Create dashboards to get a consolidated view of data collected from third-party products across your environment. Improve the efficiency of your system by monitoring the key performance metrics and respond to issues quickly to minimize the downtime. For more information, see Creating custom dashboards.

As a tenant administrator, perform the following steps to configure a connection with Elasticsearch, verify the connection, and view the collected data in various BMC Helix applications.


Supported versions

BMC Helix Intelligent Integrations supports Elasticsearch version 8.13.4 for data collection.

Task 1: To plan for the connection

Review the following prerequisites to help you plan and configure a connection with Elasticsearch.

Elasticsearch prerequisites

Before you start configuring a connection with Elasticsearch, make sure that you:

  • Identify the paths where the hostname, monitor name, monitor type, and metric values are present in the index's data payloads.
  • Prepare the events and metrics JSLT mapping. BMC Helix Intelligent Integrations receives the events and metrics from the devices and applies JSLT mapping to transform them into events and metrics (in JSON format) that BMC Helix Operations Management understands.
Sample events JSLT mapping (update the JSLT as per your requirements):

// Drop the event (return an empty array) when the source host name is unknown
if (contains("UNKNOWN", .extras.source_hostname) == true)(
    []
)
else (
 {
 let start = .originTimestamp
 let eventId = string(.eventId)
 // Map Elasticsearch severities to BMC Helix Operations Management severities;
 // anything unrecognized becomes MAJOR
 let event_severity = if (.severity == "CriticalSeverity") "CRITICAL"
       else if (.severity == "MajorSeverity") "MAJOR"
       else if (.severity == "WarningSeverity") "WARNING"
       else if (.severity == "OkSeverity") "OK"
       else "MAJOR"
 // Map alert status; anything unrecognized is treated as OPEN
 let event_status = if (.status == "OpenEventStatus") "OPEN"
        else if (.status == "ClosedEventStatus") "CLOSED"
        else "OPEN"
  "class": "ElasticsearchAlert",
  "severity": $event_severity,
  "msg": .description,
  "status": $event_status,
  "_ci_id": .extras.ciExternalId,
  "source_hostname": .extras.source_hostname,
  "source_identifier": .extras.ciExternalId,
  "details": .title,
  "source_attributes": {
   "external_id": .extras.ciExternalId
  },
  "creation_time": string("" + $start),
  "source_unique_event_id": $eventId,
  "sourceEntityType": "Other",
  "extras": {
   "eventId": $eventId,
   "source_index_name": .extras.source_index_name,
   "source_alert_rule_category": .extras.source_alert_rule_category,
   "source_alert_rule_name": .extras.source_alert_rule_name,
   "source_alert_rule_producer": .extras.source_alert_rule_producer,
   "source_space_ids": .extras.source_space_ids,
   "source_alert_rule_tags": .extras.source_alert_rule_tags,
   "source_timestamp": .extras.source_timestamp,
   "source_alert_reason": .extras.source_alert_reason,
   "source_alert_evaluation_values": .extras.source_alert_evaluation_values,
   "source_host_name": .extras.source_hostname,
   "source_tags": .extras.source_tags,
   "source_alert_duration_us": .extras.source_alert_duration_us,
   "source_alert_time_range": .extras.source_alert_time_range,
   "source_alert_instance_id": .extras.source_alert_instance_id,
   "source_alert_start": .extras.source_alert_start,
   "source_alert_status": .extras.source_alert_status,
   "source_alert_workflow_status": .extras.source_alert_workflow_status,
   "source_event_kind": .extras.source_event_kind,
   "source_event_action": .extras.source_event_action,
   "source_alert_flapping": .extras.source_alert_flapping,
   // Remaining source fields are flattened into one string attribute
   "source_additional_data": string("{ source_alert_rule_consumer:" + .extras.source_alert_rule_consumer + ", " +
     "source_alert_rule_revision:" + .extras.source_alert_rule_revision + ", " +
     "source_alert_rule_rule_type_id:" + .extras.source_alert_rule_rule_type_id + ", " +
     "source_alert_rule_uuid:" + .extras.source_alert_rule_uuid + ", " +
     "source_alert_action_group:" + .extras.source_alert_action_group + ", " +
     "source_host_hostname:" + .extras.source_host_hostname + ", " +
     "source_host_os_family:" + .extras.source_host_os_family + ", " +
     "source_host_os_kernel:" + .extras.source_host_os_kernel + ", " +
     "source_host_os_name:" + .extras.source_host_os_name + ", " +
     "source_host_os_platform:" + .extras.source_host_os_platform + ", " +
     "source_host_os_type:" + .extras.source_host_os_type + ", " +
     "source_host_os_version:" + .extras.source_host_os_version + ", " +
     "source_host_ip:" + .extras.source_host_ip + ", " +
     "source_host_id:" + .extras.source_host_id + ", " +
     "source_host_mac:" + .extras.source_host_mac + ", " +
     "source_host_architecture:" + .extras.source_host_architecture + ", " +
     "source_alert_uuid:" + .extras.source_alert_uuid + ", " +
     "source_version:" + .extras.source_version + ", " +
     "source_alert_consecutive_matches:" + .extras.source_alert_consecutive_matches + ", " +
     "source_host_cpu:" + .extras.source_host_cpu + ", " +
     "source_alert_rule_execution_uuid:" + .extras.source_alert_rule_execution_uuid + "}")
  }
 }
)

Sample metrics JSLT mapping (update the JSLT as per your requirements):

[
  {
    "labels": {
      "metricName": .name,
      "hostname": .extras.hostname,
      "entityId": .extras.entityId,
      "entityTypeId": "ELASTICSEARCH_" + .extras.entityTypeId,
      "entityName": .extras.entityName,
      "hostType": "Server",
      "isKpi": true,
      "unit":
        if (test(.name, "(?i)bytes$") or test(.unit, "^(?i)bytes$"))
        (
          if (number(.value) >= 1073741824) "GBs"
          else if (number(.value) >= 1048576 and number(.value) < 1073741824) "MBs"
          else if (number(.value) >= 1024 and number(.value) < 1048576) "KBs"
          else "Bytes"
        )
        else .unit,
      "source": .extras.sourceName,
      "external_id": .extras.ciExternalId
    },
    "samples": [
      {
        "value":
          if (test(.name, "(?i)bytes$") or test(.unit, "^(?i)bytes$"))
          (
            if (number(.value) >= 1073741824) number(.value) / 1073741824
            else if (number(.value) >= 1048576 and number(.value) < 1073741824) number(.value) / 1048576
            else if (number(.value) >= 1024 and number(.value) < 1048576) number(.value) / 1024
            else number(.value)
          )
          else number(.value),
        "timestamp": number(.originTimestamp)
      }
    ]
  }
]

BMC Helix Intelligent Integrations prerequisites

  • Depending on the location of the third-party product (SaaS, on-premises), choose one or more BMC Helix Intelligent Integrations deployment modes and review the corresponding port requirements. For information about various deployment modes and port requirements, see Deployment-scenarios.
  • The on-premises gateway must be able to reach the third-party product on the required port (default is 9200).

In the preceding list, the third-party product refers to Elasticsearch. 

Task 2: To configure the connection with Elasticsearch

  1. To access BMC Helix Intelligent Integrations on-premises gateway, use the following URL:
    https://<hostName>:<portNumber>/swpui
  2. On the CONNECTORS tab, click the add icon in the SOURCES panel.
  3. Click the Elasticsearch tile.

  4. Specify the following details for the source connection:
    1. Specify a unique instance name.

      Best practice
      We recommend that you specify the instance name in the following format:

      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>

      The instance qualifier helps you to distinguish the multiple instances configured from the same source server. For example, you can name your instances as Elasticsearch_Host_PROD, Elasticsearch_Host_TEST, and so on.

    2. Specify the Elasticsearch host name.
    3. Specify the Elasticsearch HTTP or HTTPS port number, depending on the connection protocol (the default port number is 9200).
    4. Select the HTTPS option to use an HTTPS connection to the Elasticsearch host.
    5. Make sure that the HTTPS check box is selected to indicate that you plan to use an HTTPS connection to the Elasticsearch host.

      Caution

      We recommend that you do not select the Allow Unsigned Certificate option in a production environment. You might want to select this option to allow unsigned certificates in a test environment. See the Elasticsearch documentation to learn how to install SSL certificates.

    6. In the Max connections field, specify the maximum number of concurrent REST API requests to run during a collection schedule (default value is 5).
    7. Select one of the following authentication methods:
      • To use API authentication, perform the following steps:
        1. Select the Uses API key checkbox.
        2. Enter the API key to connect to the Elasticsearch host.
          Specify a valid API key to access the Elasticsearch API. Make sure that the API key has the required permissions to access the API. For more information, see the Elasticsearch documentation - Create an API key.
      • To use User authentication, perform the following steps:
        1. Select the Uses Basic Auth checkbox.
        2. Enter the user name and password for the Elasticsearch host.
  5. Click VALIDATE AND CREATE.
    The specified connection details are validated, and the corresponding source connection is created in the Source Connection list.
  6. Select the source connection that you created from the list if it is not selected already.

    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Make sure that you select the options for the data types needed to collect data.
    1. Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. Specify the parameters for the selected data type, as explained in the following table:

      Note: The ✅️ symbol indicates that the field is applicable to the data type; ❌️ indicates that it is not.

      Collection Schedule
      Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

      Select one of the following options to specify the data collection frequency:

      • Duration: When you select this option, data collection happens continuously. Specify the schedule in minutes, hours, or days.
        Default: 5 minutes
        Example: Collection Schedule is set to 5 mins. Current time is 00:30.
        If you run the collector just after 00:30, data is collected every 5 mins, first at 00:30 and next at 00:35, and so on.
      • Cron schedule: When you select this option, data collection happens periodically. Specify the schedule by using a cron expression.
        A cron expression is a string consisting of five subexpressions (fields) that describe individual details of the schedule. These fields, separated by blank spaces, can contain any of the allowed values with various combinations of the allowed characters for that field.
        Default: */5 * * * * (evaluates to every 5 minutes)
        Format: Minutes Hours (24-hour format) Day of Month Month Day of Week
        Example: If you specify 10 15 3 7 *, data is collected at 15:10 hours on the third day of July.

      For more information about how this parameter affects data collection, see Data collection schedule.

      Data Collection Window
      Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

      Specify the historical time period (in minutes) from the current time for which the data should be collected from Elasticsearch.
      Default: 5 minutes
      Example: Collection Schedule is set to 5 mins. Data Collection Window is set to 5 mins. Current time is 00:30.
      If you run the collector just after 00:30, data is collected first at 00:30 for the interval 00:25 - 00:30, and next at 00:35 for the interval 00:30 - 00:35, and so on.

      For more information about this parameter, see Data collection window.

      Data Latency
      Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

      Specify the time (in minutes) by which the data time window should be shifted back on the timeline. This parameter is useful when data becomes available with a delay.
      Default: 0 minutes
      Example: Collection Schedule is set to 5 mins. Data Collection Window is set to 10 mins. Data Latency is set to 2 mins. Current time is 00:30.
      If you run the collector just after 00:30, data is collected first at 00:30 for the interval 00:18 to 00:28, and then at 00:35 for the interval 00:23 to 00:33, and so on.

      For more information about this parameter, see Data latency.

      Event Status
      Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ❌️

      Specify the status for which you want to collect events. Possible values are:
      • Active
      • Recovered

      Metric Indices
      Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

      Specify the name of the metric indices that store the information. Metric indices are Elasticsearch indices that store metric data, such as CPU, network, memory, or custom user metrics.
      Use the index name followed by an asterisk (*) to make sure all relevant indices are included, for example, .ds-metrics-system.cpu-*

      Metric Host Name Path
      Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

      Specify the path within the payload of the index where the host name is located, for example, host/hostname

      Metric Monitor Name Path
      Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

      Specify the path within the payload where the monitor name is located, for example, event/module

      Metric Monitor Type Path
      Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

      Specify the path where the monitor type is located. This path distinguishes between the different system monitors that collect the various metrics, for example, event/dataset

      Metric Value Path
      Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

      Specify the path that identifies where the actual metric value is stored in the payload, such as bytes or packets. Add multiple metric value paths, separated by commas, to extract several metrics at once.
      This path is used to extract quantifiable values for metrics from the data structure, for example, host/network/egress/bytes
  8. Click CREATE COLLECTORS to create the required collector streams for the selected data types.
  9. Configure the distributors for the selected data types by clicking the respective data type in the Distributors section.
    Specify the parameters for the selected data type, as explained in the following table:

    Max Batching Size
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

    Specify the maximum number of data items to send in a single POST request to the destination API. The batch size depends on the destination's ability to buffer the incoming data.
    Default: 250

    Max Batching Delay
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

    Specify the maximum time (in seconds) to wait before building and processing a batch.
    Default: 3 seconds

    Base Retry Delay
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

    Specify the initial time (in seconds) to wait before retrying to build and process a batch. The waiting time increases in the following sequence: n^1, n^2, n^3, and so on, where n is the number of seconds.
    Default: 2 seconds
    Example: The Base Retry Delay is set to 2 seconds. A retry is performed after 2, 4, 8, 16, ... seconds.

    Max Intra-Retry Delay
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

    Specify the maximum limit for the base retry delay.
    Default: 60 seconds
    Example: Max Intra-Retry Delay is set to 60 seconds. Base Retry Delay is set to 2 seconds. Retries are performed 2, 4, 8, 16, 32, ... seconds later.

    Max Retry Duration
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ✅️

    Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request.
    Default: 5 minutes
    Example: Max Retry Duration is set to 8 hours. Base Retry Delay is set to 2 seconds. Requests are sent after 2+4+8+16+32+64+128... seconds until 8 hours in total duration is reached. After that, no further attempts are made to retry the delivery. The assumption is that if there is an outage or other issue with the destination tool, recovery takes less than the value of the Max Retry Duration parameter.

    Attributes To Be Dropped When Updating Events
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ❌️

    Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated.
    For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management, specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory.
    Important: You can obtain the event attribute names in BMC Helix Operations Management by exporting any event data in JSON, BAROC, XML, or CSV format. The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped.

    Device Filters and Metrics filters
    Device and Metrics filters help remove unwanted data and send only the required data to BMC Helix applications. The data is filtered by using the regular expression (regex) provided for device name, monitor name, monitor type, and metrics, and is sent to BMC Helix applications.

    Device Name Regex
    Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

    Specify the regex for the device name. Metrics for devices whose names match the regex are sent to BMC Helix applications.
    Examples:
    • To send data for devices whose names contain the string Linux, specify the regex as .*Linux.*.
    • To send data for devices whose names contain both the strings Cisco and Linux, specify the regex as (?=.*Cisco)(?=.*Linux).*.
    • To send data for devices whose names start with the string Linux, specify the regex as ^Linux.*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter .*Linux.* and ^(?!.*Linux).* together. The former regex sends metrics for the devices whose names contain the string Linux, while the latter regex sends metrics for the devices whose names do not contain the string Linux.

    Monitor Name Regex
    Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

    Specify the regex for the monitor name. Metrics for the monitors whose names match the regex are sent to BMC Helix applications.
    Examples:
    • To send data for the monitors whose names contain the string system, specify the regex as .*system.*.
    • To filter out the data for monitors that contain system in their name, specify the regex as ^(?!.*system).*.
    • To send data for monitors whose names start with the string system, specify the regex as ^system.*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter .*system.* and ^(?!.*system).* together. The former regex sends metrics for the monitors whose names contain the string system, while the latter regex sends metrics for the monitors whose names do not contain the string system.

    Monitor Type Regex
    Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

    Specify the regex for the monitor type. Metrics for the monitor types that match the regex are sent to BMC Helix applications.
    Examples:
    • To send data for the monitor types that contain the string health, specify the regex as .*health.*.
    • To send data for the monitor types that start with the string health, specify the regex as ^health.*.
    • To filter out the monitor types containing the string health, specify the regex as ^(?!.*health).*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter ^health.* and ^(?!.*health).* together. The former regex collects metrics for the monitor types whose names start with the string health, while the latter regex collects data for the monitor types whose names do not contain the string health.

    Metrics Regex
    Applies to: Elasticsearch Events ❌️ | Elasticsearch Metrics ✅️

    Specify the regex for the metrics. Metrics whose names match the regex are sent to BMC Helix applications.
    Examples:
    • To send metrics that contain the string avg in their names, specify the regex as .*avg.*.
    • To filter out the metrics that contain the string avg, specify the regex as ^(?!.*avg).*.
    • To send metrics whose names start with the string avg, specify the regex as ^avg.*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter .*avg.* and ^(?!.*avg).* together. The former regex sends metrics whose name contains the string avg, while the latter regex sends metrics whose name does not contain the string avg.

    Events Filters
    Events filters help remove unwanted data and send only the required events to BMC Helix applications. The data is filtered by using the regular expression (regex) provided for host, message, and detailed message, and is sent to BMC Helix applications.

    Host Regex
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ❌️

    Specify the regex for the host name. Events for the hosts whose names match the regex are sent to BMC Helix applications.
    Examples:
    • To send data for the host name /inventory/pricing, specify the regex as ^/inventory/pricing$.
    • To filter out data whose host name contains the string inventory, specify the regex as ^(?!.*inventory).*.
    • To send data for the hosts whose names start with the string inventory, specify the regex as ^inventory.*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter .*(inventory).* and ^(?!.*inventory).* together. The former regex sends events for the hosts whose names contain the string inventory, while the latter regex sends events for the hosts whose names do not contain the string inventory.

    Message Regex
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ❌️

    Specify the regex for the event message. Events whose messages match the regex are sent to BMC Helix applications.
    Examples:
    • To send events whose messages contain the string HRV alert, specify the regex as .*HRV alert.*.
    • To filter out the events whose message contains the string HRV alert, specify the regex as ^(?!.*HRV alert).*.
    • To send events whose message starts with the string HRV alert, specify the regex as ^(HRV alert).*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter .*HRV alert.* and ^(?!.*HRV alert).* together. The former regex sends events whose message contains the string HRV alert, while the latter regex sends events whose message does not contain the string HRV alert.

    Detailed Message Regex
    Applies to: Elasticsearch Events ✅️ | Elasticsearch Metrics ❌️

    Specify the regex for the detailed message. Events whose detailed messages match the regex are sent to BMC Helix applications.
    Examples:
    • To send events whose detailed message contains the string ci_display_name: easyTravel-k8s, specify the regex as .*ci_display_name: easyTravel-k8s.*.
    • To filter out the events whose detailed message contains the string ci_display_name: easyTravel-k8s, specify the regex as ^(?!.*ci_display_name: easyTravel-k8s).*.
    • To send the events whose detailed message starts with the string ci_display_name: easyTravel-k8s, specify the regex as ^(ci_display_name: easyTravel-k8s).*.
    Important: If you are using multiple regex, make sure that the regex do not conflict. For example, do not enter .*ci_display_name: easyTravel-k8s.* and ^(?!.*ci_display_name: easyTravel-k8s).* together. The former regex sends events whose detailed message contains the string ci_display_name: easyTravel-k8s, while the latter regex sends events whose detailed message does not contain the string ci_display_name: easyTravel-k8s.
  10. In the Distributors section, configure the JSLT mapping for events and metrics by performing the following steps:
    1. Click Edit JSON to open the JSON configuration.
    2. Set the jsltField parameter to an empty string as follows:
      "jsltField":""
    3. Exit Edit JSON mode.
      The JSLT mapping field is enabled.
    4. In the JSLT mapping field, enter the required JSLT mapping.
      See the Elasticsearch prerequisites section for sample events and metrics JSLT mapping.
    5. Save the configuration.
  11. Click CREATE DISTRIBUTORS to create the required distributor streams for the selected data types.
  12. Click one of the following buttons:

    • SAVE STREAM: Click this button if you want to edit the integration details before creating the instance. After you save the stream, the connector that you just created is listed in the SOURCES panel. Move the slider to the right to start the data stream.
    • SAVE AND START STREAM: Click this button if you want to save the integration details and start receiving data immediately.

Important
For a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs during the data collection process. After completion of the process, these columns are updated with an appropriate status.
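
The Collection Schedule, Data Collection Window and Data Latency rules from the collector table, and the retry sequence from the distributor table, worked through in Python. This is an added example and not part of the product: the function names, the 00:30 start time and the assumption that each retry wait is the previous wait multiplied by the base delay (giving n^1, n^2, n^3, ...) are mine.

```python
from datetime import datetime, timedelta


def collection_intervals(first_run, schedule_min, window_min, latency_min, runs):
    """Intervals fetched by consecutive collector runs.

    first_run is the "HH:MM" time the collector is started. A run at time T
    collects [T - latency - window, T - latency], exactly as the Data Collection
    Window and Data Latency examples describe. Returns a list of
    (run_time, interval_start, interval_end) triples as "HH:MM" strings.
    """
    t = datetime.strptime(first_run, "%H:%M")
    out = []
    for i in range(runs):
        run_at = t + timedelta(minutes=i * schedule_min)
        end = run_at - timedelta(minutes=latency_min)   # shift back by Data Latency
        start = end - timedelta(minutes=window_min)     # look back over the window
        out.append(tuple(x.strftime("%H:%M") for x in (run_at, start, end)))
    return out


def window_overlap_min(schedule_min, window_min):
    """How the window and schedule relate per run.

    Positive: minutes that consecutive windows overlap (the same data is fetched
    twice, so expect duplicates downstream). Negative: minutes between runs that
    no window covers (data in that gap is never collected). Zero: exact tiling.
    """
    return window_min - schedule_min


def retry_delays(base_s, max_intra_s, max_duration_s):
    """Waits (seconds) before each retry of a failed delivery.

    base_s is Base Retry Delay, max_intra_s is Max Intra-Retry Delay and
    max_duration_s is Max Retry Duration. Waits grow base, base^2, base^3, ...
    capped at max_intra_s; retrying stops once the next wait would push the
    total past max_duration_s.
    """
    if base_s < 1:
        raise ValueError("Base Retry Delay must be at least 1 second")
    delays, elapsed = [], 0
    wait = min(base_s, max_intra_s)
    while elapsed + wait <= max_duration_s:
        delays.append(wait)
        elapsed += wait
        wait = min(wait * base_s, max_intra_s)  # n^1, n^2, n^3 ... up to the cap
    return delays


if __name__ == "__main__":
    # Constructed settings matching the Data Latency example in the table.
    for run, start, end in collection_intervals("00:30", 5, 10, 2, 3):
        print(f"run at {run} collects {start} - {end}")
    print("window overlap per run (min):", window_overlap_min(5, 10))
    # Defaults from the distributor table: 2 s base, 60 s cap, 5 min total.
    waits = retry_delays(2, 60, 300)
    print("retry waits:", waits, "total seconds:", sum(waits))
```

With the table's defaults the delivery is retried eight times (2, 4, 8, 16, 32, then 60 three times) within the 5-minute Max Retry Duration, after which it is abandoned.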
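
The Device, Monitor, Monitor Type and Metrics filter regexes from the distributor table applied to constructed metric records, including a check for the conflicting pairs the table warns about. This is an added example, not the product's filter code; it assumes that each configured regex is matched from the start of its field (Python re.match, which is what the ^...$ and ^(?!...) examples rely on) and that every configured filter must accept a record for it to be forwarded.

```python
import re

# Constructed metric records, as a distributor would see them after collection.
RECORDS = [
    {"device": "Linux-web-01",     "monitor": "system",  "type": "health", "metric": "cpu_avg"},
    {"device": "Cisco-Linux-edge", "monitor": "network", "type": "health", "metric": "bytes_in"},
    {"device": "Windows-db-02",    "monitor": "system",  "type": "disk",   "metric": "io_avg"},
]

# Which record field each distributor parameter filters on (assumed mapping).
FIELDS = {
    "Device Name Regex": "device",
    "Monitor Name Regex": "monitor",
    "Monitor Type Regex": "type",
    "Metrics Regex": "metric",
}


def passes(record, filters):
    """Assumed semantics: every configured (non-empty) regex must accept its field.

    re.match anchors at the start of the value, so ^...$ and the negative
    lookahead ^(?!...) behave as the table's examples describe, while .*x.*
    still finds x anywhere in the value. An empty filter set accepts everything.
    """
    return all(re.match(rx, record[FIELDS[name]]) for name, rx in filters.items() if rx)


def forwarded(records, filters):
    """'device/metric' labels of the records that would be sent on."""
    return [f"{r['device']}/{r['metric']}" for r in records if passes(r, filters)]


def conflicting(regexes, values):
    """True when no sample value satisfies all the regexes at once.

    That is the conflict the table warns about: .*Linux.* together with
    ^(?!.*Linux).* cannot both match any name, so nothing is forwarded.
    """
    return not any(all(re.match(rx, v) for rx in regexes) for v in values)


if __name__ == "__main__":
    print(forwarded(RECORDS, {"Device Name Regex": "(?=.*Cisco)(?=.*Linux).*"}))
    print(forwarded(RECORDS, {"Device Name Regex": ".*Linux.*", "Metrics Regex": ".*avg.*"}))
    print(forwarded(RECORDS, {"Monitor Type Regex": "^(?!.*health).*"}))
    devices = [r["device"] for r in RECORDS]
    print(conflicting([".*Linux.*", "^(?!.*Linux).*"], devices))  # the conflicting pair
    print(conflicting([".*Linux.*", "^Linux.*"], devices))        # compatible pair
```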

Task 3: To verify the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the data streams for the connection you created are running. Data streaming is indicated by moving colored arrows.


  • A moving blue arrow indicates that the event stream is running. Event data is pushed according to the configured Collection Schedule interval.
  • A moving red arrow indicates that the metric stream is running. Metric data is pushed according to the configured Collection Schedule interval.

Task 4: To view data in BMC Helix applications

View data collected from Elasticsearch in multiple BMC Helix applications.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the status: Active or Recovered.

For more information about events, see Monitoring and managing events.

To view metrics in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Devices.
  2. Click the links for the required device.
  3. On the Monitors tab, click the required monitor.
    The Performance Overview tab shows the metrics graph. 

For information about metrics, see Viewing collected data.

 


BMC Helix Intelligent Integrations 25.3