Skip to Content

Integrating with Splunk Enterprise via webhook

Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

Splunk uses webhook to push real-time alerts about problems detected in the environment. Whenever Splunk detects a problem, BMC Helix Intelligent Integrations WebSocket receives an alert. BMC Helix Intelligent Integrations invokes the Splunk REST API and processes alerts from a saved search alert. The BMC Helix Intelligent IntegrationsSplunk Enterprise connector collects events from Splunk by using the webhook mechanism.

As a tenant administrator, it's important that you can monitor the connected systems and quickly identify and resolve any issues.  

Related topics

Editing and deleting integrations

Monitoring BMC Helix Intelligent Integrations

You can view the collected events in BMC Helix Operations Management and derive the following benefits:

BMC Helix application

Type of data collected or viewed

Benefits

BMC Helix Operations Management

Events

Use a centralized event view to monitor, filter, and manage events, and perform event operations in one place. 

Process events to help identify actionable events quickly from a large volume of event data.

For more information, see Monitoring events and reducing event noise.

As a tenant administrator, perform the following steps to configure a connection with Splunk via webhook, verify the connection, and view the collected data in various BMC Helix applications.

ConnectorSteps.png

Supported versions

BMC Helix Intelligent Integrations supports the following versions of Splunk for data collection.

  • Splunk Cloud Platform
  • Splunk Enterprise 9.2.2
  • Splunk Enterprise 9.0.5

Before you begin

Make sure you perform the following actions before you configure a connection with Splunk:

Splunk requirements

  • This connector collects data from Splunk alerts. A Splunk alert contains information about events. Ensure that the Splunk user account that you plan to use when you configure the Splunk Webhook connector has permission to query the required Splunk saved search alert report.
  • Make that the Splunk alert from which you want to collect data is part of the Search & Reporting application (Search app). For details, see the Search app in the Splunk Enterprise documentation.
    For example, the following figure shows the Splunk_II_Alerts alert, which is part of the Search app. It contains events from a third-party product.
    Splunk_Alerts1.png
  • To display meaningful data in BMC Helix Operations Management from a Splunk alert containing events from a third-party product, the alert should meet the following criteria:
    • The alert must have fields that contain the following type of information:
      • Event ID: An identifier that can be concatenated with other fields in the report to get a unique identifier. For example, you can concatenate this identifier with issue, and differentiate events that differ only by status.

      • Severity: The event severity.

        Warning
        Important

        If severity is represented by numeric values in Splunk Enterprise (for example, 1, 2), convert the values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Ok
        • Critical
        • Minor 
        • Major
        • Minor
        • Warning
        • Unknown

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Status: The event status
        Warning
        Important

        If status is represented by numeric values in Splunk Event Webhook (for example, 1, 2), convert values to a string format with the following possible values for ingestion into BMC Helix Operations Management:

        • Created
        • Closed

        For information about conversion, see Comparison and Conditional functions in the Splunk Enterprise documentation.

      • Configuration ID
      • Configuration Item type

BMC Helix Intelligent Integrations requirements

  • Depending on the location of the third-party product (SaaS, on-premises), choose one or more BMC Helix Intelligent Integrations deployment modes and review the corresponding port requirements. For information about various deployment modes and port requirements, see Deployment scenarios.
  • Based on the deployment mode, use the BMC Helix Intelligent Integrations SaaS deployment or the BMC Helix Intelligent Integrations on-premises gateway or both. For more information about the gateway, see Deploying the BMC Helix Intelligent Integrations on-premises gateway.
  • The on-premises gateway must be able to reach the third-party product on the required port (default is 8089).

In the preceding list, third-party product refers to Splunk. 

Task 1: To configure the connection with Splunk

  1. To access BMC Helix Intelligent Integrations, perform one of the following steps depending on your deployment mode:

    • BMC Helix Intelligent Integrations SaaS – Log on to BMC Helix Portal, and click the BMC Helix Intelligent Integrations tile.
    • BMC Helix Intelligent Integrations on-premises gateway – Use the following URL to access BMC Helix
      Intelligent Integrations: https://hostName:portNumber/swpui
  2. On the CONNECTORS tab, click add_icon.pngin the SOURCES panel.
  3. Click the Splunk Events Webhook tile.
  4. Specify the following details for the source connection:
    1. Specify a unique instance name.
      Success
      Best practice

      We recommend that you specify the instance name in the following format:
      <sourceType>_<sourceControllerServerName>_<InstanceQualifier>
      The instance qualifier helps you distinguish the multiple instances configured from the same source server. For example, you can name your instances Splunk_Host_PROD, Splunk_Host_TEST, and so on.

    2. Specify the Splunk host name.
    3. Specify the Splunk HTTP or HTTPS port number depending on the connection protocol (default port number is 8089).
    4. Select the HTTPS option to use an HTTPS connection to the Splunk host.

      Do not select the Allow Unsigned Certificate option in a production environment. You can select this option to allow unsigned certificates in a test environment. To learn how to install SSL certificates, see the Splunk documentation.

    5. Specify one of the following authentication methods​​​​​:
      • Basic authentication—Enter the user name and password for the Splunk host.
      • API token—Select Use Token Authentication and specify a valid token to access the Splunk API. For more information about obtaining token, see Create authentication tokens​​​​​​ in the Splunk documentation.
  5. Click VALIDATE AND CREATE.
  6. Select the source connection that you created from the list if it is not selected already.
    Warning
    Important

    The destination host connection is created and configured automatically when the source connection is created.

  7. Make sure that you select the options for the required data types to collect data.

  8. Configure the collectors for the selected data types by clicking the respective data type in the Collectors section. 

    Click here to view the collection parameters for the selected data types
    Parameter nameDescription
    Severity Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Severity Field Name field in BMC Helix Intelligent Integrations.

    Important:

    • The alert field that you want to map to the Severity Field Name field might not be named Severity Field Name in your alert. If the name differs, type the field name that contains the severity values.
    • Make sure that the alert field that you want to map to the Severity Field Name field has one of the following severity values:
      • Ok
      • Critical
      • Minor
      • Major
      • Warning
      • Unknown
    Status Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Status
    Field Name     field in BMC Helix Intelligent Integrations.

    Important:

    • The alert field that you want to map to the Status Field Name field might not be named Status Field Name in your alert. If the name differs, type the field name that contains the status values. For example, in the sample alert, this field is named as Type. So, you need to type Type in this field.
    • Make sure that the alert field that you want to map to the Status Field Name field has one of the following status values:
      • Created
      • Closed
    Event ID Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Event ID
    Field Name     field in BMC Helix Intelligent Integrations.

    Important:

    • The alert field that you want to map to the Event ID Field Name field might not be named Event ID Field Name in your alert. If the name differs, type the field name that contains the event ID values.
    • The alert field that you want to map to the Event ID Field Name field must not be empty. If the alert field is empty, no event is created in BMC Helix Operations Management.
    Event Title Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Event Title Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Event Title Field Name field might not be named Event Title Field Name in your alert. If the name differs, type the field name that contains the title value.

    For example, in the sample alert, this field is named as Summary. So, you need to type Summary in this field.

    Description Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the
    Description Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Description Field Name field might not be named Description
    Field Name     in your Splunk alert. If the name differs, type the field name that contains the description value.

    Category Field Name

    Enter the field name available in the Splunk Enterprise alert from which you want to collect data and map to the Category
    Field Name     field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Category Field Name field might not be named Category Field
    Name     in the Splunk alert. If the name differs, type the field name that has the category value.

    Subcategory Field Name

    Enter a field available in the Splunk alert from which you want to collect data and map to the Events Subcategory Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Subcategory Field Name field might not be named Subcategory
    Field Name     in your alert. If the name differs, enter the field name that has the subcategory value.

    Origin URI Field Name

    Enter the field name available in the Splunk alert from which you want to collect data and map to the Origin URI Field Name field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Origin URI Field Name field might not be named Event Origin URI Field Name in your alert. If the name differs, enter the field name that has the event URI value.

    Configuration ID

    Enter a field name available in the Splunk alert from which you want to collect data and map to the Configuration ID field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Configuration ID field might not be named Configuration ID in your alert. If the name differs, type a field that has the configuration ID value.

    Configuration Item Type

    Enter a field available in the Splunk Enterprise alert from which you want to collect data and map to the Configuration Item Type field in BMC Helix Intelligent Integrations.

    Important: The alert field that you want to map to the Configuration Item Type field might not be named Configuration Item Type in your alert. If the name differs, select a field that has the configuration item type value.

  9. To create the required collector streams for the selected data types, click CREATE COLLECTORS.
  10. Configure the distributors for the selected data types by clicking the respective data type in the Distributors section.
    Click here to view the distribution parameters for the selected data types

     

    Parameter name

    Description

    Max Batching Size

    Specify the maximum number of data items to send in a single POST request to the destination API.
    The batch size     depends on the destination’s ability to buffer the incoming data.

    Default: 250

    Max Batching Delay

    Specify the maximum time (in seconds) to wait before building and processing a batch.

    Default: 3 seconds 

    Base Retry Delay

    Specify the initial time (in seconds) for which to wait before retrying to build and process a batch.
    The waiting time increases in the following sequence: n1, n2, n3, and so on, where n indicates the number of seconds.

    Default: 2 seconds

    Example: Base Retry Delay is set to 2 seconds.

    Retry is performed after 2, 4, 8, 16, ... seconds.

    Max Intra-Retry Delay

    Specify the maximum limit for the base retry delay. 

    Default: 60 seconds

    Example: Max Intra-Retry Delay is set to 60 seconds.

    Base Retry Delay is set to 2 seconds.

    Retries are performed 2, 4, 8, 16, 32,... seconds later.

    Max Retry Duration

    Specify the total time for retrying a delivery. For REST destinations, a delivery is a batch of data items in one POST request. 

    Default: 5 minutes

    Example: Max Retry Duration is set to 8 hours.

    Base Retry Delay is set to 2 seconds.

    Requests are sent for 2+4+8+16+32+64+132... until 8 hours in total duration is reached. After that, no subsequent attempts are made to retry the delivery.The assumption here is that if there is an outage or other issue with the destination tool, recovery should take less than the value of the Max Retry Duration parameter to be completed.

    Attributes To Be Dropped When Updating Events

    Specify the event attributes that you do not want to be updated in BMC Helix Operations Management when events are updated. For example, if you do not want an event's severity, source address, source category, and subcategory to be updated in BMC Helix Operations Management, you need to specify those attributes in a comma-separated format: severity,source_address,source_category,source_subcategory.

    Important: You can obtain the event attribute names in BMC Helix Operations Management, by exporting any event data in JSON, BAROC, XML, or CSV format. The exported file contains all attributes of the event data, and from there you can identify the attributes to be dropped. 

    Events FiltersEvents filters help remove unwanted data and send only the required events to BMC Helix applications. The data is filtered by using the regular expression (regex) provided for host, message, and detailed message and is sent to BMC Helix applications.
    Host RegexErrorThe referenced document [xwiki:Helix-Common-Services.Intelligent-Integrations.BMC-Helix-Intelligent-Integrations.bhii261.Integrating-by-using-BMC-Helix-Intelligent-Integrations.Integrating-with-AWS-CloudWatch] was not found.
    Message RegexSpecify the regex for the event message. Messages for the events that match the regex are sent to BMC Helix applications.
    Examples:
    • To send events whose messages contain the string HRV alert, specify the regex as .*HRV alert*.
    • To filter out the events whose message contains the string HRV alert, specify the regex as ^(?!.*HRV alert).*.
    • To send events whose message starts with the string HRV alert, specify the regex as ^(HRV alert).*. 
    Important:
    If you are using multiple regex, make sure that the regex do not conflict.
    For example, do not enter .*HRV alert.* and ^(?!.*HRV alert).* together. The former regex sends events whose message contains the string HRV alert, while the latter regex sends events whose message do not contain the string HRV alert.
    Detailed Message RegexSpecify the regex for the detailed message. Detailed messages for the events that match the regex are sent to BMC Helix applications.
    Examples:​​
    • To send events whose detailed message contains the string ci_display_name: easyTravel-k8s, specify the regex as .*ci_display_name: easyTravel-k8s.*.
    • To filter out the events whose detailed message contains the string ci_display_name: easyTravel-k8s, specify the regex as ^(?!.*ci_display_name: easyTravel-k8s).*.
    • To send the events whose detailed message starts with the string ci_display_name: easyTravel-k8s, specify the regex as ^(ci_display_name: easyTravel-k8s).*.
    Important:
    If you are using multiple regex, make sure that the regex do not conflict.
    For example, do not enter .*ci_display_name: easyTravel-k8s.* and ^(?!.*ci_display_name: easyTravel-k8s).* together. The former regex sends events whose detailed message contains the string ci_display_name: easyTravel-k8s, while the latter regex sends events whose message do not contain the string ci_display_name: easyTravel-k8s.
  11. Click CREATE COLLECTORS to create the required collector stream for the selected data type.
  12. Configure the distributors for the selected data type by clicking the data type in the Distributors section and specifying the parameters for the selected data type, as explained in the following table:
  13. Click CREATE DISTRIBUTORS to create the required distributor stream for the selected data type.
  14. Click VALIDATE AND CREATE and then click SAVE STREAM to save the stream.
    After you save the stream, the connector that you just created is listed on the SOURCES panel.
  15. On the SOURCES panel, click Configure Mediator ConfigureMediator_icon.pngfor the source connection that you created and then expand SPLUNK EVENTS WEBHOOK.
  16. Click copy copy_URL.png to copy the auto-generated Spulnk webhook collector URL and save it in a temporary file.
    For example, https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf?token=API-KEY.
  17. Depending on whether you are using only a SaaS deployment of BMC Helix Intelligent Integrations or BMC Helix Intelligent Integrations on-premises gateway, perform the following steps:
    1. If you are using only SaaS deployment of BMC Helix Intelligent Integrations or the on-premises gateway with authentication enabled, perform the following steps:
      1. Log on to BMC Helix Portal and generate an access key.
        For instructions, see Setting up access keys for programmatic access
      2. Copy the generated access key and save it in a temporary file.
        The key is generated in the format: <accessKey>::<secretKey>,tenant id:<tenantID>.
        For example, Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB,tenant id:385261281
      3. Change the format of the access key to <tenantID>::<accessKey>::<secretKey>.
        For example, 385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB
      4. In a temporary file, modify the auto-generated collector URL by replacing API-KEY with the access key that you formatted in the previous step.
        For example, https://host.ab.com/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdfd?
        token=385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB
      5. (If you are collecting data in a high-availablity environment and using load balancers) Replace the host name with the DNS record that you have created for the virtual IP (VIP). For example, if the DNS record is named VIP_HII, the updated collector URL looks like the following:
        https://VIP_HII/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdfd?
        token=385261281::Y40OSC49QZA11Q8A1H9H6::MnVLk69TNyCEponsthHJ1Hj1uKcjTB        .
        For more information about collecting data in a high availablity environment, see Configuring the on-premises gateway for high availability on Docker and Podman containers.
      6. Configure Splunk to forward incidents data to BMC Helix Intelligent Integrations.
    2. If you are using the on-premises gateway with authentication disabled, perform the following steps:
      1. Save the URL in a temporary file.
      2. Remove the following string from the collector URL:?token=API-KEY
        The updated collector URL looks like the following example:
        https://hostA/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf
      3. (If you are collecting data in a high-availablity environment and using load balancers) Replace the host name with the DNS record that you have created for the VIP. For example, if the DNS record is named VIP_HII, the updated collector URL looks like the following:
        https://VIP_HII/hii/api/mediator/v3/push/9mn-6c97-4c2e-8pc5-12c0asdf
        For more information about collecting data in a high availablity environment, see Configuring the on-premises gateway for high availability on Docker and Podman containers.
      4. Configure Splunk to forward incidents data to BMC Helix Intelligent Integrations.
  18. On the SOURCES panel, move the slider to the right to start the event stream for the connector.
    Warning
    Important

    For a data stream, the Run Latency (max/avg), Items (Avg per Run), and Last Run Status columns on the Streams page might show the status as No Runs during the data collection process. After completion of the process, these columns are updated with an appropriate status.

Task 2: To configure Splunk Enterprise to forward events data to BMC Helix Intelligent Integrations

  1. Log on to Splunk Enterprise.
  1. On the Alerts tab, select Edit > Edit Alerts for the alerts that you want to configure.
  2. Depending on whether you are using only SaaS deployment of BMC Helix Intelligent Integrations or the on-premises gateway, in the Trigger Actions section, copy the collector URL that you modified in step 13 and paste it as the default value of the parameter, enclosed in double quotes.
  3. Click Save to save the alert.
  4. Select Edit > Enable, and then click Enable to enable the alert that you have edited.
  5. Go to step 15 to start the event stream.

Task 3: To verify the connection

From BMC Helix Intelligent Integrations, on the SOURCES panel, confirm that the event stream for the connection you created is running. 

SplunkWebhook_EventsStream_243.png

A moving blue arrow (EventsStream_Icon.png) indicates that the event stream is running. Event data will be pushed as soon as events are available.

Task 4: To view data in BMC Helix applications

View data collected from Splunk in multiple BMC Helix applications.

To view events in BMC Helix Operations Management

  1. In BMC Helix Operations Management, select Monitoring > Events.
  2. Filter the events by the SplunkEvent class.
    SplunkEvents.png

Incoming events from Splunk are processed in BMC Helix Operations Management through a set of deduplication rules to determine whether the incoming event is a duplicate event or a new event. For more information, see Event deduplication, suppression, and closure for reducing event noise.

For more information about events, see Monitoring and managing events.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

BMC Helix Intelligent Integrations 26.1