Creating Splunk alerts for BMC Helix Operations Management events by using Jitterbit Harmony


BMC Helix iPaaS, powered by Jitterbit, provides a pre-built integration template to create Splunk alerts for events created in BMC Helix Operations Management. To use the integration template with the values defined out of the box, you update the project variables with details of your systems and deploy the integration template.

The integration template provides the following capabilities: 

| Use case | BMC Helix Operations Management to Splunk |
|---|---|
| Create a new alert | Creates a new alert in Splunk when an event is generated in BMC Helix Operations Management |
| Update an alert | Updates an alert in Splunk when the corresponding BMC Helix Operations Management event is updated |
| Disable alerts | Disables alerts in Splunk when the corresponding BMC Helix Operations Management event status is updated to Closed |

After you deploy the integration template, Splunk alerts are created or updated when an event in BMC Helix Operations Management is created, updated, or closed. Splunk alerts are sent for any updates made in the corresponding event in BMC Helix Operations Management.

BMC Helix Operations Management to Splunk data flow

The following image gives an overview of the data flow for creating or updating a Splunk alert from a BMC Helix Operations Management event:

[Image: JB_HOM_Splunk_create_update_alert.png]

The following image gives an overview of the data flow for disabling a Splunk alert when a BMC Helix Operations Management event is closed:

[Image: JB_HOM_Splunk_disable_alert.png]

Before you begin

Required versions

  • BMC Helix Operations Management version 20.08 or later
  • Splunk version 8.1 or later

Authentication and permissions

  • Access to a Splunk account
  • Access to create and update events in BMC Helix Operations Management

Jitterbit Harmony subscription

A valid BMC Helix iPaaS subscription

Task 1: To generate the secret key and ID for BMC Helix Operations Management

  1. Log in to BMC Helix Portal.
  2. Select Common Services > User Management.
  3. Log in to BMC Helix Operations Management.
  4. On the API users tab, click Add API User.
  5. Enter the following details required for the API user:
    • API username
    • Description
    • Key expiry
  6. Click Confirm.
  7. Copy the Secret Key, API Key, and Tenant ID values. 

    Important

    You can copy the access key and secret key only when they are generated. After that, they are stored in an encrypted format and cannot be copied. If you do not copy the values when they are generated, or if you lose them, you must generate a new one.

These values are required to register BMC Helix iPaaS with your BMC Helix Operations Management instance. For more information about generating the tenant ID, access key, and secret key, see Setting up user level API keys.

Task 2: To download and import the integration template project file

  1. Download the Sync BMC Helix Operations Management Events with Splunk Alerts 2022-07-01 project file to your system.
    This file contains the BMC Helix iPaaS Integration Studio project Sync BMC Helix Operations Management Events with Splunk Alerts.

    Important

    Your ability to access product pages on the EPD website is determined by the license your company purchased.

  2. As a developer, log in to BMC Helix iPaaS and navigate to the Integration Studio.
  3. On the projects page, click Import.
  4. Click Browse to navigate to and select the Sync BMC Helix Operations Management Events with Splunk Alerts 2022-07-01 file you downloaded. 
    The Project Name and Organization fields are automatically populated depending on the values defined. 
  5. From the Environment list, select the environment to which you want to import this integration template, and click Import.
    The project opens after the integration template is imported.
  6. To open the project file at a later time, select the environment where the integration templates are available, select the Sync BMC Helix Operations Management Events with Splunk Alerts project and click View/Edit.

Task 3: To update the project variables for the integration template

  1. Next to the Environment name, click the ellipsis ... and select Project Variables.
  2. Update the following project variables:
    • Access points and authentication details for Splunk and BMC Helix iPaaS applications

      | Application | Project variable | Value |
      |---|---|---|
      | Splunk | splunk_url | Enter the host URL or IP address for Splunk. The host URL or IP address must use the HTTPS protocol. |
      | Splunk | splunk_username | Enter the user ID to access Splunk. |
      | Splunk | splunk_password | Enter the password of the user to access Splunk. |
      | Splunk | splunk_port | Enter the port number for the Splunk URL. |
      | BMC Helix Operations Management | hom_server_url | Enter the RestAPI URL of the BMC Helix Operations Management instance. |
      | BMC Helix Operations Management | hom_tenant_id | Enter the Tenant ID of the API user created to access BMC Helix Operations Management in Task 1. |
      | BMC Helix Operations Management | hom_access_key | Enter the access key generated for BMC Helix Operations Management in Task 1. |
      | BMC Helix Operations Management | hom_secret_key | Enter the secret key generated for the access key in Task 1. |
      | BMC Helix Operations Management | hom_webhook_name | Name of the API Webhook for BMC Helix Operations Management. |
      | BMC Helix iPaaS | BHIP_Url | Enter the URL to access BMC Helix iPaaS. |
      | BMC Helix iPaaS | BHIP_User | Enter the user ID to access BMC Helix iPaaS. |
      | BMC Helix iPaaS | BHIP_User_Password | Enter the password of the user ID to access BMC Helix iPaaS. |

    • Webhook API variables

      | Project variable | Value |
      |---|---|
      | BHIP_Hom_Webhook_Action | Enter the action to create or update a Webhook on BMC Helix Operations Management. Valid values include CREATE and UPDATE. |
      | BHIP_Project_Name | Enter the name of the imported project that is used to create the Webhook API. |
      | BHIP_Operation_Name | Enter the name of the operation to trigger when the Webhook API is triggered. This value is added to the BMC Helix iPaaS Jitterbit API. By default, the value is set to Integration API Flow Controller. |
      | BHIP_Integration_API_Name | Enter the name for the Webhook API that is created in BMC Helix Platform. By default, this value is set to HomToSplunkTemplate. |
      | BHIP_Integration_API_Method | Enter the RestAPI method that is used by the Webhook API. This value is added to the BMC Helix iPaaS Jitterbit API. Valid values include: POST (Default), GET, PUT, DELETE. |
      | BHIP_Integration_API_Response_Type | Enter the RestAPI response type used by the Webhook API created. This value is added in the BMC Helix iPaaS Jitterbit API. By default, set to VARIABLE. |
      | BHIP_Integration_API_Security_Profile_Type | Enter a security profile type. You can set the following values for this variable: BASIC, APIKEY, ANONYMOUS. The default value is BASIC. Enter comma-separated values to select multiple profile types (ANONYMOUS,BASIC). A security profile type defines the authentication type to be used by the Webhook API while accessing BMC Helix Operations Management. This value is added in the BMC Helix iPaaS Jitterbit API. Important: For profile types supported by the ITSM application, the security profiles are automatically created by the integration template when you enable the integration. BMC Helix iPaaS does not support OAuth authentication for this application. |
      | BHIP_Integration_API_Security_Profile_Name_Suffix | Enter the suffix to be added to the name of security profiles created. |
      | BHIP_Integration_API_Security_Profile_BASIC_Auth_Username | For security profile type BASIC, enter the user name to be used to create the security profile. The Jitterbit API and the Webhook API use this user name for authentication while accessing BMC Helix Operations Management. |
      | BHIP_Integration_API_Security_Profile_BASIC_Auth_Password | For security profile type BASIC, enter the password for the security profile created. The Jitterbit API and the Webhook API use this password for authentication while accessing BMC Helix Operations Management. |
      | BHIP_Integration_API_Security_Profile_ApiKey_Name | For security profile type APIKEY, enter the name of the APIKEY to be used for the security profile. The Jitterbit API and the Webhook API use this APIKEY for authentication while accessing BMC Helix Operations Management. |
      | BHIP_API_TimeOut | Enter a value, in seconds, for an API timeout. The value must be between 30 and 180. By default, the value is set to 90. |

    • Field to save the Splunk alert name in BMC Helix Operations Management

      | Project variable | Value |
      |---|---|
      | hom_correlation_field | Enter the name of the BMC Helix Operations Management field to store the name of the corresponding alert in Splunk. |

    • Email notification configurations

      | Project variable | Value |
      |---|---|
      | BHIP_SMTP_Hostname | Enter the SMTP host details for email configuration. |
      | BHIP_To_Email_Address | Enter the email address to which you want to send the notification emails. |
      | BHIP_From_Email_Address | Enter the email address from which the notification emails should be sent. |
      | BHIP_Email_Enabled | To disable email notifications, change the default value to false. By default, the value is set to true. This value defines if notification emails should be sent. |
      | BHIP_Email_On_Success | To disable email notifications for successful operations, set the value to false. By default, this value is set to true. |
      | BHIP_Email_Data_Error | Defines if emails should be sent if an error occurs in the data migration. By default, this value is set to true. To disable email notifications for errors, set the value to false. |
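
A pre-deployment check of the constraints stated in the project variable descriptions above: HTTPS for splunk_url, the listed valid values, the 30 to 180 second timeout range, and credentials present for each selected security profile type. This is an added example, not part of the integration template or BMC's code; the function name, the dictionary input, and the sample values are assumptions.

```python
from urllib.parse import urlparse

# Allowed values exactly as listed in the project variable descriptions on this page.
WEBHOOK_ACTIONS = {"CREATE", "UPDATE"}
API_METHODS = {"POST", "GET", "PUT", "DELETE"}
PROFILE_TYPES = {"BASIC", "APIKEY", "ANONYMOUS"}
REQUIRED_SECRETS = ("splunk_password", "hom_access_key", "hom_secret_key", "BHIP_User_Password")
PREFIX = "BHIP_Integration_API_Security_Profile_"


def check_project_variables(v):
    """Return a list of (variable, finding) tuples for a dict of string values."""
    out = []
    if urlparse(v.get("splunk_url", "")).scheme.lower() != "https":
        out.append(("splunk_url", "must use the HTTPS protocol"))
    port = v.get("splunk_port", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        out.append(("splunk_port", "not a valid port number"))
    out += [(name, "is empty") for name in REQUIRED_SECRETS if not v.get(name)]
    if v.get("BHIP_Hom_Webhook_Action") not in WEBHOOK_ACTIONS:
        out.append(("BHIP_Hom_Webhook_Action", "must be CREATE or UPDATE"))
    if v.get("BHIP_Integration_API_Method", "POST") not in API_METHODS:
        out.append(("BHIP_Integration_API_Method", "not a listed REST method"))
    timeout = v.get("BHIP_API_TimeOut", "90")
    if not (timeout.isdigit() and 30 <= int(timeout) <= 180):
        out.append(("BHIP_API_TimeOut", "must be between 30 and 180 seconds"))
    # The profile type may be a comma-separated list such as "ANONYMOUS,BASIC".
    types = [t.strip() for t in v.get(PREFIX + "Type", "BASIC").split(",")]
    out += [(PREFIX + "Type", "unknown profile type " + repr(t)) for t in types if t not in PROFILE_TYPES]
    if "ANONYMOUS" in types:
        out.append((PREFIX + "Type", "ANONYMOUS profile needs review: no caller credentials"))
    if "BASIC" in types and not (v.get(PREFIX + "BASIC_Auth_Username")
                                 and v.get(PREFIX + "BASIC_Auth_Password")):
        out.append((PREFIX + "Type", "BASIC selected but user name or password is empty"))
    if "APIKEY" in types and not v.get(PREFIX + "ApiKey_Name"):
        out.append((PREFIX + "Type", "APIKEY selected but no API key name is set"))
    return out


# Constructed sample values, not taken from a real deployment.
HARDENED = {
    "splunk_url": "https://splunk.example.com", "splunk_port": "8089",
    "splunk_password": "<from-vault>", "hom_access_key": "<from-vault>",
    "hom_secret_key": "<from-vault>", "BHIP_User_Password": "<from-vault>",
    "BHIP_Hom_Webhook_Action": "CREATE", "BHIP_API_TimeOut": "90",
    PREFIX + "Type": "BASIC", PREFIX + "BASIC_Auth_Username": "hom_webhook",
    PREFIX + "BASIC_Auth_Password": "<from-vault>",
}
WEAK = dict(HARDENED, splunk_url="http://splunk.example.com", BHIP_API_TimeOut="20",
            **{PREFIX + "Type": "ANONYMOUS,BASIC"})
```

Calling check_project_variables(WEAK) reports the plain-HTTP Splunk URL, the out-of-range timeout, and the ANONYMOUS profile; HARDENED returns no findings.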

Task 4: To deploy and enable the project

Deployment is a one-time activity that initializes the integration configurations. The UI displays a message for the deployment status.

To deploy the project and then enable the integration:

  1. To deploy the project, next to the project name, click the ellipsis ..., and select Deploy Project.
  2. To enable the integration, next to the Enable Integrations workflow, click the ellipsis ... for the Enable Integration operation, and select Run.

The following image shows the steps to deploy the project and enable it by running the operation:

[Image: 221_JB_Deploy and enable project_Oct23.png]

After you enable the integration, when a new event with details matching the event criteria defined is created in BMC Helix Operations Management, a corresponding Splunk alert is generated. The alert is updated when the corresponding event is updated in BMC Helix Operations Management.

(Optional) Task 5: To set the time for API debug mode

By default, debug mode is set to 2 hours after you run the integration. Debug logs are updated for the time set for the debug mode. To keep debug mode enabled for a longer period of time, perform the following steps:

  1. In BMC Helix iPaaS, powered by Jitterbit, select API Manager > My APIs.
  2. Open the API created for the integration. The API name is the value defined in the BHIP_Integration_API_Name project variable.
  3. Select Enable Debug Mode Until: and set it for the required date and time.
  4. Save and publish the API.

(Optional) Task 6: To update the default event criteria for triggering a Splunk alert

Splunk alerts are generated for events that match the event policies defined in BMC Helix Operations Management. By default, the event policy is defined to perform actions for events with severity set to Critical, so alerts are generated for any new event with Severity set to Critical. To change the criteria for generating a Splunk alert for an event, update the event policy and update the Event Selection Criteria.

For more information about updating event policies, see Defining event policies for enrichment, correlation, notification, and suppression.

Workflows included in the integration template

The integration template includes workflows for the basic configuration and each integration use case. The following tables describe the operations defined in each workflow. 

Enable Integration

This workflow defines the operations required to enable the integration after all the required project configurations are completed. The following operations are included in this workflow:

| Operation name | Actions performed |
|---|---|
| Enable Integration | Initializes the integration |
| BHIP Login | Logs in to BMC Helix iPaaS by using the credentials provided in the project variables |
| Check Custom API and Security Profiles exist | Verifies if any custom APIs or security profiles exist for the BMC Helix Operations Management integration |
| Publish Custom API | Publishes the BMC Helix iPaaS Jitterbit API |
| Create Security Profiles and Custom API | Creates the security profiles and RestAPIs in BMC Helix iPaaS |
| Delete API and Security Profile if needed | Deletes existing APIs or security profiles, if required |

Sync HOM to Splunk

This workflow creates or updates a Splunk alert when an event is created or the corresponding event is updated in BMC Helix Operations Management. The following operations are included in this workflow:

| Operation name | Actions performed |
|---|---|
| Integration API Flow Controller | Enables all the API entry points by using the details provided in the project variables |
| Parse the Source Payload | Gets details of the BMC Helix Operations Management event to create an alert in Splunk |
| Create alert in Splunk | Creates an alert in Splunk corresponding to a new event created in BMC Helix Operations Management |
| Update alert in Splunk | Updates the Splunk alert when the corresponding event is updated in BMC Helix Operations Management |
| Disable alert for closed Event | Disables the Splunk alert when the status of the corresponding event is changed to Closed |
| Update HOM with alertName | Adds the Splunk alert name to the BMC Helix Operations Management field defined in the hom_correlation_field project variable for the corresponding event |
| HOM API Response | Sends the API response to BMC Helix Operations Management |
| Failure notification | Sends an email notification if alert creation or update fails |

HOM Webhook

This workflow is called through the Enable Integration workflow and registers the Webhook on BMC Helix Operations Management.

| Operation name | Actions performed |
|---|---|
| HOM Webhook Operations | Initiates the Webhook operations based on the operations performed |
| HOM Get Webhooks | Gets the BMC Helix Operations Management Webhook |
| HOM Delete Webhook | If a Webhook with the same name is provided in the hom_webhook_name project variable, deletes that Webhook |
| HOM Register Webhook | Generates the Webhook in BMC Helix Operations Management |
| HOM Get Refresh Token | Generates a token for the access key, secret key, and tenant ID and passes it to the HOM Get JWT operation |
| HOM Get JWT Token | Generates a JSON Web Token (JWT) based on the refreshed token received from HOM Get Refresh Token |
| HOM Get API Key | Gets the BMC Helix Operations Management API Key required to execute Webhook |

 
