Creating incidents for Splunk alerts via BMC Helix iPaaS, powered by Jitterbit

As an administrator, you can integrate BMC Helix ITSM with Splunk to synchronize Splunk alerts with BMC Helix ITSM incidents. When an alert is generated in Splunk, a corresponding incident is created in BMC Helix ITSM, enabling administrators to manage Splunk alerts in BMC Helix ITSM.

BMC Helix Multi-Cloud Broker, along with BMC Helix iPaaS, powered by Jitterbit provides an out-of-the-box integration template that you use to integrate BMC Helix ITSM and Splunk. You configure the integration in BMC Helix Multi-Cloud Broker and deploy the integration template to your BMC Helix iPaaS environment.

This integration provides the following capabilities:

Use case	DevOps integration capabilities
Create tickets	Create a BMC Helix ITSM incident for a Splunk alert. Important: A Splunk alert is generated based on the search criteria and saved as an Alert. If you have defined multiple alerts, a single BMC Helix ITSM incident is created for each alert. The BMC Helix ITSM incident number, is added to Splunk alert Description field.
Synchronize updates	When a Splunk alert is created, the vendor data in BMC Helix Multi-Cloud Broker is automatically updated. You can then view the Splunk alert details in the BMC Helix ITSMUI.
Synchronize updates	When the BMC Helix ITSMincident is closed, all triggered alerts listed in the Splunk alert are cleared, and the BMC Helix ITSM incident number is removed from the Splunk alert Description field.

The following image gives an overview of the capabilities that this integration supports:

iPaaS_ITSM and Splunk integration.png

Before you begin

Make sure you have the following items:

ValidBMC Helix iPaaS, powered by Jitterbit subscription.
The Create BMC Helix ITSM incident from Splunk alerts Update 2022-03-01 project file downloaded to your system from the BMC Helix Multi-Cloud Broker page on the Electronic Product Distribution site.
Access for Splunk users to the Rest API servers in Splunk.
Administrator access for BMC Helix Multi-Cloud Broker and BMC Helix ITSM users to run this integration.
Duplicate alerts with the same condition do not exist in Splunk.

View the Splunk alert details in the BMC Helix ITSM incident

After you implement the integration by using BMC Helix iPaaS, powered by Jitterbit, you can view the Splunk alert details in the corresponding BMC Helix ITSM incident.

Splunk to ITSM incident via JB.png

Data flow from Splunk to BMC Helix ITSM

iPaaS_ITSM to Splunk data flow.png

Task 1: To configure the integration

Log in to BMC Helix Innovation Studio.
On Workspace, click Multi-Cloud Broker.
To launch BMC Helix Multi-Cloud Broker, click Visit Deployed Application.
Tip
Access BMC Helix Multi-Cloud Broker directly by entering the URL https://hostName:portNumber/helix/index.html#/com.bmc.dsm.mcsm/login and logging in as a tenant administrator.
Click Settings .
Select Start Here > Quick Configuration Guide.
The Quick Configuration Guide page is displayed.
On the Step 1: Choose configuration tab, perform the following steps:
Important
In Choose Configuration, Helix iPaaS (powered by Jitterbit) is selected by default. Do not change this value.
1. Under Notifications, select ITSM Incident to Splunk Alert.
2. Click Next.

On the Step 2: Perform configurations tab, perform the following steps:

Add an operating organization, if you have not already done so.
Add Splunk as the vendor organization, if you have not already done so.

To add the vendor metadata, click Map vendors and perform the following steps:

On the Map Vendors page, click Map Vendor.

Complete the fields as described in the following table:

Field	Action
Description	Enter a description for the vendor metadata configuration.
Ticketing Technology Provider	From the list, select Splunk.
(Optional) Instance Name	If you are using multiple instances of Splunk, enter the name of the instance that you are using for this integration.
Add Mapping	After you select the ticketing technology provider, click Add Mapping. BMC Helix Multi-Cloud Broker displays the default values in the Instance URL field and the Display Field Mapping section.
Instance URL	Update the instanceUrl in the default URL. The default value of this variable is https://{instanceUrl}/Splunk/app.do#alertDetailsReportPlace:{alertId}/overview. For example, update the default value to https://Splunk.bmc.com/Splunk/app.do#alertDetailsReportPlace:{alertId}/overview.
Process Name	Enter a name for the process that is created in BMC Helix Innovation Studio. The default value of this variable is com.bmc.dsm.ticket-brokering-lib:Connector Process Splunk for {description}.
Display Field Mapping	By default, the basic Splunk fields are mapped in this section. If you want to map additional fields to be displayed in the BMC Helix ITSMUI, add the relevant mappings by clicking .
Integration Platform	Select Jitterbit.

Click Save.

In the Configure Splunk integration section, refer to the configuration steps listed and select the check boxes as you complete each step.
Click Save.

Task 2: To import the integration template project file

Log in to BMC Helix iPaaS and navigate to Cloud Studio.
Select your organization.
On the projects page, click Import.
Click Browse to navigate to and select the JSON file that you downloaded from the Electronic Product Distribution site.
The Project Name and Organization fields are automatically populated. The default project name is displayed, but you can change it, as needed.
From the Environment list, select the environment to which you want to import this integration template, and click Import.
The project opens after the integration template is imported.
To open the project file at a later time, select the environment where the integration templates are available, select the project name, and click View/Edit.

Task 3: To update the project variables for the integration template

Click the ellipsis ... next to the project name and select Project Variables.

Update the project variables as described in the following tables:

BMC Helix iPaaS project variables

Project variable	Action
BHIP_API_Name	Enter the name for API that is created in BMC Helix iPaaS to receive BMC Helix Multi-Cloud Broker webhook requests. The default value of this variable is SplunkAPIName. Do not change the name.
BHIP_API_User_Roles	Specify the organization roles that should have access to the new API. You can add multiple, comma separated values. Important: If you do not specify any value, all the organization roles get access to the new API.
BHIP_MCB_API_Profile_User_Name	The integration template creates an API in BMC Helix iPaaS to handle requests from BMC Helix Multi-Cloud Broker. Enter the user name that should be used while creating the BMC Helix Multi-Cloud Broker API profile.
BHIP_MCB_API_Profile_User_Password	Enter the password that should be used while creating the BMC Helix Multi-Cloud Broker API profile. The integration template creates an API in BMC Helix iPaaS to handle requests from BMC Helix Multi-Cloud Broker.
BHIP_Vendor_API_Profile_ApiKey_Name	Enter the APIKEY name for the security profile that you want to use with the vendor API. Important: Provide a value for this variable only if you select the APIKEY option in BHIP_Vendor_API_Profile_Type.
BHIP_Vendor_API_Profile_Type	The integration templates create APIs to accept requests from a vendor. Enter one of the following API authentication mechanisms that you want to use with this API: BASIC ANONYMOUS APIKEY
BHIP_Vendor_API_Profile_User_Name	Enter the user name for the security profile that you want to use with the vendor API. Important: Provide a value for this variable only if you select the BASIC option in BHIP_Vendor_API_Profile_Type.
BHIP_Vendor_API_Profile_User_Password	Enter the password for the security profile that you want to use with the vendor API. Important: Provide a value for this variable only if you select the BASIC option in BHIP_Vendor_API_Profile_Type.
BHIP_Host	Enter the BMC Helix iPaaS instance URL where you want to run this project. Important: Make sure that you do not enter any leading and trailing spaces.
BHIP_User_Name	Enter the user name for the BMC Helix iPaaS instance.
BHIP_User_Password	Enter the password for the BMC Helix iPaaS instance.
Enable_BMC_Helix_To_Vendor_Integration	By default, this variable is set to true. Important: This variable enables the updates of Splunk alerts from BMC Helix ITSMincidents.
Enable_Vendor_To_BMC_Helix_Integration	By default, this variable is set to true. Important: This variable enables the creation of BMC Helix ITSM incidents from Splunk, and synchronization of updates and comments.

Splunk variables:

Project variable	Action
Splunk_Alert_Name	Enter the name for the Splunk alerts for which an incident should be created. To add multiple values, use a comma separated list.
Splunk_Host	Enter the Splunk instance URL where you want to run this project.
Splunk_Port	Enter the port number for the Splunk URL.
Splunk_User_Name	Enter the user name to access Splunk.
Splunk_User_Password	Enter the password for the Splunk user.

BMC Helix Multi-Cloud Broker project variables:

Project variable	Action
MCB_Host	Enter the BMC Helix Multi-Cloud Broker host URL to which Splunk alerts should be synchronized.
MCB_User_Name	Enter the user name that enables users to interact with BMC Helix Multi-Cloud Broker.
MCB_User_Password	Enter the password for the provided user name.
MCB_Vendor_Name	This variable is autopopulated. Do not change the default value.

The following variables are inputs from BMC Helix ITSM. Either enter values for these variables or map appropriate Splunk fields if the data is available:

Project variable	Action
ITSM_Company_Name	Enter the company name for which the integration template needs to be run; for example, Calbro Services.
ITSM_Customer_First_Name	Enter the first name of the BMC Helix ITSM customer.
ITSM_Customer_Last_Name	Enter the last name of the BMC Helix ITSMcustomer.
ITSM_Incident_Type	Enter any of the following incident types for which you want to create a Splunk alert: User Service Restoration User Service Request Infrastructure Restoration Infrastructure alert Security Incident Splunk alerts are generated only for the incidents of the types defined in this variable. The default value of this variable is User Service Restoration.

Task 4: To deploy and enable the project

Deployment is a one-time activity that initializes the integration configurations. The UI displays a message for the deployment status.

The following image shows the steps to deploy the project and then enable it by deploying the workflow:

Image_enable integration workflow steps.png

(Optional) Task 5: To set the time for API debug mode

By default, the debug mode is set to 2 hours after you run the integration. Debug logs are updated for the time set for the debug mode. To increase the debug mode for a longer period of time, perform the following steps:

In BMC Helix iPaaS, powered by Jitterbit, select API Manager > My APIs.
Open the BMC_Helix_ITSM_Incident_And_Splunk_alert_Vendor_To_MCB API.
Select Enable Debug Mode Until: and set it for the required date and time.
Save and publish the API.