Creating incidents for Splunk alerts via BMC Helix iPaaS, powered by Jitterbit

As an administrator, you can integrate BMC Helix ITSM with Splunk to synchronize Splunk alerts with BMC Helix ITSM incidents. When an alert is generated in Splunk, a corresponding incident is created in BMC Helix ITSM, enabling administrators to manage Splunk alerts in BMC Helix ITSM.

BMC Helix Multi-Cloud Broker, along with BMC Helix iPaaSprovides an out-of-the-box integration template that you use to integrate BMC Helix ITSM and Splunk. You configure the integration in BMC Helix Multi-Cloud Broker and deploy the integration template to your BMC Helix iPaaS environment.

Use case	Splunk to BMC Helix ITSM	BMC Helix ITSMto Splunk
Create tickets	Creates a BMC Helix ITSM incident for a Splunk alert. Important: A Splunk alert is generated based on the search criteria and saved as an Alert. If you have defined multiple alerts, a single BMC Helix ITSM incident is created for each alert. The BMC Helix ITSM incident number is added to the Splunk alert Description field.	Not supported
Synchronize updates	Updates the vendor data in BMC Helix Multi-Cloud Broker when a Splunk alert is created. You can then view the Splunk alert details in the BMC Helix ITSM UI.	Not supported
Synchronize statuses	Not supported	Clears all triggered alerts listed in the Splunk alert and removes the BMC Helix ITSM incident number from the Splunk alert Description field when the BMC Helix ITSM incident is closed

Splunk to BMC Helix ITSM data flow

The following image gives an overview of the data flow for creating or updating a BMC Helix ITSM for a Splunk alert:

22.1_ITSM_Splunk.png

BMC Helix ITSM to Splunk data flow

The following image gives an overview of the data flow for deleting triggered alerts in Splunk when the corresponding BMC Helix ITSM incident is closed:

22.1_ITSM_Splunk_clear_alert.png

Before you begin

You require the following items to successfully set up and use this integration:

Required versions	BMC Helix ITSM version 20.08 and later
Authentication and permissions	Access for Splunk users to the Rest API servers in Splunk Administrator access for BMC Helix Innovation Studio, BMC Helix Multi-Cloud Broker and BMC Helix ITSMusers to run this integration
Subscription	A valid BMC Helix iPaaS, powered by Jitterbit subscription
Limitation	Duplicate alerts with the same condition should not exist in Splunk

Task 1: To configure the integration

Log in to BMC Helix iPaaS.
On Workspace, click Multi-Cloud Broker.
To launch BMC Helix Multi-Cloud Broker, click Visit Deployed Application.
Tip
Access BMC Helix Multi-Cloud Broker directly by entering the URL https://hostName:portNumber/helix/index.html#/com.bmc.dsm.mcsm/login and logging in as a tenant administrator.
Click Settings .
Select Start Here > Quick Configuration Guide.
The Quick Configuration Guide page is displayed.
On the Step 1: Choose configuration tab, and perform the following steps:
Important
In Choose Configuration, Helix iPaaS (powered by Jitterbit) is selected by default. Do not change this value.
1. Under Events and SecOps, select Splunk Alert to ITSM Incident.
1. Click Next.

On the Step 2: Perform configurations tab, perform the following steps:

Add an operating organization, if you have not already done so.
Add Splunk as the vendor organization, if you have not already done so.

To add the vendor metadata, click Map vendors and perform the following steps:

On the Map Vendors page, click Map Vendor.

Complete the fields as described in the following table:

Field	Action
Description	Enter a description for the vendor metadata configuration.
Ticketing Technology Provider	From the list, select Splunk.
(Optional) Instance Name	If you are using multiple instances of Splunk, enter the name of the instance that you are using for this integration.
Add Mapping	After you select the ticketing technology provider, click Add Mapping. BMC Helix Multi-Cloud Broker displays the default values in the Instance URL field and the Display Field Mapping section.
Instance URL	If you have clicked Add Mapping, this field is auto-populated with a default URL. Update the instance URL value in the default URL. The default value of this variable is https://{instanceUrl}/Splunk/app.do#alertDetailsReportPlace:{alertId}/overview. For example, update the default value to https://Splunk.bmc.com/Splunk/app.do#alertDetailsReportPlace:{alertId}/overview.
Process Name	Enter a name for the process that is created in BMC Helix Innovation Studio. The default value of this variable is com.bmc.dsm.ticket-brokering-lib:Connector Process Splunk for {description}.
Display Field Mapping	By default, the basic Splunk fields are mapped in this section. If you want to map additional fields to be displayed in the BMC Helix ITSM UI, add the relevant mappings by clicking .
Integration Platform	Select Jitterbit.

Click Save.

To fetch incidents from BMC Helix ITSM, click Define filter criteria to fetch records from ITSM to Helix Multi-Cloud Broker for incident, and perform the following steps:
1. To select the filter criteria, click Advanced filter.
2. Select the filters from the available fields, and click Next.
  The query filter expression is displayed. By default, the AND qualifier is applied when you select multiple filter criteria.
3. To change the qualifier for your filters, update the query, and then click Save.
  Important
  Make sure that you enter a valid query with available fields and values.
4. Click Close.
  When an incident matches the operation and filter that you have selected, the system fetches that incident to BMC Helix Multi-Cloud Broker.
In the Configure Splunk integration section, refer to the configuration steps listed and select the check boxes as you complete each step.
Click Save.

Task 2: To download and import the integration template project file

Download the Create BMC Helix ITSM incident from Splunk alerts Update 2022-10-01 file.
This file contains the BMC Helix iPaaS Integration Studio project Create BMC Helix ITSM incident from Splunk alerts.
Important
Your ability to access product pages on the EPD website is determined by the license your company purchased.
Log in to BMC Helix iPaaS and navigate to Integration Studio.
Select your organization.
On the projects page, click Import.
Click Browse and then select the Create BMC Helix ITSM incident from Splunk alerts.json file that you downloaded from the Electronic Product Distribution site.
The Project Name and Organization fields are automatically populated. The default project name is displayed, but you can change it, as needed.
From the Environment list, select the environment to which you want to import this integration template, and click Import.
The project opens after the integration template is imported.
To open the project file at a later time, select the environment where the integration templates are available, select the project name, and click View/Edit.

Task 3: To update the project variables for the integration template

Next to the Environment name, click the ellipsis ... and select Project Variables.

Update the project variables as described in the following tables:

BMC Helix iPaaS project variables:

Project variable	Action
BHIP_API_Name	Enter the name of the API that is created in BMC Helix iPaaS to receive BMC Helix Multi-Cloud Brokerwebhook requests. The default value of this variable is SplunkAPIName. Do not change the name.
BHIP_API_User_Roles	Specify the organization roles that should have access to the new API. You can add multiple, comma separated values. Important: If you do not specify any value, all the organization roles get access to the new API.
BHIP_MCB_API_Profile_User_Name	Enter the user name that should be used while creating the BMC Helix Multi-Cloud Broker API profile. The integration template creates an API in BMC Helix iPaaS to handle requests from BMC Helix Multi-Cloud Broker.
BHIP_MCB_API_Profile_User_Password	Enter the password that should be used while creating the BMC Helix Multi-Cloud Broker API profile. The integration template creates an API in BMC Helix iPaaS to handle requests from BMC Helix Multi-Cloud Broker.
BHIP_Vendor_API_Profile_ApiKey_Name	Enter the APIKEY name for the security profile that you want to use with the vendor API. Important: Provide a value for this variable only if you select the APIKEY option in BHIP_Vendor_API_Profile_Type.
BHIP_Vendor_API_Profile_Type	The integration templates create APIs to accept requests from a vendor. Enter one of the following API authentication mechanisms that you want to use with this API: BASIC ANONYMOUS APIKEY The default value of this variable is BASIC.
BHIP_Vendor_API_Profile_User_Name	Enter the user name for the security profile that you want to use with the vendor API. Important: Provide a value for this variable only if you select the BASIC option in BHIP_Vendor_API_Profile_Type.
BHIP_Vendor_API_Profile_User_Password	Enter the password for the security profile that you want to use with the vendor API. Important: Provide a value for this variable only if you select the BASIC option in BHIP_Vendor_API_Profile_Type.
BHIP_Host	Enter the BMC Helix iPaaSinstance URL where you want to run this project. Important: Make sure that you do not enter any leading and trailing spaces.
BHIP_User_Name	Enter the user name for the BMC Helix iPaaS instance.
BHIP_User_Password	Enter the password for the BMC Helix iPaaS instance.
Enable_BMC_Helix_To_Vendor_Integration	Enable the updates of Splunk alerts from BMC Helix ITSM incidents. By default, this variable is set to true. If you want to disable the updates of Splunk alerts from BMC Helix ITSM incidents, set the default value to false.
Enable_Vendor_To_BMC_Helix_Integration	Enable the creation of BMC Helix ITSM incidents from Splunk, and synchronization of updates and comments. By default, this variable is set to true. If you want to disable the creation of BMC Helix ITSM incidents from Splunk, and synchronization of updates and comments, set the default value to false.

Splunk variables:

Project variable	Action
Splunk_Alert_Name	Enter the name of the Splunk alerts for which an incident should be created. To add multiple values, use a comma separated list.
Splunk_Host	Enter the Splunk instance URL where you want to run this project.
Splunk_Port	Enter the port number for the Splunk URL.
Splunk_User_Name	Enter the user name to access Splunk.
Splunk_User_Password	Enter the password for the Splunk user.

BMC Helix Multi-Cloud Brokerproject variables:

Project variable	Action
MCB_Host	Enter the BMC Helix Multi-Cloud Broker host URL to which Splunk alerts should be synchronized.
MCB_User_Name	Enter the user name that enables users to interact with BMC Helix Multi-Cloud Broker.
MCB_User_Password	Enter the password for the provided user name.
MCB_Vendor_Name	Enter the value in the following format for multiple instances of Splunk: Splunk.<Instance name> The instance name in the format is the name you entered in the Instance Name field while configuring vendor metadata.
MCB_Assigned_Group	Enter the name of the support group to which you want to assign the incident.
MCB_Assigned_Support_Organization	Enter the name of the support organization to which you want to assign the incident.
MCB_Assigned_Support_Company	Enter the name of the support company to which you want to assign the incident.
MCB_Assigned_Company	Enter the name of the company for which you want to create the incident.
MCB_Assigned_Company_Id	Enter the ID of the company for which you want to create the incident.
MCB_Assigned_Business_Unit	Enter the name of the business unit to which you want to assign the incident.

The following variables are inputs from BMC Helix ITSM. Either enter values for these variables or map appropriate Splunk fields if the data is available:

Project variable	Action
ITSM_Company_Name	Enter the company name for which the integration template needs to be run; for example, Apex Global.
ITSM_Customer_First_Name	Enter the first name of the BMC Helix ITSM customer.
ITSM_Customer_Last_Name	Enter the last name of the BMC Helix ITSM customer.
ITSM_Incident_Type	Enter any of the following incident types for which you want to create a Splunk alert: User Service Restoration User Service Request Infrastructure Restoration Infrastructure alert Security Incident Splunk alerts are generated only for the incidents of the types defined in this variable. The default value of this variable is User Service Restoration.

Task 4: To deploy and enable the project

Deployment is a one-time activity that initializes the integration configurations. The UI displays a message for the deployment status.

To deploy the project and then enable the integration:

To deploy the project, next to the project name, click the ellipsis ..., and select Deploy Project.
To enable the integration, next to the Enable Integrations operation, under 2.0 Integrations workflow, click the ellipsis ..., and select Run.

The following image shows the steps to deploy the project and enable it by deploying the workflow:

221_JB_Deploy and enable project_Oct 2022.png

After you enable the integration, when an alert is generated in Splunk, a corresponding incident is created in BMC Helix ITSM. The alert details are displayed in the incident. When the incident is closed, updates for the alert are disabled.

(Optional) Task 5: To set the time for API debug mode

By default, the debug mode is set to 2 hours after you run the integration. Debug logs are updated for the time set for the debug mode. To increase the debug mode for a longer period of time, perform the following steps:

In BMC Helix iPaaS, select API Manager > My APIs.
Open the BMC_Helix_ITSM_Incident_And_Splunk_alert_Vendor_To_MCB API.
Select Enable Debug Mode Until: and set it for the required date and time.
Save and publish the API.