Splunk captures, indexes, and correlates real-time application, security and compliance data in a searchable repository from which it can generate alerts, dashboards, and visualizations.

Verified on Splunk version: 8.0

OpsRamp configuration

Step 1: Install the integration

  1. Select a client from the All Clients list.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select Monitoring > Splunk.
  4. Click Install.

Step 2: Configure the integration

  1. From the API tab, enter:
    • Authentication: Copy Tenant Id, Token and Webhook URL for configuration. These settings are used for creating a HTTP Request template.
    • Map Attributes: Enter the mapping information for the third-party.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.

Attributes can be modified at any time.

The following table shows attribute mappings.

Third-Party EntityOpsRamp EntityThird-Party PropertyOpsRamp PropertyThird-Party Property ValueOpsRamp Property Value
EventAlertresult.statusalert.currentState200Ok
EventAlertresult.statusalert.currentState400Warning
EventAlerturi_queryalert.serviceName
EventAlertsearch_namealert.description
EventAlertresult.clientipalert.deviceName
EventAlertresult.req_timealert.alertTime
EventAlertsearch_namealert.subject

Splunk configuration

Step 1: Configure webhook for search and reporting

  1. Log into Splunk Admin UI.
  2. From the left pane of Splunk Cloud Home, click Search & Reporting.
  3. Click Save As and from the drop-down options, click Alert.
  4. Perform the following:
    1. Enter details as required.
    2. For Trigger Actions, click Add Actions and from the drop-down options select Webhook.
    3. For Webhook, enter the server URL to connect.
    4. Click Save.

Step 2: Configure webhook for the monitoring Console

  1. From Splunk Cloud Home, click Settings, Monitor Console. Open in Search for required statistics, performance, or usage.
  2. Click Save As, Alert.
  3. Enter the alert details, webhook URL, and save the alert.

Example request payload

{
"owner":"eswaropsramp",
"sid":"scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
"app":"search",
"results_link":"<https://prd-p-kxc7q86hbsqw.cloud.splunk.com/app/search/@go?sid=scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80>)",
"search_name":"Week toDate",
"result":{
"method":"GET",
"cookie":"",
"Internal":
{
"test":{
"name":"Test"
}
},
"_kv":"1",
"clientip":"91.208.184.24",
"sourcetype":"access\_combined\_wcookie",
"_si":\[
"prd-p-kxc7q86hbsqw",
"main"
],
"date_hour":"8",
"version":"1.1",
"_eventtype_color":"",
"uri_path":"/category.screen",
"productId":"",
"date_mday":"2",
"eventtype":"",
"itemId":"EST-11",
"splunk_server_group":"",
"root":"",
"uri_domain":"",
"referer":"[http://www.buttercupgames.com/oldlink?itemId=EST-11](http://www.buttercupgames.com/oldlink?itemId=EST-11)",
"timestartpos":"19",
"file":"category.screen",
"uri":"/category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
"splunk_server":"prd-p-kxc7q86hbsqw",
"user":"-",
"categoryId":"ACCESSORIES",
"timeendpos":"39",
"_cd":"0:201776",
"bytes":"2396",
"date_wday":"wednesday",
"date_zone":"local",
"ident":"-",
"index":"main",
"useragent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
"_serial":"0",
"_sourcetype":"access_combined_wcookie",
"_bkt":"main~0~B9626C15-AE58-49B8-8B5B-AF85CD3F65CB",
"source":"tutorialdata.zip:./www1/access.log",
"status":"200",
"tag":"",
"date_month":"october",
"_raw":"91.208.184.24 - - [02/Oct/2019:08:47:48\] " GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438 HTTP 1.1" 200 2396 "[http://www.buttercupgames.com/oldlink?itemId=EST-11](http://www.buttercupgames.com/oldlink?itemId=EST-11)" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)" 614",
"linecount":"1",
"punct":"..._-_-_[//:::]_"_/.?=&=__."___"://../?=-"_"/._(;_",
"tag::eventtype":"",
"_time":"1570006068",
"uri_query":"categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
"date_minute":"47",
"date_year":"2019",
"req_time":"02/Oct/2019:08:47:48",
"host":"127.0.0.1",
"action":"",
"other":"614",
"referer_domain":"[http://www.buttercupgames.com](http://www.buttercupgames.com/)",
"date_second":"48",
"JSESSIONID":"SD4SL7FF1ADFF50438",
"_indextime":"1570096125"
}
}

Next steps

  • View alerts in OpsRamp
    1. From Workspace drop-down options at OpsRamp Console, go to Alerts and on the Alerts page, search with the Source name as Splunk. Related alerts are displayed.
    2. Click an Alert ID to view.