Splunk captures, indexes, and correlates real-time application, security and compliance data in a searchable repository from which it can generate alerts, dashboards, and visualizations.
Verified on Splunk version: 8.0
OpsRamp configuration
Step 1: Install the integration
- From All Clients, select a client.
- Go to Setup > Account.
- Select the Integrations and Apps tab.
- The Installed Integrations page opens, listing all installed applications. Note: If no applications are installed yet, you are taken to the ADD APP page instead.
- Click + ADD on the Installed Integrations page. The Available Integrations and Apps page lists all available applications, including any newly created application and its version.
Note: You can also find the application with the search option, or filter the list with the All Categories option.
- In the Splunk application tile, click ADD, then click Install.
- Select the authentication type WEBHOOK and click Save.
- Make a note of the Tenant ID, Token and Webhook URL. These details are used when creating the HTTP Request template during Splunk configuration. Treat the Token as a credential: anyone who can post to the Webhook URL with it can create alerts in this tenant, so keep it out of shared notes and tickets.
- Click Save.
Step 2: Configure the integration
- From the API tab, enter:
- Authentication: Copy the Tenant Id, Token and Webhook URL for the configuration. These settings are used when creating an HTTP Request template.
- Map Attributes: Enter the mapping information for the third-party application.
- From the Monitoring of Integration tab, click Assign Templates.
- From the Audit Logs tab, set up the audit log criteria and time frame.
Configuring the map attributes
- Select the required OpsRamp property from the drop-down.
- Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
- Click + to define the mappings.
- From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.
Attributes can be modified at any time.
The following table shows attribute mappings.
Third-Party Entity | OpsRamp Entity | Third-Party Property | OpsRamp Property | Third-Party Property Value | OpsRamp Property Value |
---|---|---|---|---|---|
Event | Alert | result.status | alert.currentState | 200 | Ok |
Event | Alert | result.status | alert.currentState | 400 | Warning |
Event | Alert | uri_query | alert.serviceName | ||
Event | Alert | search_name | alert.description | ||
Event | Alert | result.clientip | alert.deviceName | ||
Event | Alert | result.req_time | alert.alertTime | ||
Event | Alert | search_name | alert.subject | | |
Splunk configuration
Step 1: Configure webhook for search and reporting
- Log in to Splunk Web.
- From the left pane of Splunk Cloud Home, click Search & Reporting and run the search whose results should raise alerts.
- Click Save As and, from the drop-down options, click Alert.
- Perform the following:
- Enter the alert details (title, schedule and trigger condition) as required.
- For Trigger Actions, click Add Actions and, from the drop-down options, select Webhook.
- For the webhook URL, enter the OpsRamp Webhook URL noted when the integration was installed.
- Click Save.
Step 2: Configure webhook for the Monitoring Console
- From Splunk Cloud Home, click Settings > Monitoring Console and open the statistics, performance, or usage view you need in Search.
- Click Save As > Alert.
- Enter the alert details and the same webhook URL, and save the alert.
Example request payload
```json
{
  "owner": "eswaropsramp",
  "sid": "scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
  "app": "search",
  "results_link": "https://prd-p-kxc7q86hbsqw.cloud.splunk.com/app/search/@go?sid=scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
  "search_name": "Week toDate",
  "result": {
    "method": "GET",
    "cookie": "",
    "Internal": {
      "test": {
        "name": "Test"
      }
    },
    "_kv": "1",
    "clientip": "91.208.184.24",
    "sourcetype": "access_combined_wcookie",
    "_si": [
      "prd-p-kxc7q86hbsqw",
      "main"
    ],
    "date_hour": "8",
    "version": "1.1",
    "_eventtype_color": "",
    "uri_path": "/category.screen",
    "productId": "",
    "date_mday": "2",
    "eventtype": "",
    "itemId": "EST-11",
    "splunk_server_group": "",
    "root": "",
    "uri_domain": "",
    "referer": "http://www.buttercupgames.com/oldlink?itemId=EST-11",
    "timestartpos": "19",
    "file": "category.screen",
    "uri": "/category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
    "splunk_server": "prd-p-kxc7q86hbsqw",
    "user": "-",
    "categoryId": "ACCESSORIES",
    "timeendpos": "39",
    "_cd": "0:201776",
    "bytes": "2396",
    "date_wday": "wednesday",
    "date_zone": "local",
    "ident": "-",
    "index": "main",
    "useragent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
    "_serial": "0",
    "_sourcetype": "access_combined_wcookie",
    "_bkt": "main~0~B9626C15-AE58-49B8-8B5B-AF85CD3F65CB",
    "source": "tutorialdata.zip:./www1/access.log",
    "status": "200",
    "tag": "",
    "date_month": "october",
    "_raw": "91.208.184.24 - - [02/Oct/2019:08:47:48] \"GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438 HTTP 1.1\" 200 2396 \"http://www.buttercupgames.com/oldlink?itemId=EST-11\" \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\" 614",
    "linecount": "1",
    "punct": "..._-_-_[//:::]_\"_/.?=&=__.\"___\"://../?=-\"_\"/._(;_",
    "tag::eventtype": "",
    "_time": "1570006068",
    "uri_query": "categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
    "date_minute": "47",
    "date_year": "2019",
    "req_time": "02/Oct/2019:08:47:48",
    "host": "127.0.0.1",
    "action": "",
    "other": "614",
    "referer_domain": "http://www.buttercupgames.com",
    "date_second": "48",
    "JSESSIONID": "SD4SL7FF1ADFF50438",
    "_indextime": "1570096125"
  }
}
```
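The following script applies the attribute mapping table above to a payload of the shape shown in this example. It is an added example, not OpsRamp or Splunk code: the Splunk field names (search_name, result.status, result.clientip, result.req_time, result.uri_query) come from the example payload and the OpsRamp property names from the mapping table, while the fallback state for status codes the table does not list, the epoch format for alertTime, the fallback of deviceName to host, and the list of session parameters stripped from uri_query are assumptions made here. It goes one step beyond the table by scrubbing the JSESSIONID that the sample uri_query carries, so that a session identifier is not copied into alert text.

```python
"""Apply this page's Splunk-to-OpsRamp attribute mapping to a webhook payload.

Added example (not OpsRamp's or Splunk's own code). Field names on the
Splunk side come from the example payload above and the OpsRamp property
names from the mapping table; DEFAULT_STATE, the epoch alertTime format, the
host fallback for deviceName and SESSION_PARAMS are assumptions.
"""
import json
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode

# result.status -> alert.currentState, exactly as in the mapping table.
STATUS_TO_STATE = {"200": "Ok", "400": "Warning"}
# Assumed default for status values the table does not list (5xx, 3xx, ...).
DEFAULT_STATE = "Critical"
# Assumed: query parameters that carry session identifiers and should not be
# copied into alert text (the sample payload's uri_query contains a JSESSIONID).
SESSION_PARAMS = {"jsessionid", "phpsessid", "sessionid"}

# Constructed sample: a trimmed copy of the Splunk webhook payload shown above.
SAMPLE_PAYLOAD = json.dumps({
    "owner": "eswaropsramp",
    "sid": "scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
    "app": "search",
    "search_name": "Week toDate",
    "result": {
        "clientip": "91.208.184.24",
        "status": "200",
        "req_time": "02/Oct/2019:08:47:48",
        "uri_query": "categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
        "host": "127.0.0.1",
    },
})


def scrub_query(query):
    """Return the query string with session-identifier parameters removed."""
    kept = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAMS]
    return urlencode(kept)


def parse_req_time(value):
    """Parse the Apache-style req_time ('02/Oct/2019:08:47:48') to epoch seconds.

    The sample has date_zone 'local' and no offset in the field, so UTC is
    assumed; for the sample this yields 1570006068, the _time in the payload.
    """
    dt = datetime.strptime(value, "%d/%b/%Y:%H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def map_event(payload):
    """Build the OpsRamp alert properties from a Splunk webhook payload.

    Each row of the mapping table becomes one key. Fields missing from the
    payload fall back to a default instead of failing the whole alert.
    """
    event = json.loads(payload) if isinstance(payload, str) else payload
    result = event.get("result") or {}
    search_name = event.get("search_name", "Splunk alert")
    return {
        "currentState": STATUS_TO_STATE.get(str(result.get("status", "")), DEFAULT_STATE),
        "serviceName": scrub_query(result.get("uri_query", "")),
        "description": search_name,
        # The table maps clientip only; falling back to host is an assumption.
        "deviceName": result.get("clientip") or result.get("host", "unknown"),
        "alertTime": parse_req_time(result["req_time"]) if result.get("req_time") else None,
        "subject": search_name,
    }


if __name__ == "__main__":
    print(json.dumps(map_event(SAMPLE_PAYLOAD), indent=2))
```

The full payload shown above can be passed to map_event unchanged, since it reads only the fields named in the mapping table and ignores the rest. Anything Splunk puts into the mapped fields ends up verbatim in the OpsRamp alert, which is why the example strips session parameters from uri_query before using it as serviceName; extend SESSION_PARAMS to match whatever your own application uses.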
Next steps
- View alerts in OpsRamp
- From the Workspace drop-down in the OpsRamp console, go to Alerts. On the Alerts page, search with Source name set to Splunk; the related alerts are displayed.
- Click an Alert ID to view.