Splunk captures, indexes, and correlates real-time application, security and compliance data in a searchable repository from which it can generate alerts,dashboards and visualizations.

Verified on Splunk version: 8.0

OpsRamp configuration

Configuration involves the following:

  1. Installing the integration.
  2. Configuring the integration.

Step 1: Install the integration

To install:

  1. Select a client from the All Clients list.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select Monitoring > Splunk.
  4. Click Install.

Step 2: Configure the integration

To configure the integration:

  1. From the API tab, provide the following:
    • Authentication: Copy Tenant Id, Token and Webhook URL for configuration. These settings are used for creating a HTTP Request template.
    • Map Attributes: Enter the mapping information for the third-party.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

To configure the mapping attributes:

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.

Attributes can be modified at any time.

The following tables shows attribute mappings.

Third-Party EntityOpsRamp EntityThird-Party PropertyOpsRamp PropertyThird-Party Property ValueOpsRamp Property Value
EventAlertresult.statusalert.currentState200Ok
EventAlertresult.statusalert.currentState400Warning
EventAlerturi_queryalert.serviceName
EventAlertsearch_namealert.description
EventAlertresult.clientipalert.deviceName
EventAlertresult.req_timealert.alertTime
EventAlertsearch_namealert.subject

 

Splunk configuration

Configuration includes:

  1. Configuring Webhook for search and reporting
  2. Configuring Webhook for Monitoring Console

Step 1: Configure Webhook for search and reporting

To configure Webhook for search and reporting:

  1. Log into Splunk Admin UI.
  2. From the left pane of Splunk Cloud Home, click Search & Reporting.
  3. Click Save As and then from the drop-down options, click Alert.
  4. Perform the following:
    1. Enter details as required.
    2. For Trigger Actions, click Add Actions and from the drop-down options select Webhook.
    3. For Webhook, provide the server URL to connect.
    4. Click Save.

Step 2: Configure Webhook for the Monitoring Console

To configure Webhook for the Monitoring Console:

  1. From Splunk Cloud Home, click Settings, Monitor Console. Open in Search for required statistics, performance, or usage.
  2. Click Save As, Alert.
  3. Enter the alert details, webhook URL, and save the alert.

Sample request payload

{ 
"owner":"eswaropsramp",
"sid":"scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
"app":"search",
"results_link":"https://prd-p-kxc7q86hbsqw.cloud.splunk.com/app/search/@go?sid=scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80)",
"search_name":"Week toDate",
"result":{ 
"method":"GET",
"cookie":"",
"Internal":
{
"test":{
"name":"Test"
}
},
"_kv":"1",
"clientip":"91.208.184.24",
"sourcetype":"access\_combined\_wcookie",
"_si":\[ 
"prd-p-kxc7q86hbsqw",
"main"
],
"date_hour":"8",
"version":"1.1",
"_eventtype_color":"",
"uri_path":"/category.screen",
"productId":"",
"date_mday":"2",
"eventtype":"",
"itemId":"EST-11",
"splunk_server_group":"",
"root":"",
"uri_domain":"",
"referer":"[http://www.buttercupgames.com/oldlink?itemId=EST-11](http://www.buttercupgames.com/oldlink?itemId=EST-11)",
"timestartpos":"19",
"file":"category.screen",
"uri":"/category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
"splunk_server":"prd-p-kxc7q86hbsqw",
"user":"-",
"categoryId":"ACCESSORIES",
"timeendpos":"39",
"_cd":"0:201776",
"bytes":"2396",
"date_wday":"wednesday",
"date_zone":"local",
"ident":"-",
"index":"main",
"useragent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
"_serial":"0",
"_sourcetype":"access_combined_wcookie",
"_bkt":"main~0~B9626C15-AE58-49B8-8B5B-AF85CD3F65CB",
"source":"tutorialdata.zip:./www1/access.log",
"status":"200",
"tag":"",
"date_month":"october",
"_raw":"91.208.184.24 - - [02/Oct/2019:08:47:48\] " GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438 HTTP 1.1" 200 2396 "[http://www.buttercupgames.com/oldlink?itemId=EST-11](http://www.buttercupgames.com/oldlink?itemId=EST-11)" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)" 614",
"linecount":"1",
"punct":"..._-_-_[//:::]_" _/.?=&=__."___"://../?=-"_"/._(;_",
"tag::eventtype":"",
"_time":"1570006068",
"uri_query":"categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
"date_minute":"47",
"date_year":"2019",
"req_time":"02/Oct/2019:08:47:48",
"host":"127.0.0.1",
"action":"",
"other":"614",
"referer_domain":"[http://www.buttercupgames.com](http://www.buttercupgames.com/)",
"date_second":"48",
"JSESSIONID":"SD4SL7FF1ADFF50438",
"_indextime":"1570096125"
}
}

 

What to do next

  • View alerts in OpsRamp
    1. From Workspace drop-down options at OpsRamp Console, go to Alerts and on the Alerts page, search with the Source name as Splunk. Related alerts are displayed.
    2. Click an Alert ID to view.