Splunk captures, indexes, and correlates real-time application, security and compliance data in a searchable repository from which it can generate alerts, dashboards, and visualizations.

Verified on Splunk version: 8.0

OpsRamp configuration

Step 1: Install the integration

  1. From All Clients, select a client.
  2. Navigate to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page opens, listing all installed applications. Note: If no applications are installed, you are taken to the Available Integrations and Apps page instead.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all available applications, including newly added applications with their version.
  6. Search for the application using the search box, or browse with the All Categories option.
  7. Click ADD on the Splunk tile.

Inbound (Optional):

Splunk - Inbound configuration

To configure the inbound integration, follow these steps:

Authentication:

  1. Select the Authentication Type as Webhook.

    • Webhook: By default, Webhook is selected as the Authentication Type.
      Make a note of the Tenant ID, Token, and Webhook URL.
      These details are used when creating the HTTP request template during the Splunk configuration (the Token is the credential that authenticates inbound requests to this integration).
  2. Map Attributes: Map OpsRamp entity attributes with Splunk attributes.

    1. Click +Add from the Map Attributes section.

    2. From the Add Map Attributes window, enter the below information:

      • OpsRamp Entity: Select Alert from the dropdown.
      • OpsRamp Property: Select the OpsRamp property from the dropdown.
      • Splunk Entity: Enter the Splunk entity value in the box and click +value in the dropdown to add it. You can add multiple values.
      • Splunk Property: Enter the Splunk property.

      Parsing Condition:

      1. Click +Add to provide a parsing condition.
      2. Select an operator from the dropdown and enter a value in the fields accordingly. The fields vary depending on the operator selected.
      3. Click Save. Click +Add to add more conditions.

      Property Values:

      1. Click +Property Value.
      2. Enter a value in the Splunk Property Value box and select the appropriate value from the OpsRamp Property Value dropdown.
        The options in the OpsRamp Property Value dropdown appear based on the OpsRamp Property selected.
      3. Click Save.
      • Click +Property Value to add more property values.

      Default Value: Alternatively, you can enter/select a default value in the box.

      Note: To map more attributes, click +Entity.

    3. Click Add Map Attributes. The mapped attributes list is added.

      • Click the three dots icon at the end of each row to edit or remove the map attributes.
      • Use the Filter option to filter the map attributes.

  3. Additional Settings: Select the Drop alerts from unmanaged resources checkbox if you do not want to trigger alerts from unmanaged resources.

  4. Enrich and Create Alert: Select a process definition from the dropdown. You can customize the incoming alerts according to the properties defined in the process definition.

  5. Click Finish.

Attributes can be modified at any time.

The following table shows attribute mappings.

Third-Party Entity | OpsRamp Entity | Third-Party Property | OpsRamp Property   | Third-Party Property Value | OpsRamp Property Value
Event              | Alert          | result.status        | alert.currentState | 200                        | Ok
Event              | Alert          | result.status        | alert.currentState | 400                        | Warning
Event              | Alert          | uri_query            | alert.serviceName  |                            |
Event              | Alert          | search_name          | alert.description  |                            |
Event              | Alert          | result.clientip      | alert.deviceName   |                            |
Event              | Alert          | result.req_time      | alert.alertTime    |                            |
Event              | Alert          | search_name          | alert.subject      |                            |

Splunk configuration

Step 1: Configure webhook for search and reporting

  1. Log in to the Splunk Admin UI.
  2. From the left pane of Splunk Cloud Home, click Search & Reporting.
  3. Click Save As and from the drop-down options, click Alert.
  4. Perform the following:
    1. Enter details as required.
    2. For Trigger Actions, click Add Actions and from the drop-down options select Webhook.
    3. For Webhook, enter the Webhook URL noted during the OpsRamp inbound configuration.
    4. Click Save.

Step 2: Configure webhook for the Monitoring Console

  1. From Splunk Cloud Home, click Settings > Monitoring Console, then use Open in Search on the required statistics, performance, or usage view.
  2. Click Save As > Alert.
  3. Enter the alert details and the Webhook URL, then save the alert.

Example request payload

{
  "owner":"eswaropsramp",
  "sid":"scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
  "app":"search",
  "results_link":"https://prd-p-kxc7q86hbsqw.cloud.splunk.com/app/search/@go?sid=scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
  "search_name":"Week toDate",
  "result":{
    "method":"GET",
    "cookie":"",
    "Internal":{
      "test":{
        "name":"Test"
      }
    },
    "_kv":"1",
    "clientip":"91.208.184.24",
    "sourcetype":"access_combined_wcookie",
    "_si":[
      "prd-p-kxc7q86hbsqw",
      "main"
    ],
    "date_hour":"8",
    "version":"1.1",
    "_eventtype_color":"",
    "uri_path":"/category.screen",
    "productId":"",
    "date_mday":"2",
    "eventtype":"",
    "itemId":"EST-11",
    "splunk_server_group":"",
    "root":"",
    "uri_domain":"",
    "referer":"http://www.buttercupgames.com/oldlink?itemId=EST-11",
    "timestartpos":"19",
    "file":"category.screen",
    "uri":"/category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
    "splunk_server":"prd-p-kxc7q86hbsqw",
    "user":"-",
    "categoryId":"ACCESSORIES",
    "timeendpos":"39",
    "_cd":"0:201776",
    "bytes":"2396",
    "date_wday":"wednesday",
    "date_zone":"local",
    "ident":"-",
    "index":"main",
    "useragent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
    "_serial":"0",
    "_sourcetype":"access_combined_wcookie",
    "_bkt":"main~0~B9626C15-AE58-49B8-8B5B-AF85CD3F65CB",
    "source":"tutorialdata.zip:./www1/access.log",
    "status":"200",
    "tag":"",
    "date_month":"october",
    "_raw":"91.208.184.24 - - [02/Oct/2019:08:47:48] \"GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438 HTTP 1.1\" 200 2396 \"http://www.buttercupgames.com/oldlink?itemId=EST-11\" \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\" 614",
    "linecount":"1",
    "punct":"..._-_-_[//:::]_\"_/.?=&=__.\"___\"://../?=-\"_\"/._(;_",
    "tag::eventtype":"",
    "_time":"1570006068",
    "uri_query":"categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
    "date_minute":"47",
    "date_year":"2019",
    "req_time":"02/Oct/2019:08:47:48",
    "host":"127.0.0.1",
    "action":"",
    "other":"614",
    "referer_domain":"http://www.buttercupgames.com",
    "date_second":"48",
    "JSESSIONID":"SD4SL7FF1ADFF50438",
    "_indextime":"1570096125"
  }
}
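As an added example (not OpsRamp's or Splunk's own code), the following Python applies the attribute-mapping table above to the example request payload, including the Property Value translation of result.status and a Default Value for codes the table does not list. The constructed payload excerpt, the dotted-path lookup rule and the "Critical" default are assumptions made for this example.

```python
import json

# Constructed excerpt of the webhook payload shown above (status set to 400).
SPLUNK_PAYLOAD = json.loads("""{
  "search_name": "Week toDate",
  "result": {
    "status": "400",
    "clientip": "91.208.184.24",
    "req_time": "02/Oct/2019:08:47:48",
    "uri_query": "categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438"
  }
}""")

# Rows of the mapping table: (Third-Party Property, OpsRamp Property). Dotted
# names resolve as nested keys: "result.status" is payload["result"]["status"].
ATTRIBUTE_MAP = [
    ("result.status",   "alert.currentState"),
    ("uri_query",       "alert.serviceName"),
    ("search_name",     "alert.description"),
    ("result.clientip", "alert.deviceName"),
    ("result.req_time", "alert.alertTime"),
    ("search_name",     "alert.subject"),
]
# Property Values from the table; the "Critical" Default Value is an assumption.
PROPERTY_VALUES = {"alert.currentState": {"200": "Ok", "400": "Warning"}}
DEFAULT_VALUES = {"alert.currentState": "Critical"}

def lookup(payload, dotted):
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    node = payload
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def map_alert(payload):
    """Apply the mapping table to one Splunk payload to build an OpsRamp alert."""
    alert = {}
    for splunk_prop, opsramp_prop in ATTRIBUTE_MAP:
        value = lookup(payload, splunk_prop)
        if value is None:
            # Absent at that path ("uri_query" sits under "result" here, so
            # alert.serviceName is never set); fall back to a default if any.
            value = DEFAULT_VALUES.get(opsramp_prop)
        elif opsramp_prop in PROPERTY_VALUES:
            value = PROPERTY_VALUES[opsramp_prop].get(str(value), DEFAULT_VALUES.get(opsramp_prop))
        if value is not None:
            alert[opsramp_prop] = value
    return alert
```

Note that the table lists uri_query without the result. prefix, so with this payload alert.serviceName stays empty until the mapping is changed to result.uri_query.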

Next steps

  • View alerts in OpsRamp
    1. From the Workspace drop-down in the OpsRamp console, go to Alerts. On the Alerts page, search with Source name Splunk; the related alerts are displayed.
    2. Click an Alert ID to view its details.