Splunk captures, indexes, and correlates real-time application, security and compliance data in a searchable repository from which it can generate alerts, dashboards, and visualizations.

Verified on Splunk version: 8.0

OpsRamp configuration

Step 1: Install the integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page, where all the installed applications are displayed. Note: If there are no installed applications, it will navigate to the Available Integrations and Apps page.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
    Note: You can even search for the application using the search option available. Also yu can use the All Categories option to search.
  6. Click ADD in the Splunk application and click Install.
  7. Select authentication type as WEBHOOK and click Save.
  8. Make a note of Tenant ID, Token and Webhook URL.
    These details are used while creating an HTTP Request template during Splunk configuration.
  9. Click Save.

Step 2: Configure the integration

  1. From the API tab, enter:
    • Authentication: Copy Tenant Id, Token and Webhook URL for configuration. These settings are used for creating a HTTP Request template.
    • Map Attributes: Enter the mapping information for the third-party.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values, and Save.

Attributes can be modified at any time.

The following table shows attribute mappings.

Third-Party EntityOpsRamp EntityThird-Party PropertyOpsRamp PropertyThird-Party Property ValueOpsRamp Property Value
EventAlertresult.statusalert.currentState200Ok
EventAlertresult.statusalert.currentState400Warning
EventAlerturi_queryalert.serviceName
EventAlertsearch_namealert.description
EventAlertresult.clientipalert.deviceName
EventAlertresult.req_timealert.alertTime
EventAlertsearch_namealert.subject

Splunk configuration

Step 1: Configure webhook for search and reporting

  1. Log into Splunk Admin UI.
  2. From the left pane of Splunk Cloud Home, click Search & Reporting.
  3. Click Save As and from the drop-down options, click Alert.
  4. Perform the following:
    1. Enter details as required.
    2. For Trigger Actions, click Add Actions and from the drop-down options select Webhook.
    3. For Webhook, enter the server URL to connect.
    4. Click Save.

Step 2: Configure webhook for the monitoring Console

  1. From Splunk Cloud Home, click Settings, Monitor Console. Open in Search for required statistics, performance, or usage.
  2. Click Save As, Alert.
  3. Enter the alert details, webhook URL, and save the alert.

Example request payload

{
"owner":"eswaropsramp",
"sid":"scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
"app":"search",
"results_link":"<https://prd-p-kxc7q86hbsqw.cloud.splunk.com/app/search/@go?sid=scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80>)",
"search_name":"Week toDate",
"result":{
"method":"GET",
"cookie":"",
"Internal":
{
"test":{
"name":"Test"
}
},
"_kv":"1",
"clientip":"91.208.184.24",
"sourcetype":"access\_combined\_wcookie",
"_si":\[
"prd-p-kxc7q86hbsqw",
"main"
],
"date_hour":"8",
"version":"1.1",
"_eventtype_color":"",
"uri_path":"/category.screen",
"productId":"",
"date_mday":"2",
"eventtype":"",
"itemId":"EST-11",
"splunk_server_group":"",
"root":"",
"uri_domain":"",
"referer":"[http://www.buttercupgames.com/oldlink?itemId=EST-11](http://www.buttercupgames.com/oldlink?itemId=EST-11)",
"timestartpos":"19",
"file":"category.screen",
"uri":"/category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
"splunk_server":"prd-p-kxc7q86hbsqw",
"user":"-",
"categoryId":"ACCESSORIES",
"timeendpos":"39",
"_cd":"0:201776",
"bytes":"2396",
"date_wday":"wednesday",
"date_zone":"local",
"ident":"-",
"index":"main",
"useragent":"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
"_serial":"0",
"_sourcetype":"access_combined_wcookie",
"_bkt":"main~0~B9626C15-AE58-49B8-8B5B-AF85CD3F65CB",
"source":"tutorialdata.zip:./www1/access.log",
"status":"200",
"tag":"",
"date_month":"october",
"_raw":"91.208.184.24 - - [02/Oct/2019:08:47:48\] " GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438 HTTP 1.1" 200 2396 "[http://www.buttercupgames.com/oldlink?itemId=EST-11](http://www.buttercupgames.com/oldlink?itemId=EST-11)" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)" 614",
"linecount":"1",
"punct":"..._-_-_[//:::]_"_/.?=&=__."___"://../?=-"_"/._(;_",
"tag::eventtype":"",
"_time":"1570006068",
"uri_query":"categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
"date_minute":"47",
"date_year":"2019",
"req_time":"02/Oct/2019:08:47:48",
"host":"127.0.0.1",
"action":"",
"other":"614",
"referer_domain":"[http://www.buttercupgames.com](http://www.buttercupgames.com/)",
"date_second":"48",
"JSESSIONID":"SD4SL7FF1ADFF50438",
"_indextime":"1570096125"
}
}

Next steps

  • View alerts in OpsRamp
    1. From Workspace drop-down options at OpsRamp Console, go to Alerts and on the Alerts page, search with the Source name as Splunk. Related alerts are displayed.
    2. Click an Alert ID to view.