Splunk Streaming Add-On
If you have installed the Moogsoft Enterprise Splunk integration, you can configure the Streaming Add-On, which enables you to use the streammoog
command to send results from the Splunk search pipeline as alerts to Moogsoft Enterprise.
The Splunk Streaming Add-On is compatible with distributed deployments. If you are installing the Add-On in a distributed deployment, you only need to do so on the Splunk search head.
See the Splunk documentation for more information.
Refer to the Moogsoft Enterprise Splunk Integrations topic for more information about setting up the integration.
Before You Begin
The Streaming Add-On has been validated with Splunk v7.2 and v7.3. Before you start to set up your integration, ensure you have met the following requirements:
You have an active Splunk account.
You have installed the Splunk integration in Moogsoft Enterprise. Refer to Splunk Integrations for more information.
You have the permissions required to run the
streammoog
command in Splunk.Splunk can make requests to external endpoints over port 443.
Configure the Splunk Streaming Add-On Integration
To configure the Streaming Add-On integration:
Navigate to the Integrations tab.
Click Splunk Streaming Add-On in the Monitoring section.
Provide a unique integration name. You can use the default name or customize the name according to your needs.
Configure the Splunk Streaming Add-On
Log in to Splunk and install the Streaming Add-On in order to allow search results to be streamed from Splunk to Moogsoft Enterprise.
Install the Streaming Add-On from Apps in the console or from Splunkbase, the Splunk marketplace.
If you are using on-premises versions of Splunk and Moogsoft Enterprise, copy the
server.pem
file to<splunk_home>/etc/apps/TA-Moogsoft-Streaming/bin/
.Note
You can also store or copy a Moogsoft Enterprise certificate in
<splunk_home>/etc/apps/TA-Moogsoft-Streaming/local
.To do this, configure the relative path in the 'Moogsoft Certificate Path' with '
../local/server.pem
'.Configure the Streaming Add-On to enable search results to be streamed as follows:
Field
Value
Moogsoft Integration URL
<url of the integration>
For example: https://<localhost>/events/splunk_lam_splunk1
Default Alert Severity
Select a default severity to assign. Clear, Info, Minor, Major, Critical.
Moogsoft Certificate Path
Enter your certificate location if using an on-premises version of Moogsoft Enterprise and Splunk. Otherwise leave empty.
Max Batch Size (KB)
Enter the maximum batch size of result sets to send to Moogsoft Enterprise . The batch size cannot be smaller than 1024 kilobytes; there is no upper limit.
Save the changes.
After you complete the configuration, you can use the streammoog
command in the Splunk search pipeline to send search results as alerts to Moogsoft Enterprise. For more information on using the streammoog
command, see the Splunk documentation.