Splunk integration

This integration ingests Splunk alerts and maps them to Moogsoft Cloud events automatically.

Create a new integration in Moogsoft Cloud

  1. Log in to your Moogsoft Cloud instance.

  2. Choose Data Config > Ingestion Services > Splunk.

  3. Click Add New Integration.

The new integration includes a custom endpoint, a set of default mappings to convert Splunk payloads to Moogsoft Cloud events, and a deduplication key to group similar events into alerts.

(Optional) Once your endpoint starts receiving data from Splunk, you can customize how the integration maps and deduplicates this data. For more information, see Map external data to the Moogsoft Cloud schema and Test your deduplication key under Define a custom integration.

Configure your Splunk instance

Create and send alerts

Once your configuration is complete, you can send data to Moogsoft Cloud in several ways by customizing your alerts in Splunk.

Create a scheduled alert

To create a scheduled alert to send data in bulk to Moogsoft Cloud:

Note

To avoid sending large Splunk payloads to Moogsoft Cloud, it is good practice to send alerts at intervals of five minutes or less.

  1. Set alerts for the data you want to ingest as defined by your search string: search-query-string | fields *

  2. Click Save As > Alert and specify an alert name.

  3. Under Settings, select Alert Type as “Scheduled”.

  4. Configure the alert schedule.

  5. Under Trigger Actions, click Add Actions > Moogsoft Alert Integration.

  6. Add further trigger actions as appropriate. For example, click Add Actions > Add to Triggered Alerts.

  7. Click Save.

Bulk conversion of events

You can also perform bulk conversion of existing alerts to add (or remove) the Moog_Integration action. Use the commands addmoogsoftevent and removemoogsoftevent in conjunction with the SPL rest command, which queries the Splunk REST API.

For example, to add the Moog_Integration action to all existing saved searches that have associated actions, you can use the following SPL query:

| rest /services/saved/searches | addmoogsoftevent
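After a bulk conversion, every saved search returned by the rest command carries the Moogsoft action, including searches whose schedules are far coarser than the five-minute interval recommended above for scheduled alerts. The following script is an added example (not part of the Moogsoft or Splunk documentation) that reads the JSON form of the same /services/saved/searches endpoint and reports scheduled searches that have the action enabled but run less often than every five minutes. The action name "Moog_Integration" is taken from the text above but treated as an assumption, and the REST response embedded in the script is constructed sample data rather than a real capture.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Name of the alert action the Moogsoft app registers. The page calls it
# "Moog_Integration"; treat the exact string as an assumption and check it against
# `| rest /services/saved/searches | table title actions` on your own instance.
MOOG_ACTION = "Moog_Integration"
MAX_INTERVAL_MIN = 5  # scheduled alerts should run every five minutes or less

# Constructed sample of /services/saved/searches?output_mode=json output (not a
# real capture); only the fields this script reads are included.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "web_errors_5m",
         "content": {"is_scheduled": True, "cron_schedule": "*/5 * * * *",
                     "actions": "Moog_Integration, list"}},
        {"name": "auth_failures_hourly",
         "content": {"is_scheduled": True, "cron_schedule": "0 * * * *",
                     "actions": "Moog_Integration"}},
        {"name": "disk_usage_report",
         "content": {"is_scheduled": True, "cron_schedule": "*/15 * * * *",
                     "actions": "email"}},
        {"name": "unscheduled_search",
         "content": {"is_scheduled": False, "cron_schedule": "",
                     "actions": "Moog_Integration"}},
    ]
})


@dataclass
class Finding:
    name: str
    interval_min: Optional[int]  # None when the cron expression is not a plain interval


def cron_interval_minutes(cron_schedule: str) -> Optional[int]:
    """Return the repeat interval in minutes for the simple cron shapes Splunk
    alerts usually use: '*/N * * * *' -> N, '* * * * *' -> 1, 'M * * * *' -> 60.
    Anything more elaborate returns None so the caller can review it by hand."""
    fields = cron_schedule.split()
    if len(fields) != 5:
        return None
    minute, hour, *rest = fields
    if hour != "*" or any(f != "*" for f in rest):
        return None  # hour/day restrictions are not a plain repeating interval
    if minute == "*":
        return 1
    if minute.startswith("*/") and minute[2:].isdigit():
        return int(minute[2:])
    if minute.isdigit():
        return 60
    return None


def has_action(actions: str, action: str) -> bool:
    """Splunk stores the enabled alert actions as a comma-separated string."""
    return action in {a.strip() for a in actions.split(",") if a.strip()}


def audit_saved_searches(response_json: str) -> List[Finding]:
    """Parse a saved/searches REST response and list every scheduled search that
    has the Moogsoft action but runs less often than MAX_INTERVAL_MIN allows
    (or on a schedule the interval parser cannot reduce)."""
    findings = []
    for entry in json.loads(response_json)["entry"]:
        content = entry["content"]
        if not content.get("is_scheduled"):
            continue
        if not has_action(content.get("actions", ""), MOOG_ACTION):
            continue
        interval = cron_interval_minutes(content.get("cron_schedule", ""))
        if interval is None or interval > MAX_INTERVAL_MIN:
            findings.append(Finding(entry["name"], interval))
    return findings


if __name__ == "__main__":
    for f in audit_saved_searches(SAMPLE_RESPONSE):
        print(f"{f.name}: interval {f.interval_min} min exceeds {MAX_INTERVAL_MIN} min")
```

Against the sample data only auth_failures_hourly is reported: it sends to Moogsoft but runs hourly, so each run can carry a large payload. Searches without the action and unscheduled searches are ignored, and a cron expression with hour or day restrictions is reported with interval None so it can be reviewed by hand rather than silently passed.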

Create a real-time alert

To create a real-time alert that sends each set of matching events individually (the preferred way to avoid sending large payloads):

  1. Set alerts for the data you want to ingest as defined by your search string: search-query-string

  2. Click Save As > Alert and specify an alert name.

  3. Configure the alert schedule and select Alert Type as “Real Time”.

  4. Set Alert Actions as “Moogsoft Alert Integration” and specify the details.

Specify a search string

From the Splunk New Search page, specify a search string that pipes the results to the moogsoftevent command to send data to Moogsoft Cloud:

search-query-string | moogsoftevent

For example, to send data in bulk, use the search string:

source="http:test" | moogsoftevent

For more information, go to docs.splunk.com and search for alerts.

2022-08-09T19:32:44-04:00