Splunk Streaming Add-On

If you have installed the Splunk integration, you can configure the Streaming Add-On, which enables you to use the streammoog command to send results from the Splunk search pipeline as alerts to Moogsoft Enterprise.

The Splunk Streaming Add-On is compatible with distributed deployments. If you are installing the Add-On in a distributed deployment, you only need to do so on the search head.

See the Splunk documentation for more information.

Before You Begin

The Streaming Add-On has been validated with Splunk v7.2 and v7.3. Before you start to set up your integration, ensure you have met the following requirements:

  • You have an active Splunk account.

  • You have installed the Splunk integration in Moogsoft Enterprise.

  • You have the permissions required to run the streammoog command in Splunk.

  • Splunk can make requests to external endpoints over port 443.

Configure the Splunk Streaming Add-On Integration

To configure the Streaming Add-On integration:

  1. Navigate to the Integrations tab.

  2. Click Splunk Streaming Add-On in the Monitoring section.

  3. Provide a unique integration name. You can use the default name or customize the name according to your needs.

Configure the Splunk Streaming Add-On

Log in to Splunk and install the Streaming Add-On in order to allow search results to be streamed from Splunk to Moogsoft Enterprise.

  1. Install the Streaming Add-On from Apps in the console or from Splunkbase, the Splunk marketplace.

    If you are using on-premises versions of Splunk and Moogsoft Enterprise, copy the server.pem file to <splunk_home>/etc/apps/TA-Moogsoft-Streaming/bin/.

    Note

    You can also store or copy a Moogsoft Enterprise certificate in <splunk_home>/etc/apps/TA-Moogsoft-Streaming/local.

    To do this, enter the relative path '../local/server.pem' in the 'Moogsoft Certificate Path' field.

  2. Configure the Streaming Add-On to enable search results to be streamed as follows:

    Field                        Value
    Moogsoft Integration URL     <url of the integration>. For example: https://<localhost>/events/splunk_lam_splunk1
    Default Alert Severity       Select a default severity to assign: Clear, Info, Minor, Major, or Critical.
    Moogsoft Certificate Path    Enter your certificate location if using on-premises versions of Moogsoft Enterprise and Splunk. Otherwise leave empty.
    Max Batch Size (KB)          Enter the maximum batch size of result sets to send to Moogsoft Enterprise. The batch size cannot be smaller than 1024 kilobytes; there is no upper limit.

  3. Save the changes.
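The following Python script is an added pre-flight check written for this page; it is not part of the Streaming Add-On or of Moogsoft's documentation. It encodes the constraints from the configuration table (HTTPS endpoint reachable over port 443, one of the five listed severities, a batch size of at least 1024 KB) and resolves a relative certificate path the way a process started from the Add-On's bin/ directory would, so that '../local/server.pem' lands in the local/ directory described in the note above. The field names are used as dictionary keys, ADDON_BIN_DIR follows the path from step 1 with <splunk_home> left as a placeholder, the host name moog.example.internal and the file set passed in are constructed sample values, and the check takes the set of existing files as an argument so it runs without touching a real Splunk install.

```python
"""Pre-flight check for Splunk Streaming Add-On settings (illustrative; not the Add-On's own code)."""
import posixpath
from urllib.parse import urlsplit

# Assumed layout from step 1 of the page; <splunk_home> is left as a placeholder.
SPLUNK_HOME = "<splunk_home>"
ADDON_BIN_DIR = f"{SPLUNK_HOME}/etc/apps/TA-Moogsoft-Streaming/bin"

# Constraints taken from the configuration table.
ALLOWED_SEVERITIES = ("Clear", "Info", "Minor", "Major", "Critical")
MIN_BATCH_SIZE_KB = 1024
EXPECTED_PORT = 443


def resolve_certificate_path(cert_path: str) -> str:
    """Resolve the 'Moogsoft Certificate Path' value relative to the Add-On's bin/ directory."""
    if posixpath.isabs(cert_path):
        return posixpath.normpath(cert_path)
    return posixpath.normpath(posixpath.join(ADDON_BIN_DIR, cert_path))


def validate_streaming_config(cfg: dict, existing_files: frozenset) -> list:
    """Return a list of human-readable problems; an empty list means the settings pass every check."""
    problems = []

    # Moogsoft Integration URL: must be HTTPS and use the 443 endpoint Splunk is allowed to reach.
    url = cfg.get("Moogsoft Integration URL", "")
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"Integration URL must use https, got scheme '{parts.scheme or '<none>'}'")
    if parts.port not in (None, EXPECTED_PORT):
        problems.append(f"Integration URL uses port {parts.port}; Splunk is expected to reach the endpoint over {EXPECTED_PORT}")

    # Default Alert Severity: one of the five values the Add-On offers.
    severity = cfg.get("Default Alert Severity")
    if severity not in ALLOWED_SEVERITIES:
        problems.append(f"Default Alert Severity '{severity}' is not one of {', '.join(ALLOWED_SEVERITIES)}")

    # Max Batch Size (KB): integer, at least 1024, no upper limit.
    raw_batch = cfg.get("Max Batch Size (KB)")
    try:
        batch_kb = int(raw_batch)
    except (TypeError, ValueError):
        problems.append(f"Max Batch Size (KB) '{raw_batch}' is not an integer")
    else:
        if batch_kb < MIN_BATCH_SIZE_KB:
            problems.append(f"Max Batch Size (KB) {batch_kb} is below the minimum of {MIN_BATCH_SIZE_KB}")

    # Moogsoft Certificate Path: optional (empty for SaaS); when set, the file must exist where
    # the Add-On will look for it, i.e. relative to bin/.
    cert_path = cfg.get("Moogsoft Certificate Path", "")
    if cert_path:
        resolved = resolve_certificate_path(cert_path)
        if resolved not in existing_files:
            problems.append(f"Certificate path '{cert_path}' resolves to '{resolved}', which does not exist")

    return problems


# Constructed sample settings and file listing for an on-premises deployment.
SAMPLE_FILES = frozenset({f"{SPLUNK_HOME}/etc/apps/TA-Moogsoft-Streaming/local/server.pem"})
SAMPLE_GOOD = {
    "Moogsoft Integration URL": "https://moog.example.internal/events/splunk_lam_splunk1",
    "Default Alert Severity": "Minor",
    "Moogsoft Certificate Path": "../local/server.pem",
    "Max Batch Size (KB)": "2048",
}
SAMPLE_BAD = {
    "Moogsoft Integration URL": "http://moog.example.internal:8080/events/splunk_lam_splunk1",
    "Default Alert Severity": "Warning",
    "Moogsoft Certificate Path": "../local/missing.pem",
    "Max Batch Size (KB)": "512",
}

if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        issues = validate_streaming_config(cfg, SAMPLE_FILES)
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Running the script with a real file listing (for example the output of a directory walk under <splunk_home>/etc/apps/TA-Moogsoft-Streaming) catches the common mistake of entering a path relative to local/ rather than bin/, which otherwise only surfaces as a TLS failure when the first streammoog search runs.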

After you complete the configuration, you can use the streammoog command in the Splunk search pipeline to send search results as alerts to Moogsoft Enterprise. For more information on using the streammoog command, see the Splunk documentation.