Splunk integration
This integration ingests Splunk alerts and maps them to APEX AIOps Incident Management events automatically.
Create a new integration in Incident Management
Log in to your Incident Management instance.
Choose Integrations > Inbound Integrations > Splunk.
If necessary, click Add Integration to display the full list of integrations.
Click Add New Integration.
The new integration includes a custom endpoint, a set of default mappings to convert Splunk payloads to Incident Management events, and a deduplication key to group similar events into alerts.
(Optional) Once your endpoint starts receiving data from Splunk, you can customize how the integration maps and deduplicates this data. To learn more about mapping and deduplication, read Use mapping types in custom integrations and Deduplicate events to reduce noise.
Configure your Splunk instance
Create and send alerts
Once your configuration is complete, you can send data to Incident Management in various ways by customizing your alerts in Splunk.
Create a scheduled alert
To create a scheduled alert to send data in bulk to Incident Management:
Note
To avoid sending large Splunk payloads to Incident Management, it is good practice to send alerts at intervals of five minutes or less.
Set alerts for the data you want to ingest as defined by your search string:
search-query-string | fields *
Click Save As > Alert and specify an alert name.
Under Settings, select Alert Type as “Scheduled”.
Configure the alert schedule.
Under Trigger Actions, click Add Actions > AIOps Incident Management Integration.
Add additional trigger actions as deemed appropriate. For example, click Add Actions > Add to Triggered Alerts.
Click Save.
Bulk conversion of events
You can also perform bulk conversion of existing alerts to add (or remove) the AIOps_Incident_Management_Integration action. Use the commands adddellaiopsimevent and removedellaiopsimevent in conjunction with a Splunk SPL command that queries the Splunk REST API.
For example, to add the AIOps_Incident_Management_Integration action to all existing saved searches that have associated actions, you can use the following SPL query:
| rest /services/saved/searches | adddellaiopsimevent
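As an added check that is not part of the Splunk or Incident Management documentation, the script below parses the JSON that the same /services/saved/searches endpoint returns (output_mode=json) and reports which saved searches carry the AIOps_Incident_Management_Integration action, and which of those are scheduled less often than the five-minute interval recommended in the note above. The REST response is a constructed sample; the simple cron-interval check is an assumption of this example and only understands "*/N * * * *" schedules.

```python
"""Audit Splunk saved searches for the Incident Management alert action.

Added example, not product code. Input is the JSON body returned by
GET /services/saved/searches?output_mode=json; each entry's content.actions
is a comma-separated list of enabled alert actions.
"""
import json
import re

ACTION = "AIOps_Incident_Management_Integration"
MAX_INTERVAL_MIN = 5  # interval recommended by the note above

# Constructed sample response; a real response carries many more fields.
SAMPLE_REST_JSON = json.dumps({"entry": [
    {"name": "Failed logins",
     "content": {"actions": "email," + ACTION, "cron_schedule": "*/5 * * * *"}},
    {"name": "Daily summary",
     "content": {"actions": ACTION, "cron_schedule": "0 6 * * *"}},
    {"name": "Disk usage",
     "content": {"actions": "email", "cron_schedule": "*/15 * * * *"}},
]})


def cron_interval_minutes(cron):
    """Return N for a '*/N * * * *' schedule; None for anything else (assumption:
    other cron forms are reported for manual review rather than parsed)."""
    match = re.fullmatch(r"\*/(\d+) \* \* \* \*", cron.strip())
    return int(match.group(1)) if match else None


def audit(rest_json):
    """Classify saved searches by whether they forward to Incident Management."""
    report = {"forwarding": [], "not_forwarding": [], "slow_or_unknown": []}
    for entry in json.loads(rest_json)["entry"]:
        content = entry["content"]
        actions = [a.strip() for a in content.get("actions", "").split(",") if a.strip()]
        if ACTION not in actions:
            report["not_forwarding"].append(entry["name"])
            continue
        report["forwarding"].append(entry["name"])
        interval = cron_interval_minutes(content.get("cron_schedule", ""))
        if interval is None or interval > MAX_INTERVAL_MIN:
            report["slow_or_unknown"].append(entry["name"])
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_REST_JSON).items():
        print(f"{bucket}: {names}")
```

Searches listed under not_forwarding are candidates for the adddellaiopsimevent bulk conversion; those under slow_or_unknown should have their schedule reviewed against the five-minute guidance.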
Create real-time alerts option
To create a real-time alert that sends an individual set of event data (the preferred way to avoid sending large payloads):
Set alerts for the data you want to ingest as defined by your search string: search-query-string.
Click Save As > Alert and specify an alert name.
Configure the alert schedule and select Alert Type as “Real Time”.
Set Alert Actions as “AIOps Incident Management Integration” and specify details.
Specify a search string option
From the Splunk New Search page, specify a search string for sending data to Incident Management:
search-query-string | dellaiopsimevent
For example, to send data in bulk, use the search string:
source="http:test" | dellaiopsimevent
For more information, go to docs.splunk.com and search for alerts.