Splunk integration

This integration ingests Splunk alerts and maps them to APEX AIOps Incident Management events automatically.

Create a new integration in Incident Management

Log in to your Incident Management instance.
Choose Integrations > Inbound Integrations > Splunk.
If necessary, click Add Integration to display the full list of integrations.
Click Add New Integration.

The new integration includes a custom endpoint, a set of default mappings to convert Splunk payloads to Incident Management events, and a deduplication key to group similar events into alerts.

(Optional) Once your endpoint starts receiving data from Splunk, you can customize how the integration maps and deduplicates this data. To learn more about mapping and deduplication, read Use mapping types in custom integrations and Deduplicate events to reduce noise.

Configure your Splunk instance

From the Splunk home page > Apps column (left), click Find More Apps.
Search for "Dell AIOps Incident Management" and install the following app: Dell AIOps Incident Management (previously Moogsoft Cloud) Add-on for Splunk
Select Apps > Manage Apps from the top-left menu.
In the Splunk Apps table > AIOps Incident Management row > Actions column, click Set up.
Configure the settings for your new integration as defined below:
- Incident Management URL: Your Incident Management Endpoint, as provided in the Incident Management web UI under Integrations > Inbound Integrations > Splunk > your-integration-name > Configure Information > Incident Management Endpoint.
- Incident Management API Key: Your Incident Management API key.
  To create a new API key to use with your integration, follow the instructions in Manage API keys.
- Max Batch Size (KB): 1000
Note
For this integration, do not check the box next to “Configure AIOps Incident Management On-Prem Edition".
If you are using a Splunk distributed environment, you should install and configure the app on Indexer and Search Head. Both the Indexer and Search Head must have Internet access.
Configure permissions and role (other than ADMIN user):
1. From the top-right menu, select Settings > Roles.
2. From the Roles page, click New Role. Provide a name for the new role.
3. Under the Capabilities section, enable the following permissions by checking their boxes:
  - list_storage_passwords
  - schedule_search
  - schedule_rtsearch
  - install_apps
  Note
  These permissions must be enabled for the application to work correctly.
4. Click Create.
5. From the top-right menu, navigate to Settings > Users.
6. Select a user to assign the new role to and click Edit next to their name.
7. Under Assign roles > Available item(s), select the new role you created.
8. Click Save.

After you complete the configuration, Splunk sends new alerts to Incident Management.

Create and send alerts

Once your configuration is complete you can send data in various ways to Incident Management by customizing your alerts in Splunk.

Create a scheduled alert

To create a scheduled alert to send data in bulk to Incident Management:

Note

To avoid sending large Splunk payloads to Incident Management, it is good practice to send alerts at intervals of five minutes or less.

Set alerts for the data you want to ingest as defined by your search string: search-query-string | field *
Click Save As > Alert and specify an alert name.
Under Settings, select Alert Type as “Scheduled”.
Configure the alert schedule.
Under Trigger Actions, click Add Actions > AIOps Incident Management Integration.
Add additional trigger actions as deemed appropriate. For example, click Add Actions >Add to Triggered Alerts.
Click Save.

Bulk conversion of events

You can also perform bulk conversion of existing alerts to add (or remove) the AIOps_Incident_Management_Integration action. Use the commands adddellaiopsimevent and removedellaiopsimevent, in conjunction with a Splunk SPL command that queries the Splunk REST API.

For example, to add the AIOps_Incident_Management_Integration to all existing saved searches that have associated actions, you can use the following SPL query:

| rest /services/saved/searches | adddellaiopsimevent

Create real-time alerts option

To create a Real Time alert in order to send an individual set of event data (this is the preferred way to avoid sending large payloads):

Set alerts for the data you want to ingest as defined by your search string: search-query-string.
Click Save As > Alert and specify an alert name.
Configure the alert schedule and select Alert Type as “Real Time”.
Set Alert Actions as “AIOps Incident Management Integration” and specify details.

Specify a search string option

From the Splunk New Search page, specify a search string for sending data to Incident Management:

search-query-string | dellaiopsimevent

For example, to send data in bulk, use the search string:

source="http:test" | dellaiopsimevent

For more information, go to docs.splunk.com and search for alerts.

In this section:

Splunk integration

Create a new integration in Incident Management

Configure your Splunk instance

Note

Note

Create and send alerts

Note

Search results