Splunk
You can install the Splunk integration to post data to Moogsoft Onprem when an alert occurs.
The Splunk integration does not support authentication options. In its default SSL mode the add-on does not allow certificate verification to be bypassed, so Splunk must be able to validate the Moogsoft Onprem server certificate (see the certificate steps under Configure the Splunk Add-On).
See the Splunk documentation for more information.
Before You Begin
The Moogsoft Onprem Splunk integration has been validated with Splunk versions 6.5, 6.6, 7.0, 7.1, 7.2, 7.3, 8.0, 8.1, and 8.2. Before you start to set up your integration, ensure you have met the following requirements:
You have an active Splunk account.
Splunk can make requests to external endpoints over port 443.
Configure the Splunk Integration
To configure the Splunk integration:
Navigate to the Integrations tab.
Click Splunk in the Monitoring section.
Provide a unique integration name. You can use the default name or customize the name according to your needs.
Configure the Splunk Add-On
Log in to Splunk and install the Moogsoft Onprem Add-On in order to send alerts from Splunk to Moogsoft Onprem.
Note
The current Moogsoft Splunk Integration in Splunkbase is titled the Moogsoft App.
If you downloaded an older version of the Splunk Add-On for Moogsoft AIOps supporting v7.2 and v7.3, see the topic Splunk Streaming Add-On for configuration information.
The Add-On uses Splunk search to fetch data from Splunk and sends it to Moogsoft Onprem. If you are installing the Add-On in a distributed deployment, you only need to install it on the search head.
Install the add-on from Apps in the console or from Splunkbase, the Splunk marketplace.
If you are using on-premises versions of Splunk and Moogsoft Onprem, copy the server.pem file to <splunk_home>/etc/apps/TA-Splunk-Moogsoft/bin.
Note
You can also store or copy a Moogsoft Onprem certificate in <splunk_home>/etc/apps/TA-Splunk-Moogsoft/local. To do this, set the 'Moogsoft Certificate Path' field to the relative path '../local/server.pem' (relative paths are resolved from the add-on's bin directory).
Configure the triggers for Splunk alerts to be forwarded to the integration as follows:
Field | Value
URL | <url of the integration>. For example: https://<localhost>/events/splunk_lam_splunk1
Alert Severity | Enter a severity: Clear, Indeterminate, Minor, Major, or Critical.
Moogsoft Onprem Certificate | Enter the certificate location if you are using on-premises versions of Moogsoft Onprem and Splunk. Otherwise leave empty.
Save the changes.
After you complete the configuration, Splunk sends new alerts to Moogsoft Onprem. See the following topic for more information about sending alerts.
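The following pre-flight script is an added example (not Moogsoft's or Splunk's own code) that checks the three add-on fields above before you save them: it requires an https URL on port 443 with an /events/ path, restricts the severity to the listed values, resolves a relative 'Moogsoft Certificate Path' from the add-on's bin directory the way the note describes, and can open a strictly verified TLS connection to the integration host, which is the check the add-on itself performs in its default SSL mode. The function names, the /opt/splunk home and the example host are assumptions.

```python
"""Pre-flight checks for the Moogsoft Onprem Splunk Add-On settings.

Added example, not Moogsoft's or Splunk's own code. Function names,
the /opt/splunk default and the sample host are assumptions.
"""
import os
import socket
import ssl
from urllib.parse import urlparse

ADDON_APP = os.path.join("etc", "apps", "TA-Splunk-Moogsoft")
ADDON_BIN = os.path.join(ADDON_APP, "bin")
SEVERITIES = ("Clear", "Indeterminate", "Minor", "Major", "Critical")


def resolve_cert_path(splunk_home, cert_path):
    """Resolve the 'Moogsoft Certificate Path' field.

    Empty means no custom certificate. A relative value such as
    '../local/server.pem' is resolved against the add-on's bin directory,
    so it lands in <splunk_home>/etc/apps/TA-Splunk-Moogsoft/local/server.pem.
    """
    if not cert_path:
        return None
    if os.path.isabs(cert_path):
        return os.path.normpath(cert_path)
    return os.path.normpath(os.path.join(splunk_home, ADDON_BIN, cert_path))


def validate_settings(url, severity, splunk_home="/opt/splunk", cert_path=""):
    """Return a list of problems; an empty list means the settings are sane."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("URL must use https; the add-on does not bypass certificate checks")
    if not parts.hostname:
        problems.append("URL has no host")
    if parts.port not in (None, 443):
        problems.append("Splunk must reach the integration over port 443")
    if not parts.path.startswith("/events/"):
        problems.append("URL path should be the integration endpoint, e.g. /events/splunk_lam_splunk1")
    if severity not in SEVERITIES:
        problems.append("severity must be one of %s" % ", ".join(SEVERITIES))
    resolved = resolve_cert_path(splunk_home, cert_path)
    if resolved is not None:
        # bin/ and local/ under the add-on are the only documented locations.
        app_root = os.path.normpath(os.path.join(splunk_home, ADDON_APP))
        if not resolved.startswith(app_root + os.sep):
            problems.append("certificate path escapes the TA-Splunk-Moogsoft app directory")
    return problems


def check_tls(url, cafile=None, timeout=5.0):
    """Open a fully verified TLS connection to the integration host.

    No bypass, like the add-on's default SSL mode. For a self-signed
    Moogsoft Onprem certificate pass the copied server.pem as cafile;
    without it the handshake raises ssl.SSLCertVerificationError, which is
    the failure the add-on would hit. Returns the negotiated TLS version.
    """
    parts = urlparse(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Constructed sample values; replace with your own. check_tls() is only
    # useful against a live Moogsoft Onprem host, so it is not called here.
    url = "https://moogsoft.example.com/events/splunk_lam_splunk1"
    print(validate_settings(url, "Major", "/opt/splunk", "../local/server.pem"))
    print(resolve_cert_path("/opt/splunk", "../local/server.pem"))
```

Run validate_settings() with the exact values you intend to enter in the add-on; if it returns an empty list, run check_tls(url, cafile=resolve_cert_path(splunk_home, cert_path)) from the search head to confirm the certificate chain is accepted before you save the configuration.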
Create and send alerts
Once your configuration is complete you can send data in various ways to Moogsoft by customizing your alerts in Splunk. For more information, go to docs.splunk.com and search for alerts.
Create a scheduled alert
To create a scheduled alert to send data in bulk to Moogsoft Onprem:
Set alerts for the data you want to ingest as defined by your search string:
search-query-string | fields *
Click Save As > Alert and specify an alert name.
Under Settings, select Alert Type as “Scheduled”.
Configure the alert schedule.
Under Trigger Actions, click Add Actions > Moogsoft Alert Integration.
Add additional trigger actions as deemed appropriate. For example, click Add Actions > Add to Triggered Alerts.
Click Save.
Note
To avoid sending large Splunk payloads to Moogsoft Onprem, it is good practice to schedule alerts at intervals of five minutes or less.
Bulk conversion of events
You can also bulk-convert existing alerts to add (or remove) the Moog_Integration action. The commands addmoogsoftevent and removemoogsoftevent are used together with an SPL command that queries the Splunk REST API.
For example, to add the Moog_Integration to all existing saved searches that have associated actions, you can use the following SPL query:
| rest /services/saved/searches | addmoogsoftevent
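Before running the conversion against every saved search, it helps to preview what it will touch. The script below is an added example, not the Moog_Integration add-on's own addmoogsoftevent command: it reads the JSON that Splunk's /services/saved/searches endpoint returns, selects the saved searches that already have alert actions (the same population the SPL above targets), computes the new value of Splunk's comma-separated actions attribute with the Moogsoft action added, and flags scheduled alerts that fire less often than every five minutes, per the note above. The action name moogsoft_alert and the embedded response are assumptions/constructed data; the real key is whatever the installed add-on registers.

```python
"""Dry run of the bulk conversion: added example, not Moogsoft's own command.

MOOG_ACTION and SAMPLE_RESPONSE are assumptions/constructed data.
"""
import json
import re

# Assumed: the savedsearches.conf action name the add-on registers.
MOOG_ACTION = "moogsoft_alert"
MAX_INTERVAL_MINUTES = 5

# Constructed, trimmed sample of GET /services/saved/searches?output_mode=json
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "Failed SSH logins", "content": {
            "actions": "email", "is_scheduled": "1", "cron_schedule": "*/5 * * * *"}},
        {"name": "Disk nearly full", "content": {
            "actions": "email,script", "is_scheduled": "1", "cron_schedule": "0 * * * *"}},
        {"name": "Ad-hoc report", "content": {
            "actions": "", "is_scheduled": "0", "cron_schedule": ""}},
        {"name": "Already forwarded", "content": {
            "actions": "moogsoft_alert", "is_scheduled": "1", "cron_schedule": "*/1 * * * *"}},
    ]
})


def cron_interval_minutes(cron):
    """Interval in minutes for the common cron shapes; None if not recognised."""
    fields = cron.split()
    if len(fields) != 5:
        return None
    minute, hour = fields[0], fields[1]
    if hour != "*":
        return None
    if minute == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step:
        return int(step.group(1))
    if minute.isdigit():
        return 60
    return None


def plan_bulk_add(response_json, action=MOOG_ACTION):
    """Map saved-search name -> {"actions": new value, "warning": text or None}
    for every search that has at least one action and does not yet have `action`."""
    plan = {}
    for entry in json.loads(response_json)["entry"]:
        content = entry["content"]
        actions = [a for a in content.get("actions", "").split(",") if a]
        if not actions or action in actions:
            continue  # no actions: not targeted; already present: nothing to do
        warning = None
        if content.get("is_scheduled") == "1":
            interval = cron_interval_minutes(content.get("cron_schedule", ""))
            if interval is None:
                warning = "schedule not recognised; confirm it fires at least every 5 minutes"
            elif interval > MAX_INTERVAL_MINUTES:
                warning = "fires every %d minutes; use 5 or fewer to keep payloads small" % interval
        plan[entry["name"]] = {"actions": ",".join(actions + [action]), "warning": warning}
    return plan


def rest_update_body(new_actions):
    """Form body for POST /services/saved/searches/<name>; 'actions' is
    Splunk's comma-separated list of enabled alert actions."""
    return {"actions": new_actions}


if __name__ == "__main__":
    for name, change in plan_bulk_add(SAMPLE_RESPONSE).items():
        print(name, rest_update_body(change["actions"]), change["warning"])
```

Feed it the real output of `| rest /services/saved/searches` (or curl against the REST port) and review the warnings before running addmoogsoftevent; the same plan, with the action removed instead of appended, is the preview for removemoogsoftevent.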
Create real-time alerts option
To create a Real Time alert in order to send an individual set of event data (this is the preferred way to avoid sending large payloads):
Set alerts for the data you want to ingest as defined by your search string (search-query-string).
Click Save As > Alert and specify an alert name.
Configure the alert schedule and select Alert Type as “Real Time”.
Set Alert Actions as “Moogsoft Alert Integration” and specify details.
Specify a search string option
From the Splunk New Search page, specify a search string for sending data to Moogsoft Onprem:
search-query-string | moogsoftevent
For example, to send data in bulk, use the search string:
source="http:test" | moogsoftevent