
Splunk

Fetch Splunk data (commands, alert actions, fired alerts, catalog metrics, search jobs by sid, and more) from Maira workflows. You can also configure a splunk webhook to send events to Maira.

Description

The splunk integration gives you the ability to retrieve your splunk data (commands, alert actions, catalog metrics, search jobs by search-id, etc.) from Maira workflows. You can also configure a splunk webhook to send events to Maira.

Installation

To integrate with splunk, download the splunk enterprise edition and provide your splunk authorization token. Make sure that you are running splunk on localhost and configure it accordingly.

Helm Config

Below is a sample configuration for enabling the splunk integration through the Helm chart values file.

splunk:
  disabled: false
  clusters:
    splunk-default:
      addresses:
        - "https://localhost:8089"
      token: "Bearer <token>"
      tls_config:
        cert_file: ./certs/dev/localhost.crt
        key_file: ./certs/dev/localhost.key
        ca_cert: ./certs/dev/CA.crt
        insecure: true

• the disabled tag can be set to true to temporarily disable the service without removing the config
• multiple clusters can be added under the "clusters" tag
• the "tls_config" tag is optional
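The two settings a reviewer should look at in the values above are the literal token and `insecure: true` under tls_config. The following is an added example, not code from the Maira docs or the Maira project: it parses the Helm snippet with a small YAML-subset parser (standard library only, so it runs offline), lints each cluster for a non-https address, a placeholder token and disabled certificate verification, and then shows that the hardened copy passes. It assumes that `insecure: true` means the server certificate is not verified, which is the usual meaning of such a flag but is not defined on this page; the function names and the constructed replacement token are ours.

```python
# Added example (not part of the Maira docs or the Maira project's code).
# Parses the Helm values snippet for the splunk integration and lints it for
# weak settings. ASSUMPTION: `insecure: true` means "skip server certificate
# verification"; the helper names here are ours, not Maira's.
import copy

# The Helm values from the docs, embedded verbatim so the example runs offline.
HELM_VALUES = """\
splunk:
  disabled: false
  clusters:
    splunk-default:
      addresses:
        - "https://localhost:8089"
      token: "Bearer <token>"
      tls_config:
        cert_file: ./certs/dev/localhost.crt
        key_file: ./certs/dev/localhost.key
        ca_cert: ./certs/dev/CA.crt
        insecure: true
"""


def _scalar(s):
    """Unquote a scalar and map true/false to bool; everything else stays a string."""
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'":
        return s[1:-1]
    if s.lower() in ("true", "false"):
        return s.lower() == "true"
    return s


def parse_yaml_subset(text):
    """Parse the indentation-based subset these configs use: nested mappings,
    scalar values and lists of scalars. Deliberately not a full YAML parser."""
    root = {}
    stack = [(-1, root)]   # (indent of the key that owns the container, container)
    pending = None         # (indent, parent dict, key) whose first child decides dict vs list
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:          # close containers we have dedented out of
            stack.pop()
        if pending is not None:
            key_indent, parent, key = pending
            pending = None
            if indent > key_indent:            # first child: open a list or a mapping
                child = [] if line.startswith("- ") else {}
                parent[key] = child
                stack.append((key_indent, child))
            else:                              # key had no children at all
                parent[key] = None
        container = stack[-1][1]
        if line.startswith("- "):
            container.append(_scalar(line[2:]))
            continue
        key, _, value = line.partition(":")    # first colon splits key from value
        key = _scalar(key)
        if value.strip():
            container[key] = _scalar(value)
        else:
            pending = (indent, container, key)
    if pending is not None:
        pending[1][pending[2]] = None
    return root


def lint_splunk_clusters(config):
    """Return (cluster name, finding) pairs for the weak settings we check."""
    findings = []
    clusters = (config.get("splunk") or {}).get("clusters") or {}
    for name, cluster in clusters.items():
        for addr in cluster.get("addresses") or []:
            if not str(addr).lower().startswith("https://"):
                findings.append((name, f"address {addr} is not https; the bearer token would travel in clear text"))
        token = str(cluster.get("token") or "")
        if "<token>" in token.lower():
            findings.append((name, "token is still the placeholder; no real credential is configured"))
        tls = cluster.get("tls_config") or {}
        if tls.get("insecure") is True:
            findings.append((name, "tls_config.insecure is true: server certificate is not verified (assumed meaning)"))
    return findings


def harden(config, token=None):
    """Return a deep copy with certificate verification enabled for every cluster
    and, if given, a real token substituted for the placeholder."""
    fixed = copy.deepcopy(config)
    for cluster in fixed["splunk"]["clusters"].values():
        cluster.setdefault("tls_config", {})["insecure"] = False
        if token is not None:
            cluster["token"] = token
    return fixed


if __name__ == "__main__":
    cfg = parse_yaml_subset(HELM_VALUES)
    for name, finding in lint_splunk_clusters(cfg):
        print(f"{name}: {finding}")
    # Constructed token value, only to show the hardened copy lints clean.
    print("after hardening:", lint_splunk_clusters(harden(cfg, token="Bearer constructed-example-token")))
```

The `ca_cert` entry already present in the values is what makes `insecure: false` workable: with the CA configured, verification of the localhost certificate succeeds without the flag, so the flag buys nothing except silent acceptance of any certificate. In a real values file the token should come from a secret rather than a literal, but the check above only catches the placeholder left in place.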

Direct Config

Below is a sample direct configuration for enabling the splunk integration.

- name: splunk-default
  addresses:
    - "https://localhost:8089"
  request_headers_add:
    "content-type": "application/json"
    "Authorization": "Bearer <Token>"
  service_name: splunk
  tls_config:
    cert_file: ./certs/dev/localhost.crt
    key_file: ./certs/dev/localhost.key
    ca_cert: ./certs/dev/CA.crt
    insecure: true

Instructions to add a webhook

A Maira client can add a webhook to store events related to splunk, such as reports and alerts of a search job, in Maira. After adding the webhook, a new Maira event is created for every alert action and can be monitored using the event commands. To enable authorization for webhooks in splunk, we have developed a custom webhook app.

1. Download the custom webhook app from https://github.com/pavansubhakar/splunk_alert_webhook.
2. Replace the folder /opt/splunk/etc/apps/alert_webhook with the alert_webhook folder from the above repository and restart the splunk service.
3. Create a new alert in the Search and Reporting app.
4. Configure the alert action to trigger as required to send alerts to Maira.
5. Add the custom webhook under trigger actions.
6. In the dialog box, enter these values:
   - Webhook URL: https://api.demo.maira.io/events/splunk?site=<site-name>
   - Token URL, Client ID, Client secret and custom payload
   - click on Save
   - you can edit the configuration of the alert from the Alerts tab