Splunk

The content type used most often for a Splunk integration is Alert. Some of the other content types may also be usable once Splunk is set up as a Data Source.

We use the following endpoint to export Aisera Alerts (Events):

curl --location --request POST 'https://localhost:8089/services/search/v2/jobs/export' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic c3B....' \
--data-urlencode 'search=search * | head 100' \
--data-urlencode 'output_mode=xml'
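The same export call, written out in Python so the request the curl command builds and the XML that comes back are both visible. This is an added example, not Aisera's or Splunk's own code: it assumes only the endpoint, the form parameters and output_mode shown in the curl command above; the Basic credentials are read from environment variables named here as SPLUNK_USER and SPLUNK_PASS (an assumption), and the sample XML is constructed to mirror the shape of Splunk's export output so the parser can be exercised offline.

```python
"""Export events from Splunk's search export endpoint and parse the XML reply.

Added example (not Aisera's or Splunk's own code). Only the endpoint path,
the 'search' and 'output_mode' form fields and Basic auth come from the page;
everything else (env var names, the sample XML, the TLS toggle) is assumed.
"""
import base64
import os
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SPLUNK_URL = "https://localhost:8089"  # management port used by the page's curl example


def build_export_request(base_url, username, password, search="*", count=100):
    """Return (url, headers, body) equivalent to the page's curl command.

    The SPL is prefixed with the 'search' command and capped with 'head',
    exactly like the page's 'search * | head 100'.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {token}",
    }
    spl = f"search {search} | head {int(count)}"
    body = urllib.parse.urlencode({"search": spl, "output_mode": "xml"})
    return f"{base_url}/services/search/v2/jobs/export", headers, body


def parse_export_xml(xml_text):
    """Turn the <results> document(s) streamed by the export endpoint into dicts.

    Splunk emits one <result> per event; ordinary fields are wrapped as
    <field k=...><value><text>..</text></value> (repeated <value> for
    multi-value fields) while _raw is <field k='_raw'><v>..</v></field>.
    The stream can carry several <results> documents back to back, each with
    its own XML declaration, so declarations are stripped and the whole
    stream is wrapped in one synthetic root before parsing.
    """
    cleaned = re.sub(r"<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring("<stream>" + cleaned + "</stream>")
    events = []
    for result in root.iter("result"):
        event = {}
        for field in result.findall("field"):
            name = field.get("k")
            values = ["".join(t.itertext()) for t in field.findall("value/text")]
            if not values:
                raw = field.find("v")
                values = ["".join(raw.itertext())] if raw is not None else []
            event[name] = values[0] if len(values) == 1 else values
        events.append(event)
    return events


def export_events(username, password, search="*", count=100,
                  base_url=SPLUNK_URL, verify_tls=True):
    """POST the export request and return the parsed events."""
    url, headers, body = build_export_request(base_url, username, password, search, count)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab Splunk still using its default self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_export_xml(resp.read().decode("utf-8"))


# Constructed sample of an export reply (not captured from a real Splunk instance).
SAMPLE_EXPORT_XML = """<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta><fieldOrder><field>_raw</field><field>host</field><field>sourcetype</field></fieldOrder></meta>
<result offset='0'>
<field k='_raw'><v xml:space='preserve'>2024-01-01T00:00:00Z sshd[123]: Failed password for invalid user admin from 10.0.0.5</v></field>
<field k='host'><value><text>auth-01</text></value></field>
<field k='sourcetype'><value><text>linux_secure</text></value></field>
<field k='tag'><value><text>authentication</text></value><value><text>failure</text></value></field>
</result>
<result offset='1'>
<field k='_raw'><v xml:space='preserve'>2024-01-01T00:00:05Z app: health check ok</v></field>
<field k='host'><value><text>web-01</text></value></field>
<field k='sourcetype'><value><text>app_log</text></value></field>
</result>
</results>
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for ev in parse_export_xml(SAMPLE_EXPORT_XML):
        print(ev["host"], ev["sourcetype"], ev["_raw"])
    # Live call against Splunk (credentials via environment; names are assumed).
    user, pw = os.environ.get("SPLUNK_USER"), os.environ.get("SPLUNK_PASS")
    if user and pw:
        for ev in export_events(user, pw):
            print(ev.get("host"), ev.get("_raw"))
```

Keep verify_tls at its default of True for anything other than a throwaway lab instance; the Basic credentials are sent on every export call, so the TLS check is what stops them from being handed to whatever answers on port 8089. The parser also shows why the Field Maps section below matters: every event carries whatever fields the saved search happened to return, and multi-value fields (tag above) come back as lists rather than strings.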

Integration Configuration

To create a new Splunk integration:

  1. Choose Settings > Integration in the Aisera Admin UI.

  2. Click the + New Integration button.

[Screenshot: Choose the Splunk Icon]

  3. Select the Splunk icon.

  4. Add a Name for the integration and type in the endpoint URL.

[Screenshot: Add the Integration Name and Endpoint]

  5. The Splunk integration supports Basic authorization. Provide a username and password. The Port field is required but its value is not used, so you can type any number in it.

[Screenshot: Choose the Auth Type and Add Basic Auth Information]

Data Source Configuration

To create the Splunk Data Source:

  1. Select Settings > Data Source in the Aisera Admin UI.

  2. Click the + New Data Source button.

  3. Search for Splunk.

  4. Choose the Splunk icon.

[Screenshot: Choose the Splunk Icon]

  5. Give the data source a Name, select the Source Type (Upstream or Downstream), choose the name of the Integration you just created (in the previous steps), and set the Schedule configuration.

[Screenshot: Choose the Type, Integration, and Schedule]

  6. Click Next.

  7. Don't enter any values on the Search Query page in the Configuration tab. The Search Query on this page is ignored.

[Screenshot: Ignore the Configuration Tab Variables]

  8. Click OK.

  9. Provide the actual Port Number and the Search Query as an override configuration.

[Screenshot: Override Parameters]

The override configuration shown in the screenshot above is:

{
  "contextParameters": {
    "port": "8089",
    "search_query": "search * | head 100"
  }
}

One easy option to fetch the last 100 events is:

search * | head 100

You can find the official Splunk documentation on SPL2 (the query language that Splunk uses) at the following link: SPL2 Command Quick Reference - Splunk Documentation

Field Maps

The field maps for Splunk Data Sources may need to be manually configured, depending on the schema of the Splunk Alerts. Look at the Field Mapping on the Data Sources page after the Alerts data has been ingested.
