How to send triggered alerts from Splunk App for Unix and Linux to Omnibus tool?

bkondakindi
Path Finder

We have set up the Splunk App for Unix and Linux and we are getting all alerts on the dashboard from all configured hosts.

I have to send these triggered alerts to the OMNIbus tool. Any idea how we can do it from the Splunk side?

0 Karma

jbrodsky_splunk
Splunk Employee

There are many ways to send alerts from Splunk and have OMNIbus create events. One of the simplest ways would be to have Splunk write alert data via a standard alert action, line by line, into a flat file. Then use an OMNIbus flatfile gateway to read that file, take the contents, and create events in the ObjectServer.

The flatfile gateway is lightweight enough that it can sit on a Splunk search head without creating too much overhead.

This has the advantage of using many capabilities native to OMNIbus, such as reliable delivery and store and forward.

Other ways of getting alert data across could be using a command line tool like "logger" to write syslog containing the Splunk alert data, and then using an OMNIbus syslog probe to pull the data in. Or send SNMP traps and use an OMNIbus SNMP probe. Or use Splunk's DB Connect app to write the results of searches to a database table, and have an OMNIbus database gateway bring the data into the ObjectServer. Or have an alert action send to a socket and use an OMNIbus socket probe.

As you can see, there are many ways to do this. If you are going to do much with alert actions, I highly recommend Ron Naken's "Red Alert" app - it's like Lego for Splunk alerting!

0 Karma

jbrodsky_splunk
Splunk Employee

There is not going to be a step-by-step walkthrough of how to do this - it is not "out of the box." I suggest you approach this in stages. First modify one of the alerts to echo data out to a flat file - read about alerting in the Alert Manual, especially the section on "Run a Script." Once you have the alert data written out to a flat file, install an OMNIbus flatfile gateway on your Splunk search head, and have it parse the resulting flat file as input. Create your OMNIbus rules file to suit. By the way, Googling "Splunk Alerts" produces very relevant reading material in the first 3 links.

0 Karma
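The first stage described in both answers above (a "Run a Script" alert action that appends one line per triggered alert to a flat file for the OMNIbus flatfile gateway) could look like the following. This is an added example, not code from the thread, from Splunk or from the OMNIbus product. Splunk's legacy scripted-alert interface passes the event count as `$1`, the saved search name as `$4`, the trigger reason as `$5` and the results URL as `$6`; the output path, the pipe-delimited field layout, the severity-from-search-name convention and the lock-directory name are assumptions of this example, and the gateway's rules file would have to be written to match that layout.

```shell
#!/bin/sh
# Splunk "Run a script" alert action: append one pipe-delimited record per alert
# to a flat file that an OMNIbus flatfile gateway can read. Example code, not the
# thread's or Splunk's own; every path and field layout below is an assumption.

# Hypothetical output path; OMNIBUS_ALERT_FILE overrides it for testing.
OUT_FILE="${OMNIBUS_ALERT_FILE:-/opt/splunk/var/run/omnibus_alerts.txt}"

# Strip record and field delimiters from a value so one alert stays one record,
# even if the trigger reason or search name contains a newline or a pipe.
sanitize() {
    printf '%s' "$1" | tr '\n\r' '  ' | tr '|' '/'
}

# Derive an OMNIbus-style severity (0-5) from a keyword in the saved search name.
# Constructed convention for this example: "CRIT" -> 5, "MAJOR" -> 4, "MINOR" -> 3.
severity_for() {
    case "$1" in
        *CRIT*)  echo 5 ;;
        *MAJOR*) echo 4 ;;
        *MINOR*) echo 3 ;;
        *)       echo 2 ;;
    esac
}

# Build the record: timestamp|host|search name|event count|severity|trigger reason|url
# Arguments: search name, event count, trigger reason, results URL.
build_record() {
    name=$(sanitize "$1"); count=$(sanitize "$2"); reason=$(sanitize "$3"); url=$(sanitize "$4")
    printf '%s|%s|%s|%s|%s|%s|%s' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$name" "$count" \
        "$(severity_for "$name")" "$reason" "$url"
}

# Append one record under a portable mkdir lock, so several alerts firing at the
# same moment cannot interleave partial lines in the file the gateway tails.
append_record() {
    file="$1"; record="$2"; lock="$file.lock"; tries=0
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || return 1   # give up rather than hang the alert action
        sleep 1
    done
    printf '%s\n' "$record" >> "$file"
    rmdir "$lock"
}

# Entry point when Splunk invokes the script with its positional alert arguments.
main() {
    record=$(build_record "$4" "$1" "$5" "$6")
    append_record "$OUT_FILE" "$record"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Splunk runs the script from `$SPLUNK_HOME/bin/scripts` as the splunk user, so the output file must be writable by that user and readable by the gateway; keeping the search, the file and the gateway on the same search head, as the answer suggests, avoids sharing the file over the network.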

bkondakindi
Path Finder

Splunk Team, thanks for the quick update.

Can you please specify the steps? I have alerts on the Splunk App for Solaris and Linux; how do I get those alerts into my OMNIbus tool? Please specify the steps.

0 Karma