
How to send triggered alerts from Splunk App for Unix and Linux to Omnibus tool?

bkondakindi
Path Finder

We have set up the Splunk App for Unix and Linux and we are getting all alerts on the dashboard from all configured hosts.

I have to send these triggered alerts to the Omnibus tool. Any idea how we can do it from the Splunk side?

0 Karma

jbrodsky_splunk
Splunk Employee

There are many ways to send alerts from Splunk and have OMNIbus create events. One of the simplest is to have Splunk write alert data via a standard alert action, line by line, into a flat file. Then use an OMNIbus flatfile gateway to read that file, take the contents, and create events in the ObjectServer.

The flatfile gateway is lightweight enough that it can sit on a Splunk search head without creating too much overhead.

This has the advantage of using many capabilities native to OMNIbus, such as reliable delivery and store and forward.

Other ways of getting alert data out could be using a command line tool like "logger" to write syslog containing the Splunk alert data, and then using an OMNIbus syslog probe to pull the data in. Or send SNMP traps, and use an OMNIbus SNMP probe. Or use Splunk's DB Connect app to write the results of searches to a database table, and have an OMNIbus database gateway bring the data into the ObjectServer. Or have an alert action send to a socket and use an OMNIbus socket probe.

As you can see, there are many ways to do this. If you are going to do much with alert actions, I highly recommend Ron Naken's "Red Alert" app - it's like legos for Splunk alerting!

0 Karma

jbrodsky_splunk
Splunk Employee

There is not going to be a step-by-step walkthrough of how to do this - it is not "out of the box." I suggest you approach this in stages. First modify one of the alerts to echo data out to a flat file - read about alerting in the Alerting Manual, especially the section on "Run a Script." Once you have the alert data written out to a flat file, install an OMNIbus flatfile gateway on your Splunk search head, and have it parse the resulting flat file as input. Create your OMNIbus rules file to suit. By the way, Googling "Splunk Alerts" produces very relevant reading material in the first 3 links.

0 Karma
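As an added example (not code from the thread, Splunk, or OMNIbus), here is what the first stage above can look like: a legacy "Run a script" alert action that appends one line per alert result to a flat file for the OMNIbus side to read, with an optional mirror to syslog for a syslog probe. Splunk's legacy scripted alert interface passes the saved search name as $4, the trigger reason as $5 and the path of the gzipped CSV results file as $8; the output path /var/log/splunk/omnibus_alerts.log, the syslog tag splunk_alert and the pipe-delimited line layout are assumptions you would adjust to match your rules file.

```shell
#!/bin/sh
# Hypothetical Splunk scripted alert action for handing alerts to OMNIbus.
# Splunk invokes it (from $SPLUNK_HOME/bin/scripts or an app's bin/scripts) with
# positional arguments; the ones used here are:
#   $1  number of events, $4 saved search name, $5 trigger reason,
#   $8  path to the gzipped CSV file holding the search results.
# Output path is an assumption; override with the ALERT_FILE environment variable.
ALERT_FILE="${ALERT_FILE:-/var/log/splunk/omnibus_alerts.log}"

# append_alert_lines RESULTS_GZ ALERT_NAME REASON OUT_FILE
# Appends one pipe-delimited line per result row:
#   <UTC timestamp>|<alert name>|<trigger reason>|<raw CSV row>
# The CSV header row is dropped, CRs are stripped, and any '|' inside a row is
# replaced with '/' so the delimiter stays unambiguous for the OMNIbus rules file.
# Returns 1 if the results file is missing or unreadable.
append_alert_lines() {
    results="$1"; name="$2"; reason="$3"; out="$4"
    [ -r "$results" ] || { echo "results file not readable: $results" >&2; return 1; }
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    gzip -dc "$results" | tr -d '\r' | awk -v ts="$ts" -v name="$name" -v reason="$reason" '
        NR == 1 { next }                       # skip the CSV header
        NF == 0 { next }                       # skip blank lines
        { gsub(/\|/, "/"); print ts "|" name "|" reason "|" $0 }
    ' >> "$out" || return 1
    return 0
}

# mirror_to_syslog FILE N
# Sends the last N lines of FILE to syslog (facility local0, tag splunk_alert,
# both assumed) so an OMNIbus syslog probe can pick them up. Silently does
# nothing if logger(1) is not installed.
mirror_to_syslog() {
    command -v logger >/dev/null 2>&1 || return 0
    tail -n "$2" "$1" | logger -t splunk_alert -p local0.warning
}

# Only act when Splunk has supplied its eight positional arguments; sourcing the
# file elsewhere just defines the functions above.
if [ "$#" -ge 8 ]; then
    append_alert_lines "$8" "$4" "$5" "$ALERT_FILE" || exit 1
    mirror_to_syslog "$ALERT_FILE" "$1"
fi
```

The row is passed through raw on purpose: the OMNIbus rules file is the place to map CSV columns to ObjectServer fields, and it needs the column list once, so run the saved search by hand to capture the header before writing the rules. Keep the output file writable only by the Splunk user and readable by the account running the gateway or probe, and rotate it, since nothing in the script truncates it.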

bkondakindi
Path Finder

Splunk team, thanks for the quick update.

Can you please specify the steps? I have alerts in the Splunk App for Solaris and Linux; how do I get those alerts into my Omnibus tool? Please specify the steps.

0 Karma