Introduction

Integrating OpsRamp with Splunk enables IT teams to centralize and analyze critical IT operations data, including alerts, events, and logs, within Splunk’s powerful analytics platform.

This integration allows real-time data ingestion from OpsRamp into Splunk, improving visibility, incident management, and security monitoring. By leveraging Splunk’s advanced search, visualization, and machine learning capabilities, you can gain deeper insights into your IT infrastructure and proactively address issues before they impact business operations.

Key Benefits of OpsRamp-Splunk Integration

  • Real-Time Alert and Log Correlation – Seamlessly stream OpsRamp alerts and logs into Splunk to correlate IT and security events, enabling faster identification of root causes and reducing downtime.
  • Faster Incident Resolution – Leverage Splunk’s analytics alongside OpsRamp’s alert management to automate incident detection and response, significantly lowering mean time to resolution (MTTR).
  • Comprehensive IT Visibility – Integrate OpsRamp data with system logs, network activity, and application performance metrics in Splunk to create a holistic view of your IT infrastructure.
  • Enhanced Threat Detection and Compliance – Enhance security monitoring by feeding OpsRamp alerts into Splunk Security Information and Event Management (SIEM), helping detect threats, mitigate risks, and ensure compliance with industry standards.
  • Intelligent Automation and Response – Use Splunk’s automation capabilities to trigger actions in OpsRamp, such as incident creation, remediation scripts, or team notifications, improving operational efficiency.

Prerequisite

Install Splunk integration

  1. Navigate to Setup → Account. The Account Details screen is displayed.

  2. Select the Integrations tile. The Installed Integrations screen is displayed, with all the installed applications.

  3. If you do not have any installed applications, you are taken to the Available Integrations screen. This screen lists all available applications, including newly added ones, together with their version.
    Note: Use the search option to find the Splunk application. Alternatively, select Events from the All Categories option.

  4. Click ADD in Splunk tile. The SPLUNK (Inbound) screen is displayed.

  5. Enter the following basic details:

    Configure INBOUND communication

    AUTHENTICATION:

    Field Name | Field Type | Description
    Authentication Type | Dropdown | OpsRamp supports APIs with OAUTH2 for Custom. Select OAUTH2.
    Tenant ID | String | Click to generate the Tenant ID.
    Token | String | Use the copy icon to make a note of the token.
    Below is the Curl command to get the Alert data | String | Use the copy icon to make a note of the token.

    MAP ATTRIBUTES: Map Splunk entity attributes with OpsRamp entity.

    1. Click +ADD in the MAP ATTRIBUTES section. The ADD MAP ATTRIBUTES window is displayed.

    2. Enter the following information:

      Field Name | Field Type | Description
      OpsRamp Entity | Dropdown | Select the OpsRamp entity from the dropdown.
      OpsRamp Property | Dropdown | Select the OpsRamp property from the dropdown. The options change based on the entity selected.
      CUSTOM Entity | String | Enter the Custom Entity in the box.
      CUSTOM Property | String | Enter the Custom Property in the box.

      PARSING CONDITION:

      1. Click +ADD and provide the parsing condition:
      2. Select an operator from the dropdown:
        • BETWEEN – Define a range of values.
        • BEFORE – Extracts values occurring before a specified point.
        • AFTER – Extracts values occurring after a specified point.
        • Regex – Uses a regular expression pattern for flexible matching.
      3. Click SAVE.
        • Click +ADD to add more conditions.

      PROPERTY VALUES:

      1. Click +PROPERTY VALUE.
      2. Enter the following information and click SAVE:

      Field Name | Field Type | Description
      SPLUNK Property Value | String | Enter the Splunk property value in the box.
      OpsRamp Property Value | Dropdown | Select a value from the dropdown. The options shown depend on the OpsRamp Property selected above.

    3. Click ADD MAP ATTRIBUTES. The mapped information is displayed in the MAP ATTRIBUTES section.

      • Click +ADD to add additional map attributes.
      • Use the three dots menu to edit or remove the map attributes.
      • Use Filter to filter the map attributes.

    ADDITIONAL SETTINGS: Select the Drop alerts from unmanaged resources checkbox if you do not want to trigger alerts from unmanaged resources.

    ENRICH AND CREATE ALERT: Select a process definition from the dropdown. You can customize the incoming alerts according to the properties defined in the Create Alert process definition.

  6. Click FINISH. The integration is installed.

If the provided information is correct, the integration is saved without errors.

The following table shows attribute mappings:

Third-Party Entity | OpsRamp Entity | Third-Party Property | OpsRamp Property | Third-Party Property Value | OpsRamp Property Value
Event | Alert | result.status | alert.currentState | 200 | Ok
Event | Alert | result.status | alert.currentState | 400 | Warning
Event | Alert | uri_query | alert.serviceName | |
Event | Alert | search_name | alert.description | |
Event | Alert | result.clientip | alert.deviceName | |
Event | Alert | result.req_time | alert.alertTime | |
Event | Alert | search_name | alert.subject | |

Splunk configuration

Step 1: Configure webhook for search and reporting

  1. Log into Splunk Admin UI.
  2. From the left pane of Splunk Cloud Home, click Search & Reporting.
  3. Click Save As and from the drop-down options, click Alert.
  4. Perform the following:
    1. Enter details as required.
    2. For Trigger Actions, click Add Actions and from the drop-down options select Webhook.
    3. For Webhook, enter the server URL to connect.
    4. Click Save.

Step 2: Configure webhook for the monitoring Console

  1. From Splunk Cloud Home, click Settings → Monitoring Console. Use Open in Search for the required statistics, performance, or usage view.
  2. Click Save As and save it as Alert.
  3. Enter the alert details, webhook URL, and save the alert.

Example request payload

{
  "owner": "eswaropsramp",
  "sid": "scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
  "app": "search",
  "results_link": "https://prd-p-kxc7q86hbsqw.cloud.splunk.com/app/search/@go?sid=scheduler__eswaropsramp__search__RMD5a012f6d028c57497_at_1570182600_80",
  "search_name": "Week toDate",
  "result": {
    "method": "GET",
    "cookie": "",
    "Internal": {
      "test": {
        "name": "Test"
      }
    },
    "_kv": "1",
    "clientip": "91.208.184.24",
    "sourcetype": "access_combined_wcookie",
    "_si": [
      "prd-p-kxc7q86hbsqw",
      "main"
    ],
    "date_hour": "8",
    "version": "1.1",
    "_eventtype_color": "",
    "uri_path": "/category.screen",
    "productId": "",
    "date_mday": "2",
    "eventtype": "",
    "itemId": "EST-11",
    "splunk_server_group": "",
    "root": "",
    "uri_domain": "",
    "referer": "http://www.buttercupgames.com/oldlink?itemId=EST-11",
    "timestartpos": "19",
    "file": "category.screen",
    "uri": "/category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
    "splunk_server": "prd-p-kxc7q86hbsqw",
    "user": "-",
    "categoryId": "ACCESSORIES",
    "timeendpos": "39",
    "_cd": "0:201776",
    "bytes": "2396",
    "date_wday": "wednesday",
    "date_zone": "local",
    "ident": "-",
    "index": "main",
    "useragent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)",
    "_serial": "0",
    "_sourcetype": "access_combined_wcookie",
    "_bkt": "main~0~B9626C15-AE58-49B8-8B5B-AF85CD3F65CB",
    "source": "tutorialdata.zip:./www1/access.log",
    "status": "200",
    "tag": "",
    "date_month": "october",
    "_raw": "91.208.184.24 - - [02/Oct/2019:08:47:48] \"GET /category.screen?categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438 HTTP 1.1\" 200 2396 \"http://www.buttercupgames.com/oldlink?itemId=EST-11\" \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)\" 614",
    "linecount": "1",
    "punct": "..._-_-_[//:::]_\"_/.?=&=__.\"___\"://../?=-\"_\"/._(;_",
    "tag::eventtype": "",
    "_time": "1570006068",
    "uri_query": "categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438",
    "date_minute": "47",
    "date_year": "2019",
    "req_time": "02/Oct/2019:08:47:48",
    "host": "127.0.0.1",
    "action": "",
    "other": "614",
    "referer_domain": "http://www.buttercupgames.com",
    "date_second": "48",
    "JSESSIONID": "SD4SL7FF1ADFF50438",
    "_indextime": "1570096125"
  }
}
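The attribute-mapping table and parsing conditions described above, applied to the example payload, as an added Python example (not OpsRamp's or Splunk's code): each Splunk property is resolved from the webhook JSON, an optional BEFORE/AFTER/Regex parsing condition and the property-value map are applied, and the resulting OpsRamp alert fields are returned. The payload is a constructed, trimmed copy of the example above, and the fallback lookup under `result` for property names the table lists without a `result.` prefix is an assumption made to match the table as printed.

```python
import re
# Constructed, trimmed copy of the example webhook payload shown above.
SAMPLE_PAYLOAD = {"search_name": "Week toDate", "result": {
    "status": "200", "clientip": "91.208.184.24", "req_time": "02/Oct/2019:08:47:48",
    "uri_query": "categoryId=ACCESSORIES&JSESSIONID=SD4SL7FF1ADFF50438"}}

# Rows of the attribute-mapping table above as (Splunk property, OpsRamp property, value map,
# parsing condition); the BEFORE condition on uri_query keeps the JSESSIONID out of the alert.
MAP_ATTRIBUTES = [
    ("result.status", "alert.currentState", {"200": "Ok", "400": "Warning"}, None),
    ("uri_query", "alert.serviceName", None, ("BEFORE", "&")),
    ("search_name", "alert.description", None, None),
    ("result.clientip", "alert.deviceName", None, None),
    ("result.req_time", "alert.alertTime", None, None),
    ("search_name", "alert.subject", None, None),
]

def apply_condition(value, cond):
    # Parsing-condition operators from this page (BETWEEN is not modelled here).
    op, arg = cond
    if op == "BEFORE":   # text before the first occurrence of arg
        return value.split(arg, 1)[0]
    if op == "AFTER":    # text after the first occurrence of arg, "" if absent
        return value.split(arg, 1)[1] if arg in value else ""
    if op == "REGEX":    # first capture group of the pattern, "" if no match
        m = re.search(arg, value)
        return m.group(1) if m else ""
    raise ValueError(f"unknown parsing operator: {op}")

def lookup(payload, dotted):
    # Resolve a dotted property; a bare name also falls back to "result" (assumption).
    for root in (payload, payload.get("result", {})):
        cur = root
        for part in dotted.split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is not None:
            return cur
    return None

def map_event(payload, rows=MAP_ATTRIBUTES):
    alert = {}
    for src, dst, value_map, cond in rows:
        raw = lookup(payload, src)
        if raw is None:
            continue
        val = apply_condition(str(raw), cond) if cond else str(raw)
        if value_map is not None and val not in value_map:
            continue  # property value with no OpsRamp mapping: leave the field unset
        alert[dst.split(".", 1)[1]] = value_map[val] if value_map else val
    return alert
```

The BEFORE condition on uri_query shows a practical use of parsing conditions: it drops the JSESSIONID so a live session token is not copied into alert text that everyone with access to OpsRamp alerts can read.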

Next steps

The next step is to install the Streaming Export integration.

  • Install Streaming Export integration

  • To View Splunk-related alerts in OpsRamp:

    1. From Command Center menu, click Alerts.
    2. On the Alerts screen, search with the Source name as Splunk. Related alerts are displayed.
    3. Click an Alert ID to view.