All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to send triggered alerts from Splunk App for Unix and Linux to Omnibus tool?

bkondakindi
Path Finder
‎08-20-2014 10:55 AM

We have setup Splunk App for Unix and Linux and we are getting all alerts on dashboard from all configured hosts.

I have to send these trigger alerts to Omnibus tool. Any idea how we can do it from splunk side?

0 Karma
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎08-20-2014 11:36 AM

There are many ways to send alerts from Splunk and have OMNIbus create events. One of the simplest ways would be to have Splunk write alert data via a standard alert action, line by line, into a flat file. Then use an OMNIbus flatfile gateway to read that file, take the contents, and create events in the Objectserver.

The flatfile gateway is lightweight enough that it can sit on a Splunk search head without creating too much overhead.

This has the advantage of using many capabilities native to OMNIbus, such as reliable delivery and store and forward.

Other ways of getting alert data could be using a command line like "logger" to log syslog containing Splunk alert data, and then use an OMNIbus syslog probe to pull data in. Or traps, and use an OMNIbus SNMP probe. Or use Splunk's DB Connect app to write results of searches to a database table, and have an OMNIbus database gateway bring the data into the Objectserver. Or have an alert action send to a socket and use an OMNIbus socket probe.

As you can see, there are many ways to do this. If you are going to do much with alert actions, I highly recommend Ron Naken's "Red Alert" app - it's like legos for Splunk alerting!

0 Karma
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎08-20-2014 12:07 PM

There is not going to be a step-by-step walkthrough of how to do this - it is not "out of the box." I suggest you approach this in stages. First modify one of the alerts to echo data out to a flat file - read about alerting in the Alert Manual, especially the section on "Run a Script." Once you have the alert data written out to a flat file, install a OMNIbus flatfile gateway on your Splunk search head, and have it parse the resulting flat file as input. Create your OMNIbus rules file to suit. By the way, googling "Splunk Alerts" produces very relevant reading material in the first 3 links.

0 Karma
Reply

bkondakindi
Path Finder
‎08-20-2014 11:54 AM

Splunk Team thanks for quick update.

can you please specify the steps I have alerts on splunk app for Solaris and linux how i get those alerts into my omnibus tool. please specify the steps

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...