How to send Splunk events and alerts to SCOM 2012 without using a script?
I've reviewed every previous response on here, and all are pretty old. The best two being:
- docs.splunk.com/Documentation/Splunk/6.2.5/alert/SendingSNMPtrapstoothersystems
- answers.splunk.com/answers/68372/generate-snmp-trap-from-splunk.html
There must be a better way than relying on PowerShell or Perl to achieve this, yet my research has come up empty. The Splunk Add-on for Microsoft SCOM is for sending SCOM data to Splunk - I need a solution for the opposite: Splunk to SCOM.
Has no one found a viable, non-script, solution for this? I would be happy to use a 3rd party connector/management pack if I could find one.

Hi smbateman,
Greetings from the future.
Recent versions of SCOM allow you to create an email Notification Channel https://docs.microsoft.com/en-us/system-center/scom/manage-notifications-create-email-channel?view=s... that you then have to subscribe to, to get the alerts sent by Splunk using email.
Hope that helps ...
cheers, MuS
Splunk should write events and alerts into the local Windows log files and the SCOM agent will be monitoring the log file and forward the events to the SCOM server.
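One way to implement the approach this answer describes (Splunk writes the alert into a local Windows event log, the SCOM agent forwards it), as an added PowerShell example that is not the poster's, Splunk's or Microsoft's own code. It assumes Splunk runs it as a scripted alert action through a small .bat wrapper, that the legacy positional alert-script arguments are passed in the order shown in the comments, and that the event source name, event IDs and the "[CRIT]" naming convention are ones you choose yourself; the matching SCOM event-collection rule or monitor must be written to look for that source and those IDs.

```powershell
# Added example, not code from the original thread or from Splunk/Microsoft.
# A Splunk scripted alert action for Windows that writes every triggered alert
# into the Windows Application event log under its own source, so a SCOM agent
# rule or monitor watching that log can raise the corresponding SCOM alert.
#
# Assumptions (mine, not confirmed by the thread):
#  - Splunk launches this through a .bat wrapper in $SPLUNK_HOME\bin\scripts:
#      powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0splunk_to_eventlog.ps1" %*
#  - the legacy scripted-alert positional arguments arrive in this order:
#      count, search terms, query, search name, trigger reason, results URL,
#      (deprecated), path to the gzipped CSV of results
#  - the source name 'SplunkAlerts', event IDs 1001/1002 and the "[CRIT]" name
#    prefix are a constructed convention; your SCOM rule has to match them.

param(
    [string]$EventCount,
    [string]$SearchTerms,
    [string]$Query,
    [string]$SearchName,
    [string]$TriggerReason,
    [string]$ResultsUrl,
    [string]$Deprecated,
    [string]$ResultsFile
)

$Source   = 'SplunkAlerts'      # constructed source name
$LogName  = 'Application'
$MaxChars = 30000               # stay under the event-log message size limit
$MaxRows  = 5                   # how many result rows to embed in the event

# The source must be registered before Write-EventLog will accept it, and
# registering needs administrator rights, so do that once at install time:
#   New-EventLog -LogName Application -Source SplunkAlerts
# Here we only verify; a missing source is a setup error worth failing on.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    Write-Error "Event source '$Source' is not registered; run New-EventLog as an administrator first."
    exit 1
}

# Read the header plus a few rows from the gzipped CSV so the SCOM operator
# can see what actually matched without opening Splunk.
function Get-ResultSample {
    param([string]$Path, [int]$Rows)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return '(no results file)' }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $gz = New-Object System.IO.Compression.GZipStream($fs, [System.IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object System.IO.StreamReader($gz)
        $lines = New-Object System.Collections.Generic.List[string]
        while (-not $sr.EndOfStream -and $lines.Count -le $Rows) { $lines.Add($sr.ReadLine()) }
        return ($lines -join "`n")
    } finally { $fs.Dispose() }
}

# Result rows come from log data that an attacker may be able to influence.
# Replace control characters (other than tab/CR/LF) so a crafted field cannot
# smuggle fake lines into the event text, and cap the size so an oversized
# result set cannot make the event write fail.
function ConvertTo-SafeText {
    param([string]$Text, [int]$Limit)
    $clean = $Text -replace '[\p{Cc}-[\t\r\n]]', '?'
    if ($clean.Length -gt $Limit) { $clean = $clean.Substring(0, $Limit) + "`n...[truncated]" }
    return $clean
}

# Constructed severity convention: alert names starting with "[CRIT]" become
# Error events (ID 1002); everything else is logged as a Warning (ID 1001).
if ($SearchName.StartsWith('[CRIT]')) { $EntryType = 'Error';   $EventId = 1002 }
else                                  { $EntryType = 'Warning'; $EventId = 1001 }

$body = @"
Splunk alert fired: $SearchName
Trigger reason : $TriggerReason
Matching events: $EventCount
Search         : $Query
Results URL    : $ResultsUrl
Sample results :
$(Get-ResultSample -Path $ResultsFile -Rows $MaxRows)
"@

Write-EventLog -LogName $LogName -Source $Source -EntryType $EntryType `
    -EventId $EventId -Message (ConvertTo-SafeText -Text $body -Limit $MaxChars)
```

On the SCOM side, an event-based rule targeting the Application log with Source equal to SplunkAlerts and Event ID 1001 or 1002 is what turns these entries into SCOM alerts; keeping the source and ID set small makes that rule easy to write and easy to audit. The script runs under the Splunk service account, so that account needs write access to the Application log but nothing more.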

You're looking for an ETL (extract, transform, load) process. You can call it a "connector" all you want, but the fact remains it will extract data from Splunk, transform it into the proper format for SCOM, and then load it into SCOM. This requires code, whether it is in the form of a "connector" or Perl, or Python, or PowerShell, etc.
If SCOM can support ODBC DSNs, then you can use the Splunk ODBC.
I use ETL tools all the time for data migration and consolidation - mostly analytics use cases - but for my Splunk-to-SCOM requirement, it would not solve it; I need a solution to send real-time events and alerts. The Splunk users/admins are happy, but in my enterprise, SCOM (for good or bad) is responsible for enterprise situational awareness, notifying, and ticket creation/management.
Your point - "This requires code whether if it is in the form of a "connector" or perl, or python, or powershell, etc.." - is spot on, no disagreement whatsoever. We are, however, averse to custom scripting and prefer a connector-ish, management pack-ish solution.
If PS/Perl is what I have to use, so be it, but I was hoping for a preferred method.

😉 I'll convert to comment and who knows, maybe someone else will bring something up.
I think you might be interested in the ODBC deal, but real-time pretty much means you need to get the data from the original source vs. relying on your Splunk infrastructure.

Also, Splunk likes to say it's easy to pull data out of Splunk, but they have every interest in keeping it within and do so very cunningly. You'll find issues pulling data out of Splunk regardless of how you do it.
Instead, they'd rather you replace SCOM with Splunk's "platform", as it will do all the notifications, alerting, etc. too.
