I am very new to Splunk and just attended Splunk Univeristy and Splunk conf.2016 which I found to be very good but left with some questions. We have had thoughts on perhaps replacing OMNIbus with Splunk. From what I can tell so far, it seems that Splunk would not be a good choice to use as an event manager. Am I correct? The Splunk IT Service Intelligence looks very exciting and appears to be the closest thing in Splunk to what OMNIbus does, but I do not see it as something to replace OMNIbus. Has anyone out there actually replaced OMNIbus with Splunk? I would be very interested in hearing thoughts around this.
Thank you!!!
You are generally correct so far. Sounds like you learned a lot last week! 🙂
Core Splunk does not do event management, but ITSI does go there with new features new 2.4 release. In particular, check out the Notable Event Review page in the docs, and I think you'll instantly get the point based on your OMNIbus knowledge.
Also, as @gfuente points out, SNMP is a key data source for most OMNIbus installs. It's not as common for Splunk use cases for many reasons, but customers do use Splunk to ingest SNMP data.
As nsmalley was writing: it all depends.
If you are looking for a software that fits 1:1 to the ITIL Event Management Process and you are willing to maintain it (cost and effort and knowledge): fine. If you need the WebUI functionality like right-click, assign, acknowledge: fine.
Just be aware that maintaining Netcool (and all the components like TIP, Impact, TBSM, ITNM, NCKL, the various other Rulesfiles, SQL Automations, Reporter Gateway,...) is also a BIG effort... and it covers just one use case: Event Management. And the raw data is destroyed in the ETL configuration of the Rulesfiles.
I'm not writing about software costs here.
IMO, replacing the look and feel of Netcool Omnibus plus its WebUI with Splunk 1:1 is something that you should not do.
But talking about the ITIL Processes, I personally believe that the interface between IT Operations Management and the IT Service Management Processes can be done with Splunk without a doubt. And splunkbase even has ready-made integration for example for ServiceNow for this. Plus, the ServiceNow App gives you ideas what else can be done w Splunk... for example reports for Continual Service Improvement.
Note: Yes, I'm with Splunk. Since 1,5 years. And yes: I have a Netcool background... 15 years in various roles. And to be honest: I'd rather be here at Splunk.
Agreed. Netcool is a HUGE effort. We have used it for many years now and are still just scratching the surface. Then again, we also only have a single administrator which is me 🙂
Cost is not addressed here. The question of "could it" seems narrow and the real question is "should it" replace Netcool. I wonder if the answers thus far come from folks who are inclined to use Splunk for everything . . .
To me it seems like I am creating a lot of stuff that exists out-of-the-box with Netcool. And then I have to maintain it . . . and figure out (although it may be trivial) how to digest SNMP and NetFlow, and integrate all the other inbound messages I process with Omnibus into Splunk. Then I have to create a dashboard and all of the other "right-click" functionality that's built into the Web GUI. And then I have to create an separate infrastructure to get syslog data from all the appliances, routers, switches . . .
Has anyone done this because it makes financial sense?
Just because it's possible doesn't mean it's a good idea.
The key thing to understand is "its all about data" !! Once you have all the data, then its just an app to make it for any functionality which could be alert/event-management. In my opinion, you could replace
- event management tools (like Tivoli suite/netcool/scom)
- other agents like pinger,
almost everything..
opportunities are endless once you have access to data.
I really wish I could create an app with Ansible + splunk alongside.. 🙂
Splunk is great for alot of things, Event Management is one of the new budding Capabilities that recently was brought to the forefront via the release of IT Service Intelligence 2.4. The short answer of can it replace Netcool/Omnibus/Webtop etc... is "it depends and does a journey outside of conventional Alert Management make sense to you and your organization". The longer answer is below.
To assure anyone with this question -yes, IT Service Intelligence is a Premium App, however it is built entirely on Splunk Core Concepts and was built from the ground up be used with Splunk Core Capabilities. No bolt on action occurred.
Netcool/Omnibus can indeed dedup events and ITSI 2.4 has this built in to Notable Events Aggregation Policy activities now. Most teams only want to see one event, and also want to see any other subsequent events after the fact, usually for Root Cause Analysis.
Reference: http://docs.splunk.com/Documentation/ITSI/2.4.0/User/HowtocreateAggregationPolicies
Now to the nuts and bolts of what are the dependencies of making a replacement possible.
Splunk is great at taking in datasets in masse and presenting correlations (either through know or through Machine Learning) for YOUR environment from both endpoints and other Tools, like in the description above, SNMP Polling or Receiving. Typically Splunk is not leveraged to do this work, however once mapping of OIDS to MIBS occurs it definitely makes sense to feed this detail into Splunk.
If you choose to use ITSI now this detail can present a much fuller picture when combined with other network, endpoint, APM, RUM, and Application level detail. These activities are then mapped to Technology and/or Business Services <- is what IT Services Intelligence does remarkable well.
I did not know that ITS could aggregate events... darn, that's impressive. This would be a fun project... jealous.
You are generally correct so far. Sounds like you learned a lot last week! 🙂
Core Splunk does not do event management, but ITSI does go there with new features new 2.4 release. In particular, check out the Notable Event Review page in the docs, and I think you'll instantly get the point based on your OMNIbus knowledge.
Also, as @gfuente points out, SNMP is a key data source for most OMNIbus installs. It's not as common for Splunk use cases for many reasons, but customers do use Splunk to ingest SNMP data.
Thank you all for the great information! I do not see this as a replacement either but wanted some other opinions on this as well. Splunk is a strong tool set that we are using and plan to expand on but not in terms of event management. Thank you!!!
It's been a while, so I'm trying to remember...
I have no doubt that Splunk can process the data that NetCool does and probably easier. That said, remember, NetCool "de-dups" events - that concept does not exist within Splunk. And, ITSI is an additional add-on, that you need to purchase. I think the other stuff (webtop, right-clicks, reporter, impact...) could all be replaced. And keep in mind that new data means more licensing - no idea how IBM licenses NetCool these days.
HTH...
I downvoted this post because itsi 2.4+ ships a new feature called notable event aggregation policies which do allow you to aggregate events.
Hello
You will need to redirect al snmp traps to Splunk and use this app
https://splunkbase.splunk.com/app/1537/
Then you could replace Omnibus with this app:
https://splunkbase.splunk.com/app/2665/
Generating alerts with the received traps
Hope it helps