Condensed installation instructions for integrating Splunk and MS Systems Operations Manager (SCOM)

Splunk Employee

Splunk Add-on for Microsoft System Center Operations Manager


Install Splunk Enterprise on a Linux server that will act as Search Head and Indexer (50 GB license).

Install the SCOM-TA on this Splunk instance.
- Turn on receiving on port 9997 (Settings > Forwarding and receiving > Configure receiving).

On a server where SCOM (System Center Operations Manager) runs, install Splunk Enterprise.

- Set up this instance as a Heavy Forwarder
o 1. Log into Splunk Web as admin on the instance that will be forwarding data.
o 2. Click Settings > Forwarding and receiving.
o 3. Under Configure forwarding, click Add new.
o 4. Enter the hostname or IP address of the receiving Splunk instance, followed by the receiving port configured in the previous step (9997 above). To implement load-balanced forwarding, enter multiple host:port pairs as a comma-separated list.
o 5. Click Save.
- Install the SCOM-TA on this Splunk instance.
- Launch the SCOM-TA configuration app.
o In the SCOM TA Inputs section, each input stays disabled until you enable it: edit an input's configuration first, then select "Enable" for each input you wish to collect.
o Specify the SCOM management server (localhost, since this instance runs on it) and the credentials the add-on will use.
o Specify an index. The index that you specify on the heavy forwarder must already be configured on the Indexer before you enable the inputs; otherwise the indexer drops events sent to an unknown index.
o Specify a start date from which to collect data.
o Enable the input.
- It can take a while for events to start showing up in your index.
- For errors that occur when PowerShell calls the SCOM scripts, monitor the add-on's log:
o index=_internal source=*ta_scom.log
o Run this search on the Search Head; by default the heavy forwarder forwards its _internal index along with the SCOM data.

An error that I got while monitoring *ta_scom.log:
- New SCOMManagementGroupConnection Fail: The request was aborted: Could not create SSL/TLS secure channel.
- I followed this Answers post:
- PowerShell uses TLS 1.0 by default, and the Splunk web services were configured to use TLS 1.2. I added the following line to \Splunk\etc\apps\Splunk_TA_microsoft-scom\bin\scom_command_loader.ps1 at line 10 and it fixed the problem:
o [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Another issue that hit me:
- index=_internal source=*ta_scom.log uncovered this message:
o "2018-03-14 15:18:39 -04:00 [ log_level=WARN pid=7916 input=_Splunk_TA_microsoft_scom_internal_used_Events ] Execute command 'Get-SCOMTask' failed. The user IN\xxxxxxxx does not have sufficient permission to perform the operation."
- I switched the credentials (on the SCOM-TA) to a SCOM user that had Database reader access and permissions to launch the SCOM command shell. My original SCOM user did not have the necessary privileges.

Then I had SCOM events showing up in my Indexer.

Another Answers post that provides information on the installation/configuration of SCOM:
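Added example, not part of the original post or of the Splunk add-on: a PowerShell pre-flight script to run on the heavy forwarder host, as the account the TA uses, before enabling the inputs. It exercises the two failure modes described above (the TLS handshake to the SCOM SDK and the Get-SCOMTask permission check) and verifies that the index named in the TA input already exists on the indexer by querying Splunk's REST API on the management port. The indexer hostname, index name, management port and both credentials are assumed placeholders; the script only uses the real OperationsManager cmdlets and the real /services/data/indexes endpoint.

```powershell
# Pre-flight checks for the Splunk_TA_microsoft-scom heavy forwarder host (added example).
# Assumed placeholders: $Indexer, $SplunkIndex, $SplunkMgmtPort and both credentials.
param(
    [string]$ScomServer     = 'localhost',              # SCOM management server the TA connects to
    [string]$Indexer        = 'splunk-idx.example.com', # assumed indexer / search head from step one
    [int]$SplunkMgmtPort    = 8089,                     # Splunk management (REST) port, default value
    [string]$SplunkIndex    = 'scom',                   # assumed index name entered in the TA input
    [pscredential]$ScomCred   = (Get-Credential -Message 'SCOM account the TA will use'),
    [pscredential]$SplunkCred = (Get-Credential -Message 'Splunk admin on the indexer')
)

$ErrorActionPreference = 'Stop'
$failures = @()

# 1. Force TLS 1.2 for this session, the same line the post adds to scom_command_loader.ps1.
#    Older .NET defaults negotiate TLS 1.0 and the SDK connection then fails with
#    "Could not create SSL/TLS secure channel".
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 2. The TA scripts call the Operations Manager cmdlets, so the module must import here.
try {
    Import-Module OperationsManager
} catch {
    $failures += "OperationsManager module not available: $($_.Exception.Message)"
}

# 3. Connect as the account the TA will use and run the cmdlet that failed in the post.
#    An under-privileged SCOM account fails Get-SCOMTask with
#    "does not have sufficient permission to perform the operation".
if (-not $failures) {
    try {
        New-SCOMManagementGroupConnection -ComputerName $ScomServer -Credential $ScomCred
        $null = Get-SCOMTask
        Write-Host "SCOM connection and Get-SCOMTask succeeded as $($ScomCred.UserName)"
    } catch {
        $failures += "SCOM check failed: $($_.Exception.Message)"
    }
}

# 4. The index named in the TA input must already exist on the indexer, otherwise the
#    indexer drops the forwarded events. A missing index returns HTTP 404, which
#    Invoke-RestMethod raises as an exception and the catch block records.
#    Assumes the indexer's management certificate is trusted by this host; on
#    PowerShell 7 add -SkipCertificateCheck for a self-signed certificate.
try {
    $uri  = "https://${Indexer}:${SplunkMgmtPort}/services/data/indexes/${SplunkIndex}?output_mode=json"
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Credential $SplunkCred
    if ($resp.entry.name -ne $SplunkIndex) {
        $failures += "Index '$SplunkIndex' not found on $Indexer"
    } else {
        Write-Host "Index '$SplunkIndex' exists on $Indexer"
    }
} catch {
    $failures += "Index lookup for '$SplunkIndex' on ${Indexer} failed: $($_.Exception.Message)"
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Pre-flight checks passed; safe to enable the SCOM TA inputs.'
```

Run it from an elevated PowerShell session on the heavy forwarder. A failure in step 3 before you enable the inputs saves a round trip through index=_internal source=*ta_scom.log; a failure in step 4 means the index still has to be created on the indexer (for example in indexes.conf) before the SCOM data has anywhere to land.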
