Splunk is an enterprise application that collects data from different sources and aggregates it under one console, giving a more complete picture when troubleshooting or analyzing environments for problems.  Splunk can ingest several log types, including Windows Server event logs, Linux system logs, and application logs.  BMC Remedy products write their own logs to files on the application server, independent of the system logs. Because of this, consuming BMC Remedy logs in Splunk might need additional steps compared to other systems.  Splunk provides all of the tools needed to do this, and BMC does not provide support to execute any of these actions.

The following are high-level steps that you can perform to collect logs from your BMC Remedy servers and push them into Splunk.  If you have questions about these steps, first review Splunk’s Universal Forwarder and Splunk Enterprise documentation (link below), or contact Splunk for more information.

https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/HowtoforwarddatatoSplunkEnterprise

Configure Splunk to Receive Logs (Enable a receiver)

 

1. Log into the Splunk Enterprise Administration Console

2. Click on “Settings -> Forwarding and Receiving”

3. Click “Add New” under the Receive Data section.

4. Provide a port on which to receive the logs, then click “Save”.

5. The Receive summary page then opens.  You can add a new receiver here and review others.  (In a typical production environment, you’ll have several receive ports configured.  Consult your Splunk Administrator if you have questions about which one to use.)

 

Splunk Enterprise is now ready to receive data from a new Splunk Forwarder.  If for any reason the Splunk Server is not working, please contact Splunk as this is their application.  BMC will not provide support for this product and this documentation is provided AS IS, as a courtesy.

 

 

Install Splunk Forwarder On Same Server As Remedy AR System Server

 

1. Start the Splunk Forwarder installer.  Read and accept the License Agreement from Splunk.  Choose whether you’re using Splunk On-Premise or Splunk Cloud, then click “Customize Options”.

2. Choose the install location and click “Next”.

3. Configure the SSL certificates based on your organization’s configuration, then click “Next” to continue. If you have questions, ask your Splunk Admin.

4. Select the type of account to use by the Splunk Forwarder application.

5. Choose what data you want to be sent to the Splunk Server by the Forwarder.  For the purposes of Remedy AR System, you’ll need to select the DIRECTORY of your “DB” folder. After this is configured, click “Next”.

6. Configure the Splunk Administrator account, click “Next”.

7. Configure your Deployment Server.  This should be the Splunk Server’s configuration process.  If you don’t know this information, contact your Splunk Administrator. Click “Next” to continue.

8. Configure your Splunk Forwarder to send the data to the Receiver we created before.  Click “Next” to continue.

9. Click “Install” to proceed with the installation of the Splunk Forwarder.

10. Once the installation is complete, the forwarder is configured and running as needed for a Remedy AR System Server instance.  Click “Finish” to end the installation.

 

If for any reason the forwarder is not working, please contact Splunk as this is their utility. BMC will not provide support for this product and this documentation is provided AS IS, as a courtesy.

Consume Remedy Logs in Splunk

 

1. Log into the Splunk Enterprise Administration Console


2. Click “Settings -> Add Data” to open the “Add Data” wizard.


3. Choose the method to gather logs with.  To collect logs from the Remedy AR System Server, use a Splunk Forwarder by clicking “Forward” in the “Or get data in with the following methods” section.


4. In the “Select Forwarders” section, choose the forwarder that you want to collect from, and give it a New Server Class Name.  In this example, we’re going to select the server “clm-aus-tt8f8w” and give it the new name “REM1908”, as this is a Remedy 19.08 system.  Click “Next” to move to the next section.  You can choose whatever Server Class name you want; just make sure it is relevant to your scenario and that you can easily remember and use it.


5. Choose the source as “Files & Directories”, and choose the file you want to consume. In this example, we’re going to consume the armonitor.log file.  You can choose to set up a whitelist or blacklist if desired.  Click “Next” to continue to the next section.


6. Choose the Source Type as a “New” option and then fill out the source information as needed. If you have questions about what to select, contact your Splunk Admin. Then choose an index for use with this application.  If you need to create one, contact your Splunk Administrator.  Click “Review” to continue to the next section.


7. Once you review and confirm the settings, click “Submit” to finish the log collection.


8. Once you’ve clicked “Submit”, Splunk starts indexing the logs.  This might take some time the first time you do it. Additionally, you can start to groom the data to make better use of it.

This includes extracting fields, adding additional data, and building dashboards.  You can do all of these from the final page.

Splunk Enterprise is now receiving data from the Splunk Forwarder installed on the Remedy Server. If for any reason the Splunk Server is not working, please contact Splunk as this is their application.  BMC will not provide support for this product and this documentation is provided AS IS, as a courtesy.
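
For reference, the three procedures above correspond roughly to the following Splunk configuration file stanzas. This is an added example, not part of the original BMC article or Splunk's documentation for this setup; the port 9997, the receiver hostname, the output group name, the index name, the sourcetype name and the <REMEDY_DB_DIR> path are all placeholders or assumptions. When the input is created through the “Add Data” wizard, Splunk delivers the equivalent inputs.conf to the forwarder for you.

```ini
# --- Receiver (Splunk Enterprise server): inputs.conf ---
# Equivalent of "Settings -> Forwarding and Receiving -> Add New".
# 9997 is an assumed port; use the one your Splunk Administrator assigns.
[splunktcp://9997]
disabled = 0

# --- Forwarder (Remedy AR System server): outputs.conf ---
# Points the forwarder at the receiver above.
# The group name and hostname are placeholders.
[tcpout]
defaultGroup = remedy_receivers

[tcpout:remedy_receivers]
server = splunk-receiver.example.com:9997

# --- Forwarder (Remedy AR System server): inputs.conf ---
# Monitors the Remedy "DB" folder. <REMEDY_DB_DIR> is a placeholder for
# the full path of that folder on your server.
# The whitelist is a regex matched against the full file path; here it
# limits forwarding to armonitor.log so that nothing else stored in the
# folder leaves the server. Widen it deliberately, one log at a time.
# The index and sourcetype names are hypothetical; the index must
# already exist on the Splunk server.
[monitor://<REMEDY_DB_DIR>]
whitelist = armonitor\.log$
index = remedy
sourcetype = remedy:armonitor
disabled = 0
```

Keeping the monitor input restricted with a whitelist, rather than forwarding the whole directory, also keeps the Remedy index limited to data you have decided to retain and grant search access to.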