3 Replies Latest reply on Jul 30, 2020 5:24 PM by Alejandro Cortes

    Did anyone forward events from the TrueSight cell to Splunk?

    ABHAY BHAGAT

      Dear Experts,

      Did anyone forward events from the TrueSight cell to Splunk?

      Or what is the best possible way to achieve the same?

        • 1. Re: Did anyone forward events from the TrueSight cell to Splunk?
          Kaushik KM

          Hi ABHAY BHAGAT,

          Creating a small shell script which calls curl and makes an HTTP POST call to the Splunk HEC (HTTP Event Collector) would be the right option!

          A simple get_external call within a refine rule would do the job.

          I will try it in my lab and update you further.

          Hope the idea helps!

          Thank you,

          Kaushik KM

          • 2. Re: Did anyone forward events from the TrueSight cell to Splunk?
            Kaushik KM

            Hello ABHAY BHAGAT,

             

            Please find below the steps of what I tried:

            1. Create an index, or ask your Splunk admin to create one for you; in my case I created "lcl_test".

            2. Set up an HTTP Event Collector, get the token, and map the index which you created before.

            3. Use curl to post the JSON payload from the TrueSight server/remote cell server to the HEC endpoint.

            Please find the screenshots and details below:

            1) Set up HEC:

            2) Setup at the BMC side:

            Set up your shell script under the dir (I am using Linux):

            pw/server/etc/<cell>/kb/bin/l

            vi send_to_splunk

            =========================shell script==================================
            #!/bin/bash
            #
            # Slot values of the triggering event arrive as environment variables (mc_host, msg, mc_parameter, mc_ueid).
            body={\"host\":\"${mc_host}\",\"sourcetype\":\"test_hec\",\"source\":\"test\",\"event\":{\"message\":\"${msg}\",\"parameter\":\"${mc_parameter}\"}}
            # Note: a slot value containing a double quote still breaks this JSON; escape slot values before embedding them.
            echo "${body}" >> /tmp/splunkpayload
            # -k disables TLS certificate verification (lab use only), and the HEC token is a credential: keep this file readable only by the cell's account.
            # "${body}" must be quoted: unquoted, a message containing spaces is split into several arguments and the POST breaks.
            /usr/bin/curl -k https://<YOURSPLUNKHOST>:8088/services/collector/event -X POST -H "Authorization: Splunk 42f20dcf-49fc-47c6-8396-1e869c229260" -d "${body}" >> /app/bmc/remcell/pw/server/etc/YOURCELL/kb/bin/l/splunk_execution_result.txt
            # Capture curl's exit status right away so that later commands cannot overwrite it.
            rc=$?
            # Add logic here for failure and success detection and logging and actions.
            if [[ $rc != 0 ]];
            then
            echo "Failed: $mc_ueid" >> /app/bmc/remcell/pw/server/etc/YOURCELL/kb/bin/l/Splunk_error_alerts.txt
            else
            echo "Success Splunk Curl executed : $mc_ueid" >> /app/bmc/remcell/pw/server/etc/YOURCELL/kb/bin/l/Splunk_success_alerts.txt
            fi
            ========================================shell script===================================================

             

            =========================================Interface class definition=========================================
            MC_INTERFACE: MYINTERFACECLASS
            DEFINES
            {
              splunk:  STRING,  default='Not available';
            };
            END
            ======================================================================================================

            ===========================================MRL========================================================
            refine send_to_splunk: EVENT ($EV)
            where [ $EV.status != 'CLOSED']
            {
                   ntadd($EV,'cellname : Executing send_to_splunk to forward events to splunk');
                   get_external(send_to_splunk,[],MYINTERFACECLASS,$SPLUNK);
                   ntadd($EV,'cellname : After get_external');
            }
            END
            =======================================MRL==============================================================

             

            3) Alerts found in the Search Head:

            Note: Please adjust the syntax of the shell script and make the necessary changes, if required, to get the slot values, which you access as environment variables.

            You can also add whichever slots you want to the body variable.

             

             

            Thank you,

            Kaushik KM
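A hardened version of the forwarder described in this answer, added here as an example and not part of the original post: slot values are JSON-escaped before they are embedded in the HEC payload, the token is read from a file instead of the script body, TLS is verified, and HTTP errors are reported. It assumes the same slot environment variables as the post (mc_host, msg, mc_parameter, mc_ueid); HEC_URL, HEC_TOKEN_FILE, HEC_CA_BUNDLE and LOG_DIR are hypothetical settings the operator provides.

```shell
#!/bin/sh
# Added example, not the post's script: a hardened send_to_splunk replacement.
# Assumptions: the cell exports slot values as environment variables
# (mc_host, msg, mc_parameter, mc_ueid) as in the post; HEC_URL, HEC_TOKEN_FILE,
# HEC_CA_BUNDLE and LOG_DIR are hypothetical settings supplied by the operator.

# Escape a slot value for use inside a JSON string (backslash, double quote,
# tab, carriage return, newline). Without this a message containing a quote
# breaks the payload, or lets whoever wrote the event inject extra HEC fields.
json_escape() {
  tab=$(printf '\t')
  cr=$(printf '\r')
  printf '%s' "$1" | sed \
    -e ':a' -e '$!{N;ba' -e '}' \
    -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    -e "s/$tab/\\\\t/g" -e "s/$cr/\\\\r/g" \
    -e 's/\n/\\n/g'
}

# Build the HEC event payload from host, message and parameter.
build_hec_payload() {
  printf '{"host":"%s","sourcetype":"truesight_cell","source":"cell","event":{"message":"%s","parameter":"%s"}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# POST one payload. The token comes from a mode-0600 file instead of the
# script body, TLS is verified against an explicit CA bundle (no -k), and
# --fail turns an HTTP 4xx/5xx into a non-zero exit so the caller can log it.
send_to_hec() {
  token=$(cat "$HEC_TOKEN_FILE") || return 1
  curl --silent --show-error --fail \
    --cacert "$HEC_CA_BUNDLE" \
    -H "Authorization: Splunk $token" \
    -H 'Content-Type: application/json' \
    --data "$1" \
    "$HEC_URL"
}

main() {
  payload=$(build_hec_payload "${mc_host:-unknown}" "${msg:-}" "${mc_parameter:-}")
  if send_to_hec "$payload"; then
    printf 'Success: %s\n' "$mc_ueid" >> "$LOG_DIR/Splunk_success_alerts.txt"
  else
    printf 'Failed: %s\n' "$mc_ueid" >> "$LOG_DIR/Splunk_error_alerts.txt"
  fi
}

# Sends only when get_external exported the slots; otherwise only definitions load.
if [ -n "${mc_ueid:-}" ]; then main; fi
```

The escaping covers the characters that commonly appear in event text; other control characters below 0x20 would still need escaping for strict JSON.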

            • 3. Re: Did anyone forward events from the TrueSight cell to Splunk?
              Alejandro Cortes

              Hi,

               

              Good one, Kaushik KM! Excuse me, do you know of any way to send Splunk alerts or notifications to the TrueSight cell, or via the REST API?

               

              Regards

               

              Alejandro Cortes