How can we help?
Table of Contents
< All Topics
Print

Splunk Integration with WatchMyDC®

PostedJanuary 7, 2023
UpdatedJanuary 7, 2023
Bywatchmydc

Introduction

This document describes the process of Splunk integration method with WatchMyDC®. The Splunk Enterprise version 8.2.3.3 (build e40ea5a516d2) is used while creating this document.

Dependencies

  1. The WatchMyDC® Notifier is required for this integration. The notified is a dedicated app for Splunk integration with WatchMyDC®. Customers can download the app from this URL and store it on the user PC.
  2. WatchMyDC® Collector status should be ‘online’ and the user needs the below information from the WatchMyDC® Dashboard:
    • Organization ID
    • Collector IP Address
  3. Port TCP/5050 needs to be open on the direction from the Splunk Enterprise towards the WatchMyDC® Collector.
  4. Please follow this document to bring the WatchMyDC® Collector online.

Splunk Integration Procedure

Configuration on the WatchMyDC® Dashboard

  1. Login to WatchMyDC® Dashboard and select a Site and Network/Data Center
  2. Navigate to Configuration Center and then App Synchronization page
splunk integration

3. Click on the Splunk icon, and then click to generate the Webhook Secret, copy the key.

Configuration on the Splunk Enterprise User Interface

  1. Login to the Splunk Enterprise and click App settings icon:
splunk enterprise

2. Click on the ‘Install app from file’:

splunk integration

3. Browse the WatchMyDC Notifier app:

splunk integration

4. WatchMyDC Notifier app will be seen in the Apps list:

splunk integration

5. Click on Set up:

splunk integration

6. Set below parameters on required fields:

  • WatchMyDC Collector Webhook Receiver: ‘{your collector IP}:5050’
  • Organization ID: your Organization ID, collected from Organization Settings or Configuration Center > Collector page
  • Webhook Secret: Collected from the Step#3 on this document

7. Click on Permissions, set required permissions. On this document we have set Read/Write permission to Everyone

Further Actions

  1. Below example demonstrates the procedure to create a Trigger Action in Splunk. One Apache Unix server with Splunk Universal Forwarder has been setup to send Apache error logs to Splunk Index server. 
    • Navigate to Splunk Search & Reporting app
    • Make a search query, below is an example to search for Apache service ‘shutting down’ state, save the query using Save As.
index="10-23_os_log" sourcetype=apache_log shutting

Engage WatchMyDC Notifier with the subject search result as seen below:

splunk integration
splunk integration

As soon as the alert hits the Splunk, it sends the Webhook message to WatchMyDC®. The below image is from the Splunk Enterprise: 

splunk integration

The below message appears in WatchMyDC®:

splunk integration

2. Customers are able to create an Alert Definition on WatchMyDC® from the Action Center by engaging Automation playbooks.

A detail demonstration video will be published very soon!