Splunk Configuration

You configure ObserveIT TA to reach the ObserveIT REST API and retrieve report data.

Creating Application in ITM On-Prem

To integrate ITM On-Prem with Splunk using the RESTful API, you register an application that is used to authenticate access. OAuth2 is the method of authenticating access to the ObserveIT RESTful API.

This procedure describes how to generate a token that you use when you configure ObserveIT TA for Splunk.

  1. From the ITM On-Prem (ObserveIT) Web Console, click the ? icon in the upper-right corner and select Developer Portal from the menu.

    If the Developer Portal is not installed by default, you will be prompted to install it.

  2. From the Developer Portal, select Credentials and then click the Create App button.


    The Create Application dialog box displays. This is where you register the application.

  3. Do the following:

    1. In the Application Name field, enter a name. It is recommended that you choose a name you can recognize, such as Splunk, Splunk1, etc.

    2. In Allowed Grants, check Client Credentials.

    3. Click Save and the application is added to the list.

  4. Click the application you just created. The dialog box for generating a token displays.


    Note the Client ID and Client Secret values. You will enter them into the configuration screen of the Splunk add-on.

Creating New Index for ObserveIT (example “oit” index)

  1. Create a new index from the Indexes screen.

  2. Click New Index and the New Index dialog box opens.

  3. Provide an Index Name. In the example, the new index is "oit".

    In the example below, you can see the button to create the New Index (example "oit").

Configuring ObserveIT TA for Splunk

This procedure describes the registration process in Splunk.

Your ObserveIT instance(s) need to be registered in the Splunk Technology Add-on (TA). The access token (obtained with the Client ID and Client Secret you generated in the ObserveIT Developer Portal) will be used to authenticate with the API.

If you would like to store ObserveIT events in their own index, create it on the indexer before following these configuration steps.

  1. Open the ObserveIT TA app in Splunk and click Create New Input.

  2. Complete the Add ObserveIT API dialog box.

    1. Enter a unique Name that represents the ObserveIT instance, for example the hostname (such as Splunk).

    2. In the Interval and Events Pagination fields, enter the values you want. Make sure that their combination is sufficient to ingest your anticipated event rate.

    3. The Reports API URL is formatted as:

      https://<hostname>:<port>/v2/apis/report;realm=observeit/reports

    4. In the Client ID and Client Secret fields, enter the values you copied when the application was created in ObserveIT. (See: Creating Application in ITM On-Prem.)

    5. To include existing events on your system, in the Historical Data To Pull field, select the time period you want to go back to. Select None, if you want only new events to be loaded.

    6. Select Reports to Collect.

  3. The input requires a CA certificate (mandatory). You must provide the path to the CA certificate chain file, relative to $SPLUNK_HOME. Default CA certificates are used if no file name is provided. For example, the certificate file name is: cer\itmdemo-sales-demo-ca.cer.

    1. Upload the CA certificate chain file to the Splunk server. The file should be saved in a directory under /opt/splunk and should be readable by the user running the Splunk service.

    2. Update the input configuration and specify the relative CA certificate path (e.g. if you have saved the chain file as /opt/splunk/etc/auth/mychain.pem, then the input value should be etc/auth/mychain.pem).

  4. Choose the reports you want to load in Splunk:

  • UI Activities: User interface activity events from Windows or Mac agents

  • Command Activities: Commands run on UNIX agents

  • Alerts: Alert events from all agents

This is a less secure option and should not be used in production.
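The following is an added example, not code from ObserveIT, the ITM On-Prem TA or this documentation. It shows, in plain Python, what the configuration steps above amount to: the Reports API URL shape, the OAuth2 client-credentials request built from the Client ID and Client Secret issued by the Developer Portal, the CA chain path given relative to $SPLUNK_HOME (which must exist and be readable by the Splunk service user), a TLS context that always verifies the server against that chain, and a sanity check that Interval and Events Pagination can keep up with an anticipated event rate. The token endpoint path, the hostname, the credentials and the capacity model (at least one page fetched per interval) are assumptions made for the example, not values or behaviour documented for the product.

```python
"""Added example for the ObserveIT TA configuration steps (not product code).
Assumed values: the token endpoint path, hostname and credentials below are
constructed placeholders; the capacity model assumes one page per interval."""
import base64
import os
import ssl
import urllib.parse


def build_reports_url(hostname: str, port: int) -> str:
    """Reports API URL in the form shown in the procedure above."""
    return f"https://{hostname}:{port}/v2/apis/report;realm=observeit/reports"


def build_token_request(token_url: str, client_id: str, client_secret: str):
    """OAuth2 client-credentials grant (RFC 6749 section 4.4).

    The client authenticates with HTTP Basic (Client ID / Client Secret) and
    requests a token. The request is only built, not sent, so it runs offline.
    Returns (url, headers, body).
    """
    creds = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"})
    return token_url, headers, body


def resolve_ca_chain(splunk_home: str, relative_path: str) -> str:
    """Turn the $SPLUNK_HOME-relative CA path into an absolute path and fail
    early if the file is missing or not readable by the current user.
    An absolute path is rejected because the input expects a relative one."""
    if os.path.isabs(relative_path):
        raise ValueError(f"CA path must be relative to SPLUNK_HOME: {relative_path}")
    full = os.path.join(splunk_home, relative_path)
    if not os.path.isfile(full):
        raise FileNotFoundError(f"CA chain file not found: {full}")
    if not os.access(full, os.R_OK):
        raise PermissionError(f"CA chain file not readable by this user: {full}")
    return full


def tls_context_for(ca_chain_path: str) -> ssl.SSLContext:
    """TLS context with verification always on; the supplied chain is the only
    trust anchor, so a server presenting another certificate is rejected."""
    ctx = ssl.create_default_context(cafile=ca_chain_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def polling_capacity(interval_seconds: float, events_per_page: int) -> float:
    """Conservative floor on events/second the input can ingest, assuming at
    least one page of `events_per_page` is fetched every `interval_seconds`."""
    if interval_seconds <= 0 or events_per_page <= 0:
        raise ValueError("interval and pagination must be positive")
    return events_per_page / interval_seconds


def settings_keep_up(interval_seconds: float, events_per_page: int,
                     expected_eps: float) -> bool:
    """True when Interval / Events Pagination cover the anticipated rate."""
    return polling_capacity(interval_seconds, events_per_page) >= expected_eps


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    url = build_reports_url("oit.example.internal", 443)
    token_url, headers, body = build_token_request(
        "https://oit.example.internal/token", "example-client-id", "example-secret")
    print(url)
    print(token_url, body)
    print("capacity ok:", settings_keep_up(60, 1000, expected_eps=10))
```

Run it as a script to print the assembled URL and request, or import the functions into a pre-flight check that runs as the Splunk service user before the input is saved, so that an unreadable chain file surfaces as a clear error rather than a failed TLS handshake later.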