Splunk - Alerting Extension

Use Case

Splunk (www.splunk.com) indexes and makes searchable data from any application, server or network device in real time, including logs, configuration files, messages, alerts, scripts and metrics.

Prerequisites

  1. The Splunk user needs the edit_tcp permission to post events to Splunk

Installation Steps

  1. Find the zip file at 'splunk-alerting-extension.zip'

  2. Unzip the splunk-alerting-extension.zip file into /custom/actions/. You should now have /custom/actions/splunk-alert created.

  3. Check whether a custom.xml file already exists in the /custom/actions/ directory. If it does, add the following XML inside the <custom-actions> element.

        <action>
            <type>splunk-alert</type>
            <!-- For Linux/Unix *.sh -->
            <executable>splunk-alert.sh</executable>
            <!-- For Windows *.bat -->
            <!--<executable>splunk-alert.bat</executable>-->
        </action>

    If you don't have a custom.xml already, create one with the XML content below:

        <custom-actions>
            <action>
                <type>splunk-alert</type>
                <!-- For Linux/Unix *.sh -->
                <executable>splunk-alert.sh</executable>
                <!-- For Windows *.bat -->
                <!--<executable>splunk-alert.bat</executable>-->
            </action>
        </custom-actions>

    Uncomment the executable tag that matches your platform (splunk-alert.sh on Linux/Unix, splunk-alert.bat on Windows) and comment out the other one.

Setting up config.yml file

A sample config.yml file is included in splunk-alert/conf.

  1. Edit the config.yml file to add information that allows the Controller to communicate with Splunk.
        
        # Host at which Splunk is reachable
        host: localhost
        # Port at which Splunk is reachable
        # Use the management (admin) port, which is 8089 by default.
        port: 8089
        # Splunk username
        username: admin
        # Splunk password: provide either password, or passwordEncrypted together with encryptionKey.
        password: admin

        passwordEncrypted:
        encryptionKey:

        # Proxy server URI
        proxyUri:
        # Proxy server user name
        proxyUser:
        # Proxy server password
        proxyPassword:

        # Index name; the index must already exist in Splunk
        index: appdynamics_events
        # Source type
        sourceType: events

Note: An index with the configured index name must already exist in Splunk; the extension does not create it.
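As an added example (not the extension's own code), the following stand-alone Python reads a config.yml laid out like the one above, enforces the password / passwordEncrypted + encryptionKey rule, and builds, without sending it, the HTTP POST for one event to Splunk's standard /services/receivers/simple endpoint on the management port with the configured index and sourcetype. The sample config is constructed, the function names are my own, and whether the extension itself uses this particular endpoint is not stated on this page.

```python
import base64
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample mirroring the config.yml layout above (not the shipped file).
SAMPLE_CONFIG = """\
host: localhost
port: 8089          # Splunk management port
username: admin
password: admin
passwordEncrypted:
encryptionKey:
index: appdynamics_events
sourceType: events
"""
REQUIRED = ("host", "port", "username", "index", "sourceType")

def parse_config(text):
    """Flat 'key: value' parser; blank values stay '' so 'unset' differs from 'missing'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (values with '#' unsupported)
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        cfg[key.strip()] = value.strip()
    return cfg

def credential_mode(cfg):
    """Require every key in REQUIRED, and password OR passwordEncrypted+encryptionKey."""
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        raise ValueError("missing config keys: " + ", ".join(missing))
    if cfg.get("password"):
        return "plaintext"
    if cfg.get("passwordEncrypted") and cfg.get("encryptionKey"):
        return "encrypted"
    raise ValueError("set password, or passwordEncrypted and encryptionKey")

def build_event_request(cfg, event_text, password):
    """Build the POST to /services/receivers/simple over HTTPS; the caller sends it."""
    query = urlencode({"index": cfg["index"], "sourcetype": cfg["sourceType"]})
    url = "https://%s:%s/services/receivers/simple?%s" % (cfg["host"], cfg["port"], query)
    creds = base64.b64encode(("%s:%s" % (cfg["username"], password)).encode()).decode()
    return Request(url, data=event_text.encode(), method="POST",
                   headers={"Authorization": "Basic " + creds})
```

The password is passed in separately so a caller using passwordEncrypted can decrypt it first and the request builder never needs to see the key.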

Installing Custom Actions:

To create a Custom Action, first refer to the following topics (requires login):

Now you are ready to use this extension as a custom action. In the AppDynamics UI, go to Alert & Respond -> Actions. Click Create Action. Select Custom Action and click OK. In the drop-down menu you can find the action called 'splunk-alert'.


Contributing

Always feel free to fork and contribute any changes directly here on GitHub.


Support

For any questions or feature request, please contact AppDynamics Center of Excellence.


Version:

3.9.2

Compatibility:

4.x

Splunk Version:

6.2.0, 6.3.2, 6.3.3

Last Update:

09 Sep 2016


Note: This extension works only with a dedicated SaaS controller or an on-prem controller. Alerting extensions currently do not support multi-tenant SaaS controllers.


Release Notes:

  • Version 3.7.2 (06/25/2014)

    1) Updated the Splunk libraries to fix the custom event posting issue

  • Version 3.8.1 (08/07/2015)

    1) Added support for 4.x controllers

  • Version 3.8.2 (11 Feb 2016)

    1) Fixed multiple ad_affected_entity_name values in the posted event by adding ad_evaluation_entity_name

  • Version 3.9.0 (15 Mar 2016)

    1) Switched to the Splunk REST API for posting events and removed the Splunk and Splunk logging libraries

    2) Replaced .splunkrc with the config.yml

  • Version 3.9.1 (25 Aug 2016)

    1) Config cleanup and proxy support

  • Version 3.9.2 (09 Sep 2016)

    1) Added a root logger in log4j.xml