Creating tickets with Splunk

A lot of people have asked me recently how Splunk integrates with other products and solutions. While getting data INTO Splunk is a fairly simple process, accessing your data from another system seems to leave some admins a bit confused. There are a number of reasons why some of our users want to export or push their data into another system, but the most common one I hear of is integration with a ticket or incident management system. So how do you do this? There are three ways to access your data, and they all start with ‘Alerts’ (this is where you set up a search and have it execute an external script or process).

The first step is determining exactly what you want to push out, and this is handled with a saved search (if used for ticketing, obviously it would be set to real-time). For example, I may write a search that looks for Windows systems whose CPU is averaging higher than 90% for more than 5 minutes (or just use the Windows app!). I would need to determine which fields my ticketing system needs, so perhaps I use a table to sort the host, CPU average, and other information (perhaps assigning a severity).

With that search created, I can go one of three ways. The first is by launching a script, by setting up an alert on the search. What may seem counter-intuitive to some is that Splunk does not pass the results of the search directly to the 3rd party script. What it does do is pass the location of the results, which can be accessed either by reading the file that the results are stored in, or by accessing the saved search via the API. You can read more about that here.

Ideally, you would create a tiny script that reads the results from Splunk by accessing the search (and its results) via the API, parses the information, and then passes the extracted data to your 3rd party system's API.
An alternative to this approach is to use a script that captures the file location on the Splunk server, parses through that file (or files), and runs a for/while loop over each result.
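Here is an added example (not from the original post, and not Splunk's own code) of the file-based variant: a small Python alert script that opens the results file Splunk hands it, loops over every row, and builds one ticket payload per result. It assumes the legacy alert-script calling convention, where argument 8 (also exposed as the SPLUNK_ARG_8 environment variable) is the path to the gzipped CSV of results and argument 4 is the saved-search name; the field names host, avg_cpu and severity are the ones a search like the one above might table, and the ticketing API is not called, the payloads are simply returned. The sample results file is constructed inline so the script runs offline.

```python
"""Added example (not from the original post): a minimal Splunk alert script that
reads the results file Splunk passes to the script, loops over each row and builds
one ticket payload per result.

Assumptions (labelled): legacy alert scripts receive the gzipped CSV results path
as argv[8] (also SPLUNK_ARG_8) and the saved-search name as argv[4]; the ticketing
system's API is not called here, payloads are returned so they can be checked.
Field names (host, avg_cpu, severity) are the ones the search above might table.
"""
import csv
import gzip
import io
import os
import sys
import tempfile

# Only these fields are copied from search results into a ticket; anything else
# that ended up in the result row is dropped rather than forwarded downstream.
ALLOWED_FIELDS = ("host", "avg_cpu", "severity")


def load_results(path):
    """Read Splunk's gzipped CSV results file and return a list of row dicts."""
    with gzip.open(path, "rt", newline="") as fh:
        return list(csv.DictReader(fh))


def severity_for(avg_cpu):
    """Map an average CPU percentage to a ticket priority (P1 is the highest)."""
    cpu = float(avg_cpu)
    if cpu >= 95:
        return "P1"
    if cpu >= 90:
        return "P2"
    return "P3"


def build_ticket(row, search_name):
    """Build one ticket payload from one result row, keeping only allowed fields."""
    fields = {k: row.get(k, "") for k in ALLOWED_FIELDS}
    if not fields["host"]:
        raise ValueError("result row has no host field")
    return {
        "title": f"High CPU on {fields['host']}",
        # A severity assigned by the search wins; otherwise derive it from avg_cpu.
        "priority": fields["severity"] or severity_for(fields["avg_cpu"]),
        "source": search_name,
        "fields": fields,
    }


def tickets_from_file(path, search_name):
    """The for/while loop from the post: one ticket per result row in the file."""
    return [build_ticket(row, search_name) for row in load_results(path)]


def write_sample_results(rows):
    """Constructed sample: write rows as a gzipped CSV, the way Splunk stores results."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "avg_cpu", "severity", "extra"])
    writer.writeheader()
    writer.writerows(rows)
    fd, path = tempfile.mkstemp(suffix=".csv.gz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(gzip.compress(buf.getvalue().encode()))
    return path


SAMPLE_ROWS = [  # constructed sample rows, not real search results
    {"host": "win-app-01", "avg_cpu": "97.2", "severity": "", "extra": "dropped"},
    {"host": "win-db-02", "avg_cpu": "91.0", "severity": "P1", "extra": ""},
]


def demo():
    """Run the whole pipeline against the constructed sample file."""
    path = write_sample_results(SAMPLE_ROWS)
    try:
        return tickets_from_file(path, "high_cpu_5m")
    finally:
        os.remove(path)


if __name__ == "__main__":
    # When Splunk invokes the script, argv[8] (or SPLUNK_ARG_8) is the results path.
    results_path = sys.argv[8] if len(sys.argv) > 8 else os.environ.get("SPLUNK_ARG_8")
    search_name = sys.argv[4] if len(sys.argv) > 4 else os.environ.get("SPLUNK_ARG_4", "")
    tickets = tickets_from_file(results_path, search_name) if results_path else demo()
    for ticket in tickets:
        print(ticket)  # replace with the call into your ticketing system's API
```

The API-based variant described above would replace load_results with a call to the saved search's results endpoint and then hand each row to the same build_ticket; keeping the allow-list of forwarded fields matters in both cases, because result rows can carry whatever text appeared in the underlying events.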

The third (and my favorite) method of getting the data out of Splunk is to use the incredibly useful app, Splunk Real Time Output (created by Alex Raitz). This utility allows users to not only map fields into a CEF format without getting into coding, but it can also be used to stream the data via TCP to any 3rd party system.
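To make the CEF mapping concrete, here is an added example (my own code, not the Real Time Output app's) that formats one search result as a CEF line with the escaping the format requires: header fields escape the pipe and backslash characters, and extension values escape equals signs and backslashes and encode newlines as \n. The vendor and product names, the signature id, and the choice of extension keys (dhost, cn1, cn1Label) are illustrative assumptions; the row fields match the search described earlier.

```python
"""Added example (not the Real Time Output app's code): map one search result
row to a CEF line, with the escaping CEF requires. Vendor/product/signature
values and the extension-key mapping are illustrative assumptions.
"""


def _esc_header(value):
    """Escape a CEF header field: backslash first, then the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    """Escape a CEF extension value: backslash, '=', and line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(row, vendor="Splunk", product="HighCPUAlert", version="1.0",
           signature_id="cpu_high", name="High CPU", severity=5):
    """Return a CEF:0 line for one result row (host and avg_cpu fields)."""
    header = "|".join(_esc_header(v) for v in
                      ("CEF:0", vendor, product, version, signature_id, name, severity))
    # Field mapping: host -> dhost, avg_cpu -> cn1 with a label saying what cn1 holds.
    mapping = {
        "dhost": row.get("host", ""),
        "cn1": row.get("avg_cpu", ""),
        "cn1Label": "avg_cpu",
    }
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in mapping.items())
    return f"{header}|{extension}"


def to_tcp_frame(row, **kwargs):
    """Bytes ready to write to a TCP socket: one CEF line, newline-terminated."""
    return (to_cef(row, **kwargs) + "\n").encode("utf-8")


if __name__ == "__main__":
    # Constructed sample row, not a real search result.
    print(to_cef({"host": "win-app-01", "avg_cpu": "97.2"}))
```

The escaping functions are the part worth keeping even if the app does the mapping for you: a host name or message copied straight from an event into a CEF field without escaping lets a stray pipe or equals sign shift every later field in the receiver's parse.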

So there you have it! Create your real-time search, save it, set up an alert or stream the results out, and all of your work on the Splunk side is completed.

Posted by Dennis Bourg