Set up Solarwinds alerts in ITSI
Prerequisites
- You must have Solarwinds installed. For more information, see the Solarwinds site.
Installation
- Select a Solarwinds product. For example, SolarWinds SAM.
- Download the setup file.
- Provision a Windows virtual machine.
- Run the setup exe file and follow the guided installation steps.
- Verify that Solarwinds is running by going to the Solarwinds Platform web console.
- Go to the web console and create a Solarwinds account, noting your username and password.
SolarWinds webhook setup
- Edit the apps/SA-ITOA/local/itsi_data_integration_template.conf file (create it if it does not exist yet) to include the following template:
[solarwinds]
title = Solarwinds Default Template
_key = solarwinds
data_source = solarwinds
mapping_fields = [ \
  { "name": "src", "display_name": "Source", "type": "notable_event_field", \
    "required": true, "input_type": "composition", "default_selected_field": "src" }, \
  { "name": "signature", "display_name": "Signature", "type": "notable_event_field", \
    "required": true, "input_type": "composition", "default_selected_field": "signature" }, \
  { "name": "vendor_severity", "display_name": "Vendor Severity", "type": "notable_event_field", \
    "required": true, "input_type": "composition", "default_selected_field": "vendor_severity" }, \
  { "name": "severity_id", "display_name": "Severity ID", "type": "notable_event_field", \
    "required": true, "input_type": "composition", "default_selected_field": "severity_id" }, \
  { "name": "title", "display_name": "Title", "type": "notable_event_field", \
    "required": true, "input_type": "composition", "default_selected_field": "title" }, \
  { "name": "owner", "display_name": "Owner", "type": "notable_event_field", \
    "required": true, "input_type": "conf", "default_selected_key": "unassigned", "default_value": "unassigned" }, \
  { "name": "status", "display_name": "Status", "type": "notable_event_field", \
    "required": true, "input_type": "conf", "default_selected_key": "1", "default_value": "1" }, \
  { "name": "subcomponent", "display_name": "Subcomponent", "type": "notable_event_field", \
    "input_type": "mapping_rule", "rule_type": "coalesce", "required": true, \
    "values": ["{subcomponent}", ["-"]] }, \
  { "name": "alert_identifier_fields", "display_name": "Alert Identifier Fields", "type": "notable_event_field", \
    "required": true, "input_type": "composition", \
    "values": [ "{signature}", "-", "{src}", "-", "{subcomponent}" ], \
    "default_value": "default_identifier" }, \
  { "name": "description", "display_name": "Description", "type": "notable_event_field", \
    "required": false, "input_type": "composition", "default_selected_field": "description" }, \
  { "name": "app", "display_name": "App", "type": "notable_event_field", \
    "required": false, "input_type": "composition", "default_selected_field": "app" }, \
  { "name": "itsiDrilldownSearchName", "display_name": "ITSI Drilldown Search Name", \
    "type": "notable_event_field", "required": false }, \
  { "name": "itsiDrilldownSearch", "display_name": "ITSI Drilldown Search", "type": "notable_event_field", \
    "input_type": "composition", "required": false, "default_selected_field": "itsiDrilldownSearch" }, \
  { "name": "itsiDrilldownEarliestOffset", "display_name": "ITSI Drilldown earliest offset", \
    "type": "notable_event_field", "default_value": "-900", "input_type": "mapping_rule", \
    "rule_type": "coalesce", "required": false, \
    "values": ["{itsiDrilldownEarliestOffset}", ["-900"]] }, \
  { "name": "itsiDrilldownLatestOffset", "display_name": "ITSI Drilldown latest offset", \
    "type": "notable_event_field", "default_value": "900", "input_type": "mapping_rule", \
    "rule_type": "coalesce", "required": false, \
    "values": ["{itsiDrilldownLatestOffset}", ["900"]] }, \
  { "name": "itsiDrilldownWebName", "display_name": "ITSI Drilldown Website Name", \
    "type": "notable_event_field", "input_type": "mapping_rule", "rule_type": "case", "required": false, \
    "values": [ \
      { "condition": "IF", \
        "clauses": [ { "field": "itsiDrilldownWebName", "operator": "is not null" } ], \
        "outcomes": [ "{itsiDrilldownWebName}" ] }, \
      { "condition": "ELSE_IF", \
        "clauses": [ { "field": "itsiDrilldownWebURL", "operator": "is not null" } ], \
        "outcomes": [ "{title}" ] }, \
      { "condition": "ELSE", \
        "outcomes": [ "Sorry, no external drilldown available" ] } \
    ] }, \
  { "name": "itsiDrilldownWebURL", "display_name": "ITSI Drilldown Website URL", "type": "notable_event_field", \
    "required": false, "input_type": "composition", "default_selected_field": "itsiDrilldownURI" }, \
  { "name": "itsi_instruction", "display_name": "ITSI Instruction", "type": "notable_event_field", \
    "required": false } \
]
throttling_group_by_fields = ["signature", "src", "subcomponent"]
mapping_field_options = []
status_id_mapping =
- Log in to the Solarwinds web console.
- From the navigation menu, select the Alerts & Activity page.
- Select Alert Manager.
- Create a new alert, or edit an existing alert on the page.
- To create a new alert, select Add New Alert.
- To edit an existing alert, select the alert from the list and select Edit.
- In the Trigger Actions section, select Add Action.
- Select Send a GET or POST Request to a Web Server from the list of action types.
- Enter the URL for your Splunk HTTP Event Collector (HEC) endpoint. This typically follows the format:
https://<splunk-server>:8088/services/collector/event
Use https unless SSL has been turned off on HEC (it is on by default). The HEC token travels in the Authorization header of every request, so a plain http endpoint exposes it to anyone on the network path.
- Select Use HTTP/S POST.
- Set the Body to POST to:
{
  "sourcetype": "solarwinds:alert:hec",
  "event": {
    "timestamp": "${N=SWQL;M=SELECT GETUTCDATE() as a1 FROM Orion.Engines}",
    "vendor_severity": "${N=Alerting;M=Severity}",
    "severity_id": "${N=SWQL;M=SELECT TOP 1 CASE AlertConfigurations.Severity WHEN 0 THEN 1 WHEN 1 THEN 3 WHEN 2 THEN 6 WHEN 3 THEN 5 WHEN 4 THEN 2 ELSE 1 END AS ModifiedSeverity FROM Orion.AlertObjects INNER JOIN Orion.AlertConfigurations ON AlertObjects.AlertID = AlertConfigurations.AlertID WHERE AlertObjects.AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "app": "${N=Generic;M=Application}",
    "title": "${N=Alerting;M=AlertName}",
    "description": "${N=Alerting;M=AlertDescription}",
    "signature": "${N=Alerting;M=AlertMessage}",
    "src": "${N=SWQL;M=SELECT TOP 1 RelatedNodeCaption FROM Orion.AlertObjects WHERE AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "object": "${N=SWQL;M=SELECT TOP 1 EntityCaption FROM Orion.AlertObjects WHERE AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "src_type": "${N=Alerting;M=ObjectType}",
    "itsiDrilldownURI": "${N=Alerting;M=AlertDetailsUrl}",
    "host_url": "${N=SWQL;M=SELECT TOP 1 RelatedNodeDetailsUrl FROM Orion.AlertObjects WHERE AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "itsiDrilldownWeb": "Open Alert in Solarwinds",
    "solarwinds_object_id": "${N=Alerting;M=AlertObjectID}",
    "id": "${N=Alerting;M=AlertDefID}",
    "subcomponent": "${N=SwisEntity;M=IP_Address}",
    "nodename": "${NodeName}",
    "vendor_region": "${N=SwisEntity;M=Location}"
  }
}
The severity_id expression maps the SolarWinds alert severity (0 to 4) onto ITSI severity IDs (1 Info through 6 Critical), falling back to 1. SolarWinds substitutes the macros as plain text, without JSON escaping, so if an alert name, message or description can contain a double quote or a backslash, simulate such an alert and confirm the body is still valid JSON; HEC rejects a malformed body and nothing reaches the index.
- Enter application/json as the content type.
- In the Authentication section, select Token and set the fields to the following values:
- Header name: Authorization
- Header Value: Splunk <HEC Token>
The HEC token is a bearer credential: anyone holding it can write events into the index it is bound to. Create a dedicated token for this integration instead of reusing one, and restrict it to the index you will search in the test section.
- Select Save Changes.
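The following is an added example, not code from the original page, from SolarWinds or from Splunk. It models how SolarWinds renders the webhook body above (plain text substitution of the ${...} macros), checks the rendered body the way HEC and then the [solarwinds] template from itsi_data_integration_template.conf will (valid JSON, the fields the template marks required, a severity_id in ITSI's 1 to 6 range, the signature-src-subcomponent identifier the template composes), and shows the POST the action performs with the Authorization header configured above. The two shorthand macros ${SEVERITY_ID} and ${RELATED_NODE_CAPTION} stand in for the page's long SWQL macros; the host name, token, the send_to_hec helper and all sample alert values are constructed placeholders.

```python
"""Pre-flight checks for the SolarWinds -> HEC -> ITSI webhook (added example)."""
import json
import ssl
import urllib.request

# Event fields the [solarwinds] template marks "required": true and fills from the
# event ("input_type": "composition"). owner and status come from conf defaults and
# subcomponent is coalesced to "-", so those need not be on the wire.
REQUIRED_EVENT_FIELDS = ("src", "signature", "vendor_severity", "severity_id", "title")

# The CASE expression in the webhook body: SolarWinds AlertConfigurations.Severity
# (0-4) -> ITSI severity_id (1 Info, 2 Normal, 3 Low, 4 Medium, 5 High, 6 Critical).
SOLARWINDS_TO_ITSI_SEVERITY = {0: 1, 1: 3, 2: 6, 3: 5, 4: 2}
ITSI_SEVERITY_IDS = {"1", "2", "3", "4", "5", "6"}


def itsi_severity_id(solarwinds_severity):
    """Mirror CASE ... WHEN 0 THEN 1 WHEN 1 THEN 3 ... ELSE 1 END from the body."""
    return SOLARWINDS_TO_ITSI_SEVERITY.get(solarwinds_severity, 1)


# Cut-down copy of the page's body. ${SEVERITY_ID} and ${RELATED_NODE_CAPTION} are
# stand-ins for the two SWQL macros; the remaining macros are the page's own.
BODY_TEMPLATE = """{
  "sourcetype": "solarwinds:alert:hec",
  "event": {
    "vendor_severity": "${N=Alerting;M=Severity}",
    "severity_id": "${SEVERITY_ID}",
    "title": "${N=Alerting;M=AlertName}",
    "description": "${N=Alerting;M=AlertDescription}",
    "signature": "${N=Alerting;M=AlertMessage}",
    "src": "${RELATED_NODE_CAPTION}",
    "subcomponent": "${N=SwisEntity;M=IP_Address}",
    "itsiDrilldownURI": "${N=Alerting;M=AlertDetailsUrl}",
    "solarwinds_object_id": "${N=Alerting;M=AlertObjectID}"
  }
}"""

# Constructed sample alert: the text SolarWinds would substitute for each macro.
SAMPLE_ALERT = {
    "${N=Alerting;M=Severity}": "Critical",
    "${SEVERITY_ID}": str(itsi_severity_id(2)),  # Severity 2 -> ITSI 6
    "${N=Alerting;M=AlertName}": "Node down",
    "${N=Alerting;M=AlertDescription}": "web01 stopped answering ICMP polls",
    "${N=Alerting;M=AlertMessage}": "Node web01 is Down",
    "${RELATED_NODE_CAPTION}": "web01",
    "${N=SwisEntity;M=IP_Address}": "10.0.0.5",
    "${N=Alerting;M=AlertDetailsUrl}": "https://solarwinds.example.internal/alert/4711",
    "${N=Alerting;M=AlertObjectID}": "4711",
}


def expand_macros(template, values):
    """Substitute macros the way SolarWinds does: literal text, no JSON escaping."""
    body = template
    for macro, text in values.items():
        body = body.replace(macro, text)
    return body


def check_posted_body(body_text):
    """Check a rendered body as HEC, then the ITSI template, will see it.

    Returns (event, problems). Invalid JSON is the first thing to look for: HEC
    answers code 6 "Invalid data format" and the alert never reaches the index.
    """
    try:
        payload = json.loads(body_text)
    except json.JSONDecodeError as exc:
        return None, [f"body is not valid JSON: {exc.msg} at char {exc.pos}"]
    problems = []
    if payload.get("sourcetype") != "solarwinds:alert:hec":
        problems.append("sourcetype does not match the search used to verify the integration")
    event = payload.get("event")
    if not isinstance(event, dict):
        return None, problems + ["event must be a JSON object"]
    for name in REQUIRED_EVENT_FIELDS:
        if not str(event.get(name, "")).strip():
            problems.append(f"missing required field {name}")
    if str(event.get("severity_id", "")) not in ITSI_SEVERITY_IDS:
        problems.append("severity_id must be an ITSI severity 1-6")
    return event, problems


def alert_identifier(event):
    """alert_identifier_fields from the template: {signature}-{src}-{subcomponent},
    subcomponent coalesced to "-" when absent. throttling_group_by_fields uses the
    same three fields, so this string is also what ITSI throttles on."""
    subcomponent = event.get("subcomponent") or "-"
    return f"{event['signature']}-{event['src']}-{subcomponent}"


def send_to_hec(body_text, hec_url, token, cafile=None):
    """POST a rendered body with the header the action is configured with.

    Not called offline. cafile: CA that signed the HEC certificate, needed when
    Splunk still uses its default self-signed certificate.
    """
    req = urllib.request.Request(
        hec_url, data=body_text.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())  # {"text": "Success", "code": 0} when accepted


if __name__ == "__main__":
    event, problems = check_posted_body(expand_macros(BODY_TEMPLATE, SAMPLE_ALERT))
    print("problems:", problems or "none", "| identifier:", alert_identifier(event))
    # A double quote in the alert message breaks the JSON before HEC ever parses it.
    quoted = {**SAMPLE_ALERT, "${N=Alerting;M=AlertMessage}": 'Service "W3SVC" stopped'}
    print("quoted message:", check_posted_body(expand_macros(BODY_TEMPLATE, quoted))[1])
```

Run it as-is to see a clean body pass and the quoted-message body fail validation; to exercise the real endpoint, call send_to_hec with the rendered body, your HEC URL and token, and expect code 0 in the reply.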
Test Solarwinds alert
- In the Trigger Actions section, select the button under the Simulate column and pick an alert to simulate. A success message confirms that the integration was set up properly.
- On the Search page in Splunk, you should begin to see data after running a search on the sourcetype set in the webhook body. For example:
index=main sourcetype="solarwinds:alert:hec"
This search assumes the HEC token writes to its default index, main; if you assigned a different index to the token, search that index instead.