Set up Solarwinds alerts in ITSI

Prerequisites

  • You must have Solarwinds installed. For more information, see the Solarwinds site.

SolarWinds webhook setup

  1. Edit the apps/SA-ITOA/local/itsi_data_integration_template.conf file to include the following template:
    JSON
    [solarwinds]
    title = Solarwinds Default Template
    _key = solarwinds
    data_source = solarwinds
    mapping_fields = [ \
        { \
            "name": "src", \
            "display_name": "Source", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "composition", \
            "default_selected_field": "src" \
        }, \
        { \
            "name": "signature", \
            "display_name": "Signature", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "composition", \
            "default_selected_field": "signature" \
        }, \
        { \
            "name": "vendor_severity", \
            "display_name": "Vendor Severity", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "composition", \
            "default_selected_field": "vendor_severity" \
        }, \
        { \
            "name": "severity_id", \
            "display_name": "Severity ID", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "composition", \
            "default_selected_field": "severity_id" \
        }, \
        { \
            "name": "title", \
            "display_name": "Title", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "composition", \
            "default_selected_field": "title" \
        }, \
        { \
            "name": "owner", \
            "display_name": "Owner", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "conf", \
            "default_selected_key": "unassigned", \
            "default_value": "unassigned" \
        }, \
        { \
            "name": "status", \
            "display_name": "Status", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "conf", \
            "default_selected_key": "1", \
            "default_value": "1" \
        }, \
        { \
            "name": "subcomponent", \
            "display_name": "Subcomponent", \
            "type": "notable_event_field", \
            "input_type": "mapping_rule", \
            "rule_type": "coalesce", \
            "required": true, \
            "values": ["{subcomponent}", ["-"]] \
        }, \
        { \
            "name": "alert_identifier_fields", \
            "display_name": "Alert Identifier Fields", \
            "type": "notable_event_field", \
            "required": true, \
            "input_type": "composition", \
            "values": \
            [ \
                "{signature}", \
                "-", \
                "{src}", \
                "-", \
                "{subcomponent}" \
            ], \
            "default_value": "default_identifier" \
        }, \
        { \
            "name": "description", \
            "display_name": "Description", \
            "type": "notable_event_field", \
            "required": false, \
            "input_type": "composition", \
            "default_selected_field": "description" \
        }, \
        { \
            "name": "app", \
            "display_name": "App", \
            "type": "notable_event_field", \
            "required": false, \
            "input_type": "composition", \
            "default_selected_field": "app" \
        }, \
        { \
            "name": "itsiDrilldownSearchName", \
            "display_name": "ITSI Drilldown Search Name", \
            "type": "notable_event_field", \
            "required": false \
        }, \
        { \
            "name": "itsiDrilldownSearch", \
            "display_name": "ITSI Drilldown Search", \
            "type": "notable_event_field", \
            "input_type": "composition", \
            "required": false, \
            "default_selected_field": "itsiDrilldownSearch" \
        }, \
        { \
            "name": "itsiDrilldownEarliestOffset", \
            "display_name": "ITSI Drilldown earliest offset", \
            "type": "notable_event_field", \
            "default_value": "-900", \
            "input_type": "mapping_rule", \
            "rule_type": "coalesce", \
            "required": false, \
            "values": ["{itsiDrilldownEarliestOffset}", ["-900"]] \
        }, \
        { \
            "name": "itsiDrilldownLatestOffset", \
            "display_name": "ITSI Drilldown latest offset", \
            "type": "notable_event_field", \
            "default_value": "900", \
            "input_type": "mapping_rule", \
            "rule_type": "coalesce", \
            "required": false, \
            "values": ["{itsiDrilldownLatestOffset}", ["900"]] \
        }, \
        { \
            "name": "itsiDrilldownWebName", \
            "display_name": "ITSI Drilldown Website Name", \
            "type": "notable_event_field", \
            "input_type": "mapping_rule", \
            "rule_type": "case", \
            "required": false, \
            "values": [ \
                { \
                    "condition": "IF", \
                    "clauses": [ \
                        { \
                            "field": "itsiDrilldownWebName", \
                            "operator": "is not null" \
                        } \
                    ], \
                    "outcomes": [ \
                        "{itsiDrilldownWebName}" \
                    ] \
                }, \
                { \
                    "condition": "ELSE_IF", \
                    "clauses": [ \
                        { \
                            "field": "itsiDrilldownWebURL", \
                            "operator": "is not null" \
                        } \
                    ], \
                    "outcomes": [ \
                        "{title}" \
                    ] \
                }, \
                { \
                    "condition": "ELSE", \
                    "outcomes": [ \
                        "Sorry, no external drilldown available" \
                    ] \
                } \
            ] \
        }, \
        { \
            "name": "itsiDrilldownWebURL", \
            "display_name": "ITSI Drilldown Website URL", \
            "type": "notable_event_field", \
            "required": false, \
            "input_type": "composition", \
            "default_selected_field": "itsiDrilldownURI" \
        }, \
        { \
            "name": "itsi_instruction", \
            "display_name": "ITSI Instruction", \
            "type": "notable_event_field", \
            "required": false \
        } \
    ]
    throttling_group_by_fields = ["signature", "src", "subcomponent"]
    mapping_field_options = []
    status_id_mapping =
  2. Log in to the Solarwinds web console.
  3. From the navigation menu, select the Alerts & Activity page.
  4. Select Alert Manager.
  5. Create a new alert, or edit an existing alert on the page.
    • To create a new alert, select Add New Alert.
    • To edit an existing alert, select the alert from the list and select Edit.
  6. In the Trigger Actions section, select Add Action.
  7. Select Send a GET or POST Request to a Web Server from the list of action types.
  8. Enter the URL for your Splunk HTTP Event Collector (HEC) endpoint. This typically follows the format: http://<splunk-server>:8088/services/collector/event. If SSL is enabled on the HEC input, use https:// instead, because the HEC token configured in step 12 is sent in the Authorization header of every request and would otherwise travel in clear text.
  9. Select Use HTTP/S POST.
  10. Set the Body to POST to the following. The ${...} macros are substituted as plain text, so if an alert name, message, or description contains characters that are not valid inside a JSON string (double quotes, backslashes, or line breaks), the resulting body may not be valid JSON and HEC may reject the event; test with such an alert if your alert text can contain them.
    JSON
    {
    "sourcetype":"solarwinds:alert:hec",
     "event":{
    "timestamp": "${N=SWQL;M=SELECT GETUTCDATE() as a1 FROM Orion.Engines}",
    "vendor_severity": "${N=Alerting;M=Severity}",
    "severity_id":"${N=SWQL;M=SELECT TOP 1 CASE AlertConfigurations.Severity WHEN 0 THEN 1 WHEN 1 THEN 3 WHEN 2 THEN 6 WHEN 3 THEN 5 WHEN 4 THEN 2 ELSE 1 END AS ModifiedSeverity FROM Orion.AlertObjects INNER JOIN Orion.AlertConfigurations ON AlertObjects.AlertID = AlertConfigurations.AlertID WHERE AlertObjects.AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "app": "${N=Generic;M=Application}",
    "title": "${N=Alerting;M=AlertName}",
    "description": "${N=Alerting;M=AlertDescription}",
    "signature":"${N=Alerting;M=AlertMessage}",
    "src": "${N=SWQL;M=SELECT TOP 1 RelatedNodeCaption FROM Orion.AlertObjects WHERE AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "object": "${N=SWQL;M=SELECT TOP 1 EntityCaption FROM Orion.AlertObjects WHERE AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "src_type": "${N=Alerting;M=ObjectType}",
    "itsiDrilldownURI": "${N=Alerting;M=AlertDetailsUrl}",
    "host_url": "${N=SWQL;M=SELECT TOP 1 RelatedNodeDetailsUrl FROM Orion.AlertObjects WHERE AlertObjectID = ${N=Alerting;M=AlertObjectID} }",
    "itsiDrilldownWeb":"Open Alert in Solarwinds",
    "solarwinds_object_id": "${N=Alerting;M=AlertObjectID}",
    "id": "${N=Alerting;M=AlertDefID}",
    "subcomponent": "${N=SwisEntity;M=IP_Address}",
    "nodename": "${NodeName}",
    "vendor_region": "${N=SwisEntity;M=Location}"
    }}
  11. Enter application/json as the content type.
  12. In the Authentication section, select Token. Set the fields to the following values:
    • Header name: Authorization
    • Header Value: Splunk <HEC Token>
  13. Select Save Changes.

Test Solarwinds alert

  1. In the Trigger Actions section, select the button under the Simulate column and select an alert to simulate. A success message confirms that the integration was set up correctly.
  2. On the Search page in Splunk, you should begin to see data after running a search that filters on your webhook's events (for example, the sourcetype solarwinds:alert:hec set in the POST body). For example:
    CODE
    .