SolarWinds integration for Splunk On-Call
Configure the SolarWinds integration for Splunk On-Call.
Integrate SolarWinds Orion alerts to Splunk On-Call using the SolarWinds API URL endpoint.
Requirements
- SolarWinds Orion NPM is required for the integration
- SAM is required for the acknowledge-back component
Configure in Splunk On-Call
- In your account, go to Integrations then SolarWinds.
- Activate the integration.
- Copy the Service API Endpoint to use in later steps.
Configure in SolarWinds
- Go to Alerts & Activity then Alerts, then select Manage Alerts to go to the Alert Manager.
- Select Add New Alert.
- Name the alert "Send Alert to Splunk On-Call".
- Configure your trigger, reset, and time-of-day conditions.
- On the Trigger Actions tab, select Add Action.
- Select Send a Get or Post a URL to a Web Server and select Configure Action.
- Name your action "Critical to Splunk On-Call".
- Select Use HTTP/S POST and enter your Splunk On-Call SolarWinds Service API Endpoint. Replace the trailing $routing_key with the actual routing key you intend to use for the alert. For more information on routing keys, see Create Routing Keys in Splunk On-Call.
- In Body to POST, copy and paste an applicable Trigger Action payload from the example payloads. See Example body payloads.
- Set Content Type to application/json.
- Set Authentication to None.
- Configure the rest of the settings as needed and save your changes.
- Select Next to open the Reset Action tab.
- Select Add Action.
- In Body to POST, copy and paste the corresponding Reset Action payload from the example payloads. See Example body payloads.
- Select Add Action.
- Select Next through the Summary tab, review, then Submit.
Alert Splunk On-Call for multiple actions
- Go to Alerts & Activity then Alerts, then select Manage Alerts to go to the Alert Manager.
- Select the box next to the newly created "Send Alert to Splunk On-Call" alert and select Assign Action.
- Assign your trigger and reset actions, then select Assign.
Activate the Splunk On-Call acknowledge back
This acknowledge back is a command poll against the Splunk On-Call public API, configured in SolarWinds as a SAM application monitor. You have to create a new user and node in SolarWinds.
- Go to Main Settings & Administration in SolarWinds.
- Go to Product Specific Settings then SAM Settings.
- Go to Application Monitors then Manage Application Monitors then Application Monitor Templates.
- Import the VictorOps Ack-Back.apm-template and replace the script with the contents of SolarWinds-ack-back-v2.1.txt.
- From the Main Settings & Administration section in SolarWinds, go to Product Specific Settings then SAM Settings.
- Go to Application Monitors then Manage Application Monitors.
- Select VictorOps Ack-Back and select Edit Properties. The Polling Frequency is set to 60 seconds, which means SolarWinds command-polls Splunk On-Call every 60 seconds for new acknowledgements.
- Expand the component Ack-Back Get Requests.
- Change the Credential for Monitoring to the SolarWinds API User.
- Review the Script Body to confirm it includes the v2 version of the ack-back script.
- Update the PowerShell script with your Splunk On-Call API values and your SolarWinds primary server name. You can find the Splunk On-Call API values in Splunk On-Call under Settings then API. Near the top of the PowerShell script, replace everything between the quotes with the correct information for the following variables:
#Victor Ops Company ID
$API_ID="<Your API ID>"
#Victor Ops API Key
$ApiKey="<Your API Key>"
#Set to your SolarWinds Primary Application Server
$SolarWindsServer="<Your Primary SolarWinds Server Name>"
- Select Submit.
Create a limited-rights user for SolarWinds alert management
- Go to Settings then All Settings to reach the Main Settings & Administration section in SolarWinds.
- Go to User Accounts then Manage Accounts.
- Select Add New Account.
- Select Orion individual account.
- Select Next.
- In the User Name field enter "solarwindsapi".
- Enter a password.
- Select Next.
- In the Define Settings section, scroll to Alerts.
- In Allow Alert Management Rights select Yes.
- Select Submit.
Add the limited-rights user to the SAM credential library
- From the Main Settings & Administration section in SolarWinds, go to Product Specific Settings then SAM Settings.
- Go to Global SAM Settings then Credentials Library.
- Add the limited user account. For the credential name use SolarWinds API User.
Create an external node for VictorOps.com
- Go to Settings then Manage Nodes.
- Add a node.
- For the node name enter "victorops.com".
Assign the Splunk On-Call acknowledge back application templates
- From the Main Settings & Administration section in SolarWinds, go to Product Specific Settings then SAM Settings.
- Go to Application Monitors then Manage Application Monitors.
- Select Application Monitor Templates.
- Select VictorOps Ack-Back then select Assign to Node.
- Select the "victorops.com" node and select the green arrow to add it to Selected Nodes.
- Select Next.
- Assign the SolarWinds API User credentials.
- Select Assign Application Monitors.
Example body payloads
The following template payloads contain the required fields; you can add fields as needed.
The backslash character (\) can't be used in the HTTP POST body. Instead, use a SQL REPLACE function in the SolarWinds alert to strip it from the value before it is inserted:
${SQL: SELECT REPLACE ('''${Caption}''','\',' ')}
Node is down
Trigger action
{
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} is ${Status}",
"entity_display_name":"${NodeName} is ${Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}
Reset action
{
"message_type":"RECOVERY",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} is ${Status}",
"entity_display_name":"${NodeName} is ${Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}
Volume space alert
Trigger action
{
"alert_rule":"${N=Alerting;M=AlertName}",
"entity_display_name":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}",
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"state_message":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free"
}
Reset action
{
"alert_rule":"${N=Alerting;M=AlertName}",
"entity_display_name":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}",
"message_type":"RECOVERY",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"state_message":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free"
}
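The following Python script is an added example and is not part of the Splunk or SolarWinds documentation. It takes the Volume space alert trigger template above, substitutes a constructed set of macro values the way the SolarWinds alert engine does (verbatim, with no JSON escaping; that the ${SQL: ...} REPLACE macro is evaluated before the plain macros is an assumption of the example), and checks whether the result is JSON that carries the nine fields every template on this page uses. Running it shows why inserting ${Caption} directly breaks the POST body when the caption holds a backslash, and that the REPLACE form from the note above yields a body Splunk On-Call can parse.

```python
"""Render a SolarWinds alert-action payload template with verbatim ${...}
substitution and check that the result is JSON Splunk On-Call can parse.
Added example: the template is copied from this page, the variable values
are constructed, and the two-phase rendering is an assumption about how
SolarWinds evaluates the nested ${SQL: ...} macro."""
import json
import re

# The nine fields that every template on this page carries.
PAYLOAD_FIELDS = {
    "message_type", "monitor_name", "monitoring_tool", "alert_rule",
    "state_message", "entity_display_name", "entity_id", "host_name",
    "ip_address",
}

# "Volume space alert" trigger payload from this page, REPLACE form.
VOLUME_TRIGGER_SAFE = r"""{
"alert_rule":"${N=Alerting;M=AlertName}",
"entity_display_name":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}",
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"state_message":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free"
}"""

# The same template with ${Caption} inserted directly: the form the page
# warns against, kept here only to show why the REPLACE is needed.
VOLUME_TRIGGER_RAW = VOLUME_TRIGGER_SAFE.replace(
    r"${SQL: SELECT REPLACE ('''${Caption}''','\',' ')}", "${Caption}"
)

# Constructed sample values; a Windows volume caption contains a backslash.
SAMPLE_VARS = {
    "N=Alerting;M=AlertName": "Volume space low",
    "N=Alerting;M=AlertObjectID": "4711",
    "NodeName": "fileserver01",
    "Node.IP_Address": "10.0.0.25",
    "VolumeSpaceAvailable": "1.2 GB",
    "Caption": "C:\\ Label:System",
}

# Matches ${SQL: SELECT REPLACE ('''${Var}''','<char>',' ')} as written above.
SQL_REPLACE_MACRO = re.compile(
    r"\$\{SQL: SELECT REPLACE \('''\$\{(\w+)\}''','(.)',' '\)\}"
)
# Any remaining ${...} macro, including ones with '=', ';' and '.' inside.
PLAIN_MACRO = re.compile(r"\$\{([^}]+)\}")


def render(template, variables):
    """Expand macros with no JSON escaping, as the alert engine does."""
    # Phase 1: the REPLACE macro swaps the unwanted character for a space.
    def sql_replace(m):
        return variables[m.group(1)].replace(m.group(2), " ")

    text = SQL_REPLACE_MACRO.sub(sql_replace, template)
    # Phase 2: plain macros are substituted verbatim, so a backslash in a
    # value lands in the JSON body untouched.
    return PLAIN_MACRO.sub(lambda m: variables[m.group(1)], text)


def validate(rendered):
    """Return (True, parsed object) or (False, reason)."""
    try:
        obj = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg} at char {exc.pos}"
    missing = PAYLOAD_FIELDS - set(obj)
    if missing:
        return False, "missing fields: " + ", ".join(sorted(missing))
    return True, obj


if __name__ == "__main__":
    for label, template in (("raw", VOLUME_TRIGGER_RAW),
                            ("safe", VOLUME_TRIGGER_SAFE)):
        ok, detail = validate(render(template, SAMPLE_VARS))
        print(f"{label}: {'OK' if ok else detail}")
```

Because the substitution is verbatim, any other character that JSON treats specially (a double quote in a caption, for instance) would break the body in the same way; the REPLACE shown on this page only handles the backslash, so check the values your nodes actually produce before relying on a template in production.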
Component-based alert
Trigger action
{
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_display_name":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}
Reset action
{
"message_type":"RECOVERY",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_display_name":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}