Splunk® IT Service Intelligence

Event Analytics Manual

Set up Solarwinds alerts in ITSI

Prerequisites

  • You must have SolarWinds installed. For more information, see the SolarWinds site.

Installation

  1. Select a SolarWinds product. For example, SolarWinds SAM.
  2. Download the setup file.
  3. Provision a Windows virtual machine.
  4. Run the setup exe file and follow the guided installation steps.
  5. Verify that SolarWinds is running by opening the SolarWinds Platform web console.
  6. In the web console, create a SolarWinds account for the Splunk add-on and note its username and password. Use a dedicated account with only the rights the add-on needs to read alerts rather than an administrator account, so the credential stored in Splunk grants no more than it must.

Configure Solarwinds

  1. Install the SolarWinds Add-on for Splunk.
  2. In the SolarWinds add-on, select the Configuration tab.
  3. On the Account tab, enter the SolarWinds username and password the add-on uses to authenticate to the SolarWinds API.
  4. In the "Add-on Settings" section, enter the SolarWinds server and port.
  5. Change the port from the default 17778 to 17774.
  6. Select the Input tab.
  7. Add the SolarWinds Alerts input and set its initial start time in the format YYYY-MM-DD hh:mm:ss. Only alerts raised after this time are collected.
  8. Verify that SolarWinds alerts are being ingested into Splunk.

SolarWinds webhook setup

  1. Log in to the SolarWinds web console.
  2. From the navigation menu, select the Alerts & Activity page.
  3. Select "Alert Manager".
  4. Create a new alert, or edit an existing alert on the page.
    • To create a new alert, select Add New Alert.
    • To edit an existing alert, select the alert from the list and select Edit.
  5. In the Trigger Actions section, select Add Action.
  6. Select Send a GET or POST Request to a Web Server from the list of action types.
  7. Enter the URL of your Splunk HTTP Event Collector (HEC) endpoint. This typically follows the format https://<splunk-server>:8088/services/collector/event. Prefer https over http: the HEC token is sent in the Authorization header of every request, so a plaintext endpoint exposes it to anyone on the network path. HEC has SSL enabled by default.
  8. Select Use HTTP/S POST.
  9. Set the Body to POST to:
    {
      "event": {
        "Description": "${N=Alerting;M=AlertDescription}",
        "Message": "Component \"${N=SwisEntity;M=ApplicationAlert.ApplicationName}\" is ${N=Alerting;M=Severity}",
        "Uri": "${N=NTA.Alerting;M=NTA.SummaryPageUrl;F=NTALast30MinutesFromTimeTriggeredFormatter}"
      },
      "sourcetype": "solarwinds:alerts"
    }
    
  10. Enter application/json as the content type.
  11. In the Authentication section, select Token. Set the fields to the following values:
    • Header name: Authorization
    • Header Value: Splunk <HEC Token>
    Treat the HEC token as a credential: create a token dedicated to this integration so that it can be revoked or rotated without affecting other senders, and do not reuse a token shared with other systems.
  12. Select Save Changes.
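To confirm that the HEC endpoint, token and body format are correct independently of SolarWinds, the following added Python script (an example written for this page, not code from the Splunk or SolarWinds documentation) builds the same event envelope the webhook body above produces, with the SolarWinds ${...} macros replaced by constructed sample values, and POSTs it over verified TLS with the "Authorization: Splunk <token>" header. The host name, token value and sample alert fields are assumptions for illustration; the URL check refuses plaintext http endpoints because the token would otherwise cross the network in clear.

```python
"""Post a SolarWinds-style alert to Splunk HTTP Event Collector (HEC).

Added example for the Splunk ITSI SolarWinds webhook page. The endpoint,
token and sample alert values below are placeholders, not real systems.
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

HEC_URL = "https://splunk.example.com:8088/services/collector/event"  # assumed host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real token

# Constructed sample of what SolarWinds substitutes for the macros in the body.
SAMPLE_ALERT = {
    "AlertDescription": "Application is down",
    "ApplicationName": "IIS",
    "Severity": "Critical",
    "SummaryPageUrl": "https://solarwinds.example.com/Orion/NetFlow/Summary.aspx",
}


def build_hec_payload(alert: dict, sourcetype: str = "solarwinds:alerts") -> dict:
    """Return the HEC envelope the webhook body on this page produces.

    The Message field embeds the quoted application name and the severity,
    exactly as the ${N=SwisEntity;...} and ${N=Alerting;M=Severity} macros do.
    """
    return {
        "event": {
            "Description": alert["AlertDescription"],
            "Message": f'Component "{alert["ApplicationName"]}" is {alert["Severity"]}',
            "Uri": alert["SummaryPageUrl"],
        },
        "sourcetype": sourcetype,
    }


def hec_headers(token: str) -> dict:
    """HEC expects the token with the literal 'Splunk ' scheme prefix."""
    return {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }


def uses_tls(url: str) -> bool:
    """True only for https:// endpoints; the bearer token must not go in clear."""
    return urllib.parse.urlsplit(url).scheme == "https"


def post_to_hec(url: str, token: str, payload: dict,
                cafile: Optional[str] = None) -> Tuple[int, dict]:
    """POST the payload and return (http_status, parsed HEC response body).

    A default SSL context verifies the HEC certificate. For a private CA,
    pass cafile rather than disabling verification.
    """
    if not uses_tls(url):
        raise ValueError("refusing to send the HEC token over plaintext http")
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers=hec_headers(token), method="POST"
    )
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # HEC reports problems such as an invalid token as JSON with a 4xx status.
        body = err.read()
        try:
            return err.code, json.loads(body)
        except json.JSONDecodeError:
            return err.code, {"text": body.decode(errors="replace")}


if __name__ == "__main__":
    status, reply = post_to_hec(HEC_URL, HEC_TOKEN, build_hec_payload(SAMPLE_ALERT))
    print(status, reply)
```

Run it against your own HEC host and token; a 200 status with a "Success" text in the reply means the token is valid and the event was accepted, and the event should then be findable in Splunk with the same search used in the test section below. A 4xx reply with a descriptive text (for example an invalid or disabled token) points at the Authorization header or the token's configuration before any SolarWinds-side troubleshooting.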

Test Solarwinds alert

  1. In the Trigger Actions section, select the button under the Simulate column and choose an alert to simulate. A success message confirms that SolarWinds could reach the HEC endpoint and that the request was accepted.
  2. On the Search page in Splunk, events should appear shortly after the simulation. Search the index that the HEC token writes to (the default index of the token, index=main in this example) for the sourcetype set in the webhook body. For example:

    index=main sourcetype=*solarwinds:alert*

Last modified on 19 February, 2025

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.20.0

