SolarWinds integration for Splunk On-Call 🔗
Integrate SolarWinds Orion alerts with Splunk On-Call using the SolarWinds API URL endpoint.
Requirements 🔗
SolarWinds Orion NPM is required for the integration
SAM is required for the acknowledge-back component
Configure in Splunk On-Call 🔗
In your account, go to Integrations then SolarWinds.
Activate the integration.
Copy the Service API Endpoint to use in later steps.
Configure in SolarWinds 🔗
Go to Alerts & Activity then Alerts then select Manage Alerts to go to the Alert Manager.
Select Add New Alert
Name the alert “Send Alert to Splunk On-call”.
Configure your trigger, reset, and time-of-day conditions.
On the Trigger Actions tab, select Add Action.
Select Send a Get or Post a URL to a Web Server and select Configure Action.
Name your action “Critical to Splunk On-Call”.
Select Use HTTP/S POST and enter your Splunk On-Call SolarWinds Service API Endpoint. Replace the trailing $routing_key with the actual routing key you intend to use for the alert. For more information on routing keys, see Create Routing Keys in Splunk On-Call.
In Body to POST, copy and paste an applicable Trigger Action payload from the example payloads. See Example body payloads.
Set Content Type to application/json.
Set Authentication to None.
Configure the rest of the settings as needed and save your changes.
Select Next to open the Reset Action tab.
Select Add Action.
In Body to POST copy and paste the corresponding Reset Action payload from the example payloads. See Example body payloads.
Select Add Action.
Select Next through the Summary tab, review, then Submit.
Alert Splunk On-Call for multiple actions 🔗
Go to Alerts & Activity then Alerts then select Manage Alerts to go to the Alert Manager.
Select the box next to the newly-created “Send Alert to Splunk On-Call” alert and select Assign Action.
Assign your trigger and reset actions, then select Assign.
Activate the Splunk On-Call acknowledge back 🔗
This acknowledge back is a command poll against the Splunk On-Call public API, configured in SolarWinds as an Application Manager. You have to create a new user and node in SolarWinds.
Go to Main Settings & Administration in SolarWinds.
Go to Product Specific Settings then SAM Settings.
Go to Application Monitors then Manage Application Monitors then Application Monitor Templates.
Import the VictorOps Ack-Back.apm-template and replace the script with the SolarWinds-ack-back-v2.1.txt.
From the Main Settings & Administration section in SolarWinds, go to Product Specific Settings then SAM Settings
Go to Application Monitors then Manage Application Monitors.
Select VictorOps Ack-Back and select Edit Properties. The Polling Frequency is set to 60 seconds, which means SolarWinds command-polls Splunk On-Call every 60 seconds for new acknowledgements.
Expand the component Ack-Back Get Requests.
Change the Credential for Monitoring to the SolarWinds API User.
Review the Script Body to confirm it includes the v2 version of the ack-back script.
Update the PowerShell script with your Splunk On-Call API values and SolarWinds primary server name. You can find the Splunk On-Call API values in Splunk On-Call under Settings then API. Near the top of the PowerShell script, replace everything between the quotes with the correct information for the following variables:
#Victor Ops Company ID
$API_ID="<Your API ID>"
#Victor Ops API Key
$ApiKey="<Your API Key>"
#Set to your SolarWinds Primary Application Server
$SolarWindsServer="<Your Primary SolarWinds Server Name>"
Select Submit.
Create a limited-rights user for SolarWinds alert management 🔗
Go to Settings then All Settings to reach the Main Settings & Administration section in SolarWinds.
Go to User Accounts then Manage Accounts.
Select Add New Account.
Select Orion individual account.
Select Next.
In the User Name field enter “solarwindsapi”.
Enter a password.
Select Next.
In the Define Settings section, scroll to Alerts.
In Allow Alert Management Rights select Yes.
Select Submit.
Add the limited-rights user to the SAM credential library 🔗
From the Main Settings & Administration section in SolarWinds, go to Product Specific Settings then SAM Settings.
Go to Global SAM Settings then Credentials Library.
Add the limited user account. For the credential name use SolarWinds API User.
Create an external node for VictorOps.com 🔗
Go to Settings then Manage Nodes.
Add a node.
For the node name enter “victorops.com”.
Assign the Splunk On-Call acknowledge back application templates 🔗
From the Main Settings & Administration section in SolarWinds, go to Product Specific Settings then SAM Settings.
Go to Application Monitors then Manage Application Monitors.
Select Application Monitor Templates.
Select VictorOps Ack-Back then select Assign to Node.
Select the “victorops.com” node and select the green arrow to add it to Selected Nodes.
Select Next.
Assign the SolarWinds API User credentials.
Select Assign Application Monitors.
Example body payloads 🔗
The following template payloads contain the required fields; you can add fields as needed.
The backslash (\) character can't be used in the HTTP POST body. Instead, use a SQL REPLACE function in the SolarWinds alert:
${SQL: SELECT REPLACE ('''${Caption}''','\',' ')}
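To see why the REPLACE workaround matters, here is an added Python example that is not part of this documentation and not code from SolarWinds or Splunk On-Call. It renders the page's Volume space trigger and reset payloads with constructed macro values, once through the page's SQL REPLACE macro and once with a raw ${Caption}, then checks the pair the way a receiving endpoint would: valid JSON, every field of the page's template present, CRITICAL for the trigger and RECOVERY for the reset, and a shared entity_id so the reset resolves the incident the trigger opened. The sample macro values, the treatment of every template field as required, and the macro-expansion logic itself are assumptions made for the example.

```python
import json
import re

# Constructed sample values for the SolarWinds alert macros (assumed, not captured from a live Orion server).
SAMPLE_MACROS = {
    "NodeName": "web01",
    "Status": "Down",
    "Node.IP_Address": "10.0.0.5",
    "N=Alerting;M=AlertName": "Send Alert to Splunk On-call",
    "N=Alerting;M=AlertObjectID": "1234",
    "Caption": "C:\\ Label:System Serial Number 1a2b3c",  # Windows volume caption containing a backslash
    "VolumeSpaceAvailable": "2.1 GB",
}

# The exact SQL macro the page uses to strip backslashes from ${Caption}.
SQL_REPLACE_MACRO = "${SQL: SELECT REPLACE ('''${Caption}''','\\',' ')}"

# Volume space trigger payload as printed on the page (the backslash is doubled only for Python).
VOLUME_TRIGGER_TEMPLATE = """{
"alert_rule":"${N=Alerting;M=AlertName}",
"entity_display_name":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\\',' ')} has ${VolumeSpaceAvailable} free",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}",
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"state_message":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\\',' ')} has ${VolumeSpaceAvailable} free"
}"""

# The page's reset payload is identical apart from message_type.
VOLUME_RESET_TEMPLATE = VOLUME_TRIGGER_TEMPLATE.replace('"message_type":"CRITICAL"', '"message_type":"RECOVERY"')

# What an operator gets by pasting ${Caption} directly instead of the REPLACE macro.
NAIVE_TRIGGER_TEMPLATE = VOLUME_TRIGGER_TEMPLATE.replace(SQL_REPLACE_MACRO, "${Caption}")

# Matches a plain ${...} macro; run only after the nested SQL macro has been expanded.
SIMPLE_MACRO_RE = re.compile(r"\$\{([^${}]*)\}")

# Every field present in the page's templates, treated here as required (assumption).
REQUIRED_FIELDS = ("message_type", "monitor_name", "monitoring_tool", "alert_rule", "state_message",
                   "entity_display_name", "entity_id", "host_name", "ip_address")


def render(template, macros):
    """Expand the macros into the text SolarWinds would POST (simplified model of the alert engine)."""
    # The SQL macro replaces every backslash in the caption with a space, as on the page.
    text = template.replace(SQL_REPLACE_MACRO, macros["Caption"].replace("\\", " "))
    return SIMPLE_MACRO_RE.sub(lambda m: macros[m.group(1)], text)


def parse_body(body):
    """Return the decoded payload, or None when the rendered body is not valid JSON."""
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def check_pair(trigger_body, reset_body):
    """Return a list of problems with a rendered trigger/reset pair (empty when the pair is sound)."""
    trig, reset = parse_body(trigger_body), parse_body(reset_body)
    problems = []
    if trig is None:
        problems.append("trigger body is not valid JSON")
    if reset is None:
        problems.append("reset body is not valid JSON")
    if problems:
        return problems
    for name, payload in (("trigger", trig), ("reset", reset)):
        missing = [f for f in REQUIRED_FIELDS if f not in payload]
        if missing:
            problems.append(f"{name} missing fields: {', '.join(missing)}")
    if trig.get("message_type") != "CRITICAL":
        problems.append("trigger message_type must be CRITICAL")
    if reset.get("message_type") != "RECOVERY":
        problems.append("reset message_type must be RECOVERY")
    # The RECOVERY only resolves the open incident if both bodies carry the same entity_id.
    if trig.get("entity_id") != reset.get("entity_id"):
        problems.append("entity_id differs between trigger and reset")
    return problems


if __name__ == "__main__":
    good_trigger = render(VOLUME_TRIGGER_TEMPLATE, SAMPLE_MACROS)
    good_reset = render(VOLUME_RESET_TEMPLATE, SAMPLE_MACROS)
    print("with SQL REPLACE macro:", check_pair(good_trigger, good_reset) or "OK")
    print("with raw ${Caption}:", check_pair(render(NAIVE_TRIGGER_TEMPLATE, SAMPLE_MACROS), good_reset))
```

Run as a script, the first line reports OK and the second reports that the trigger body is not valid JSON: the raw caption leaves `\ ` inside a JSON string, which is an invalid escape, so the POST would be rejected or silently dropped by the receiver and no incident would open. The same check applied before saving an alert action catches a mismatched entity_id between trigger and reset, which otherwise leaves incidents open after the condition clears.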
Node is down 🔗
Trigger action 🔗
{
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} is ${Status}",
"entity_display_name":"${NodeName} is ${Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}
Reset action 🔗
{
"message_type":"RECOVERY",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} is ${Status}",
"entity_display_name":"${NodeName} is ${Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}
Volume space alert 🔗
Trigger action 🔗
{
"alert_rule":"${N=Alerting;M=AlertName}",
"entity_display_name":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}",
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"state_message":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free"
}
Reset action 🔗
{
"alert_rule":"${N=Alerting;M=AlertName}",
"entity_display_name":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}",
"message_type":"RECOVERY",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"state_message":"${NodeName} ${SQL: SELECT REPLACE ('''${Caption}''','\',' ')} has ${VolumeSpaceAvailable} free"
}
Component-based alert 🔗
Trigger action 🔗
{
"message_type":"CRITICAL",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_display_name":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}
Reset action 🔗
{
"message_type":"RECOVERY",
"monitor_name":"SolarWinds",
"monitoring_tool":"SolarWinds",
"alert_rule":"${N=Alerting;M=AlertName}",
"state_message":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_display_name":"${NodeName} ${N=SwisEntity;M=ComponentAlert.ComponentName} is ${N=SwisEntity;M=Status;F=Status}",
"entity_id":"${N=Alerting;M=AlertObjectID}",
"host_name":"${NodeName}",
"ip_address":"${Node.IP_Address}"
}