DX Infrastructure Manager


Integration with Splunk?

  • 1.  Integration with Splunk?

    Posted 06-07-2011 11:01 AM

    I have a prospect that uses Splunk for RCA - apparently it has the ability to search a lot of data (logs, databases, etc.) very quickly. Their preferred method of integration is via Syslog events. So, two questions:


    1. Has anyone integrated Nimsoft alarms into Splunk before?

    2. Is anyone aware of a method to generate a Syslog format event from a Nimsoft alarm?


    Thanks

    Ray



  • 2.  Re: Integration with Splunk?

    Posted 06-08-2011 07:35 PM

    Well, I've worked out a way to get alarms into syslog. I deployed a copy of nas to a Linux server and set up an auto-operator profile that invokes a Lua script that calls the logger command. I could have done it directly from the AO profile command option, but I wanted to have a bit more control over the syslog level constants.


    Still interested to know if anyone has done integration with Splunk.


    Ray


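The approach Ray describes in the post above (an AO profile handing the alarm to a script that emits a syslog line with a chosen severity) can be illustrated in code. The block below is an added example, not Ray's Lua script or anything from the Nimsoft/CA UIM product: it renders an alarm as an RFC 3164 syslog line with key=value fields that Splunk can extract, and sends it over UDP instead of shelling out to `logger`. The Nimsoft level numbers and names, the level-to-severity mapping, and the alarm field names (`level`, `hostname`, `source`, `nimid`, `message`) are assumptions chosen for the example. It also strips control characters from the alarm text, so that an alarm message containing a newline cannot be split by the receiver into extra, attacker-shaped log records.

```python
import re
import socket
from datetime import datetime

# Assumed Nimsoft/NAS alarm levels and an assumed mapping onto RFC 5424
# syslog severity numbers. Both tables are illustrative, not Nimsoft's own.
NIMSOFT_LEVEL_NAMES = {
    0: "clear", 1: "information", 2: "warning",
    3: "minor", 4: "major", 5: "critical",
}
NIMSOFT_LEVEL_TO_SYSLOG_SEVERITY = {
    0: 6,  # clear        -> informational
    1: 6,  # information  -> informational
    2: 4,  # warning      -> warning
    3: 3,  # minor        -> error
    4: 2,  # major        -> critical
    5: 1,  # critical     -> alert
}
LOCAL0 = 16  # syslog facility local0 (what "logger -p local0.<sev>" would use)

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize(text: str) -> str:
    """Collapse control characters (CR/LF included) to spaces so one alarm
    stays exactly one syslog record at the receiver."""
    return _CONTROL_CHARS.sub(" ", text).strip()


def syslog_priority(level: int, facility: int = LOCAL0) -> int:
    """PRI = facility * 8 + severity; unknown Nimsoft levels fall back to notice (5)."""
    severity = NIMSOFT_LEVEL_TO_SYSLOG_SEVERITY.get(level, 5)
    return facility * 8 + severity


def format_syslog(alarm: dict, timestamp: datetime, facility: int = LOCAL0) -> str:
    """Render one alarm as an RFC 3164 (BSD) syslog line:
    <PRI>Mmm dd hh:mm:ss host tag: key=value ..."""
    level = int(alarm.get("level", -1))
    pri = syslog_priority(level, facility)
    # RFC 3164 timestamp: day of month is space-padded to two characters
    ts = f"{timestamp.strftime('%b')} {timestamp.day:2d} {timestamp.strftime('%H:%M:%S')}"
    host_parts = sanitize(alarm.get("hostname", "")).split()
    host = host_parts[0] if host_parts else "unknown"
    fields = " ".join([
        f"level={level}",
        f"severity={NIMSOFT_LEVEL_NAMES.get(level, 'unknown')}",
        f"source={sanitize(alarm.get('source', ''))}",
        f"nimid={sanitize(alarm.get('nimid', ''))}",
        f"msg={sanitize(alarm.get('message', ''))}",
    ])
    return f"<{pri}>{ts} {host} nimsoft: {fields}"


def send_udp(line: str, host: str = "127.0.0.1", port: int = 514) -> int:
    """Ship one formatted line to a syslog/Splunk UDP listener; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


# Constructed sample alarm, not real Nimsoft output.
SAMPLE_ALARM = {
    "level": 5,
    "hostname": "web01",
    "source": "cdm",
    "nimid": "AB1234",
    "message": "Disk /var is 95% full",
}

if __name__ == "__main__":
    line = format_syslog(SAMPLE_ALARM, datetime(2011, 6, 8, 19, 35, 0))
    print(line)
    # send_udp(line, "SYSLOG_RECEIVER_PLACEHOLDER", 514)  # host is a placeholder
```

The key=value layout is a deliberate choice: Splunk's automatic field extraction picks up `severity=critical` or `source=cdm` without any props/transforms configuration, which is what makes the alarms searchable for RCA on the Splunk side.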

  • 3.  Re: Integration with Splunk?

    Posted 06-08-2011 07:39 PM

    Ray,


    I have not done integration with Splunk before, but I was curious if you considered using the sysloggtw probe to send the alarms into Splunk? That might not meet your needs in this particular case, but it might be a simpler out-of-the-box solution if it would do what you need.


    -Keith



  • 4.  Re: Integration with Splunk?

    Posted 06-08-2011 07:55 PM

    Unfortunately sysloggtw can only receive syslog events, generate a Nimsoft alarm (or queue message) and then forward those syslog events on to another syslog receiver - it can't send a syslog event from a Nimsoft alarm.


    Ray



  • 5.  Re: Integration with Splunk?

    Posted 06-08-2011 08:24 PM

    Actually it can generate syslog messages too. From the release note:


    The sysloggtw is also capable of receiving Nimsoft alarm messages from e.g. the NAS auto-operator that will be converted to a syslog message and passed onto remote syslog daemons.



  • 6.  Re: Integration with Splunk?

    Posted 06-08-2011 11:11 PM

    Thanks Keith.

    I've seen that, and it's also mentioned in the help file, but I can't find any way of actually configuring it to subscribe to alarm messages or how to code a rule in the NAS AO to send alarms to it.


    Has anyone done this configuration and can give me the secret?


    Thanks

    Ray



  • 7.  Re: Integration with Splunk?

    Posted 06-08-2011 11:54 PM

    I believe that sysloggtw will look for and attach to an attach queue called "SYSLOG-OUT", so you can publish to an arbitrary subject like 'myalarms' and create an attach queue named "SYSLOG-OUT" which subscribes to 'myalarms'.


    (All from memory which may be rusty.)




  • 8.  Re: Integration with Splunk?

    Posted 06-09-2011 12:15 AM

    Okay, you cannot quote me on this, but I think the sysloggtw probe will attach to a queue named SYSLOG-OUT on the hub if it exists. If it does not exist, I think the probe subscribes to messages with a subject of SYSLOG-OUT. Check the subscribers on the hub and see if you can see the sysloggtw probe subscribing. I am not sure if you have to enable something to make that happen or not.


    -Keith



  • 9.  Re: Integration with Splunk?

    Posted 06-09-2011 12:16 AM

    Paul is quicker on the trigger... :smileyhappy:



  • 10.  Re: Integration with Splunk?

    Posted 06-09-2011 11:05 AM

    In fact I can't give the prize to either of you.

    The queue has to be called sysloggtw and according to case 19662 (https://na4.salesforce.com/50060000004qsBo?srPos=11&srKp=500) the message subject has to be SYSLOG-OUT. So you were both close but no cigar :-)


    Thanks anyway for leading me in the right direction.


    Ray



  • 11.  Re: Integration with Splunk?

    Posted 02-20-2017 10:32 AM

    Hi Gentlemen,


    I was wondering if anyone ever found a solution to this, or happened to make the sysloggtw work and send alarms into Splunk? I am now considering the value of this and whether I can make this work.


    Thanks,

    Bob



  • 12.  Re: Integration with Splunk?

    Broadcom Employee
    Posted 02-23-2017 05:26 AM

    Hi Bob,


    To add a different perspective to this thread: are you aware of CA UIM Log Analytics?

    CA UIM Log Analytics - YouTube


    This new feature is made of some probes that can collect data from logs and forward alarms/events to other solutions:

    log_monitoring_service (Log Monitoring Service - Pre-Release - CA Unified Infrastructure Management Probes - CA Technolo… 


    It is a great feature, and it can add a lot of value for log analysis and integration with CA Agile Ops tools and 3rd-party solutions.


    Nestor