
Splunking VictorOps Data

These reports and dashboards can provide real-time visibility across multiple VictorOps instances and offer highly granular and customizable reporting.

In order to leverage this capability, data must be sent to Splunk using the instructions provided below.

Ingesting Data

VictorOps will send data to Splunk using an HTTP Endpoint Collector (HEC). Depending upon your deployment, a heavy forwarder may also be needed. To ensure communication from VictorOps to Splunk, VictorOps’ range of IP addresses should be whitelisted.

Creating the Webhooks

Four outgoing webhooks should be created, one for each event type. See below for each configuration. While the URL will be the same for each webhook, keep in mind that the URL will vary with different deployments of Splunk.

| Splunk Version | URL |
| --- | --- |
| On-Prem Instance | https://<host>:8088/services/collector |
| Self-Service Splunk Cloud Instance | https://input-<host>:8088/services/collector |
| All Other Splunk Cloud Instances | https://http-inputs-<host>:8088/services/collector |

The header will be the same for all webhooks and Splunk deployments. Be sure to replace <token> with the appropriate value for the HEC.

| Key | Value |
| --- | --- |
| Authorization | Splunk <token> |

The Content Type field should be set to application/json.

The body of each webhook will vary according to the event type. Be sure to replace <org_slug> with your org slug in all instances. The org slug is the organization ID found in the URL of VictorOps, e.g. https://portal.victorops.com/dash/<org_slug>/outgoing-webhooks.


Event Type: All Incidents

Body:

{
  "sourcetype": "_json",
  "event": {
    "slug": "<org_slug>",
    "link": "https://portal.victorops.com/client/<org_slug>/popoutIncident?incidentName=${{STATE.INCIDENT_NAME}}",
    "type": "incident",
    "alertService": "${{ALERT.service}}",
    "hostName": "${{ALERT.host_name}}",
    "service": "${{ALERT.service}}",
    "ENTITY_TYPE": "${{INCIDENT.ENTITY_TYPE}}",
    "SERVICESTATE": "${{ALERT.SERVICESTATE}}",
    "VO_ALERT_RCV_TIME": "${{ALERT.VO_ALERT_RCV_TIME}}",
    "alert_url": "${{ALERT.alert_url}}",
    "entity_display_name": "${{ALERT.entity_display_name}}",
    "entity_state": "${{ALERT.entity_state}}",
    "message_type": "${{ALERT.message_type}}",
    "monitor_name": "${{ALERT.monitor_name}}",
    "monitoring_tool": "${{ALERT.monitoring_tool}}",
    "routing_key": "${{ALERT.routing_key}}",
    "alert_timestamp": "${{ALERT.timestamp}}",
    "ACK_MSG": "${{STATE.ACK_MSG}}",
    "ACK_USER": "${{STATE.ACK_USER}}",
    "ACK_TIMESTAMP": "${{STATE.ACK_TIMESTAMP}}",
    "ALERT_COUNT": "${{STATE.ALERT_COUNT}}",
    "CURRENT_ALERT_PHASE": "${{STATE.CURRENT_ALERT_PHASE}}",
    "CURRENT_STATE": "${{STATE.CURRENT_STATE}}",
    "ENTITY_ID": "${{STATE.ENTITY_ID}}",
    "IncidentNum": "${{STATE.INCIDENT_NAME}}",
    "INCIDENT_TIMESTAMP": "${{STATE.INCIDENT_TIMESTAMP}}",
    "LAST_TIMESTAMP": "${{STATE.LAST_TIMESTAMP}}",
    "MONITOR_TYPE": "${{STATE.MONITOR_TYPE}}",
    "stateService": "${{STATE.SERVICE}}",
    "alert_uuid": "${{ALERT.VO_UUID}}"
  }
}

Event Type: Any-Paging

Body:

{
  "sourcetype": "_json",
  "event": {
    "slug": "<org_slug>",
    "type": "paging",
    "user": "${{PAGE.USER_ID}}",
    "started": "${{PAGE.STARTED}}",
    "page_id": "${{PAGE.ID}}",
    "attempt_num": "${{PAGE.ATTEMPT_NUMBER}}",
    "method_type": "${{PAGE.METHODS.0.TYPE}}",
    "method_label": "${{PAGE.METHODS.0.LABEL}}",
    "cancellation": "${{PAGE.CANCELLATION}}"
  }
}

Event Type: Any-On-Call

Body:

{
  "sourcetype": "_json",
  "event": {
    "slug": "<org_slug>",
    "type": "oncall",
    "user": "${{ONCALL.USER_ID}}",
    "state": "${{ONCALL.STATE}}",
    "team": "${{ONCALL.TEAM_NAME}}",
    "group": "${{ONCALL.GROUP_ID}}"
  }
}

Event Type: All-Chats

Body:

{
  "sourcetype": "_json",
  "event": {
    "slug": "<org_slug>",
    "type": "chat",
    "user": "${{CHAT.USER_ID}}",
    "text": "${{CHAT.TEXT}}",
    "is_robot": "${{CHAT.IS_ROBOT}}"
  }
}
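
A pre-flight check for the webhook setup described above, added here as an example and not part of the original article: it lints a body template (unreplaced <org_slug>, JSON that will not parse, missing fields) and builds, without sending, the request with the Authorization and Content Type values from this page. The function names are hypothetical, and the host splunk.example.com, the all-zero token and the slug example-org are constructed placeholders.

```python
import json
import re
import urllib.request

# VictorOps template variables look like ${{ALERT.service}} or ${{PAGE.METHODS.0.TYPE}}.
VARIABLE = re.compile(r"\$\{\{[A-Za-z0-9_.]+\}\}")

def lint_webhook_body(body):
    """Return a list of problems in a webhook body template (empty list = OK)."""
    problems = []
    if "<org_slug>" in body:
        problems.append("<org_slug> placeholder was not replaced")
    # Swap each variable for a constructed value, then parse what HEC would receive.
    rendered = VARIABLE.sub("sample", body)
    try:
        doc = json.loads(rendered)
    except json.JSONDecodeError as exc:
        problems.append(f"invalid JSON at line {exc.lineno}: {exc.msg}")
        return problems
    event = doc.get("event") if isinstance(doc, dict) else None
    if not isinstance(event, dict):
        problems.append('top-level "event" object is missing')
    # Every body on this page sets slug and type; flag a template that lost them.
    elif not {"slug", "type"} <= event.keys():
        problems.append('"event" must carry "slug" and "type"')
    return problems

def build_hec_request(url, token, body):
    """Build, without sending, the POST that the webhook will make to HEC."""
    if not url.startswith("https://"):
        raise ValueError("use https so the HEC token is not sent in clear text")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body.encode("utf-8"),
                                  headers=headers, method="POST")

# Constructed samples: a filled-in All-Chats body and a broken Any-On-Call body.
GOOD = '''{"sourcetype": "_json", "event": {"slug": "example-org", "type": "chat",
 "user": "${{CHAT.USER_ID}}", "text": "${{CHAT.TEXT}}", "is_robot": "${{CHAT.IS_ROBOT}}"}}'''
BAD = '''{"sourcetype": "_json", "event": {"slug": "<org_slug>", "type": "oncall",
 "group": "${{ONCALL.GROUP_ID}}",
 }}'''

if __name__ == "__main__":
    print(lint_webhook_body(GOOD))
    print(lint_webhook_body(BAD))
    req = build_hec_request("https://splunk.example.com:8088/services/collector",
                            "00000000-0000-0000-0000-000000000000", GOOD)
    print(req.get_method(), req.full_url, req.header_items())
```
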
Updated on February 5, 2020
