What is Splunk?
Splunk is a big data tool that captures, stores and correlates data in real time, in a form that lets you search for specific pieces of that data. It also generates dashboards, other visual outputs, and alerts. Given the high volume of data that Splunk takes in, a critical part of the tool is its analysis capability and the ability to set up Splunk alerts, which help you monitor events in real time as they happen.
Integrating Splunk with ECM
Splunk alerts can be forwarded to ECM via webhooks provided by Splunk itself. By setting up a webhook, each time an alert fires, the ECM webhook action triggers, forwarding the Splunk alert data to ECM. Alerts can be sent to ECM via 3 endpoints:
- ECM Event REST API
- ECM Event SOAP API
- ActiveMQ + ECM ActiveMQ Connector
Setting up the ECM webhook involves replicating the default webhook app action provided by Splunk and creating a custom action. All Splunk apps typically reside in [SPLUNK directory]/etc/apps. The action’s script is then modified to include the customized event information with the mandatory event tokens required by ECM. The newly created action is then configured via the Splunk UI with the URL referencing the ECM API of your choice.
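The custom action script described above, as an added example that is not part of this page or of Splunk's or ECM's own code. It is written as a Splunk custom alert action: Splunk runs the script with `--execute` and passes the alert payload as JSON on standard input, where `result` holds the triggering search row and `configuration` holds the values entered in the action's UI form (the `url` key is assumed to be the form field that carries the ECM REST endpoint). The ECM field names (`source`, `eventType`, `severity`, `message`) are placeholders standing in for the mandatory event tokens your ECM documentation specifies; the sample payload is constructed for illustration.

```python
#!/usr/bin/env python
"""Custom Splunk alert action that forwards a fired alert to an ECM event REST endpoint."""
import json
import sys
import urllib.request

# Placeholder names for the mandatory ECM event tokens (assumption; substitute
# the tokens required by your ECM API).
REQUIRED_ECM_FIELDS = ("source", "eventType", "severity", "message")

# Constructed sample of the JSON Splunk hands to an alert action on stdin.
SAMPLE_PAYLOAD = {
    "search_name": "Failed logins above threshold",
    "sid": "scheduler__admin__search__RMD5_at_1700000000_12",
    "server_host": "idx01",
    "results_link": "https://splunk.example.internal/app/search/@go?sid=placeholder",
    "result": {"user": "alice", "src": "10.0.0.5", "count": "27"},
    "configuration": {
        "url": "https://ecm.example.internal/api/events",  # assumed form field
        "severity": "2",                                  # assumed form field
    },
}


def validate_url(url):
    """Only forward over TLS; a plain-HTTP endpoint would expose alert data in transit."""
    return isinstance(url, str) and url.startswith("https://")


def build_ecm_event(payload):
    """Map the Splunk alert payload onto an ECM event and enforce the mandatory fields."""
    result = payload.get("result") or {}
    config = payload.get("configuration") or {}
    event = {
        "source": "splunk:" + payload.get("server_host", "unknown"),
        "eventType": payload.get("search_name", "unnamed_alert"),
        "severity": config.get("severity", "3"),  # default severity is an assumption
        # Prefer an operator-supplied message; otherwise serialise the triggering row.
        "message": config.get("message") or (json.dumps(result, sort_keys=True) if result else ""),
        "resultsLink": payload.get("results_link", ""),
        "sid": payload.get("sid", ""),
        "fields": result,
    }
    missing = [name for name in REQUIRED_ECM_FIELDS if not event.get(name)]
    if missing:
        raise ValueError("missing mandatory ECM fields: " + ", ".join(missing))
    return event


def post_event(url, event, timeout=10):
    """POST the event as JSON to the ECM REST API; returns the HTTP status code."""
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def main():
    # Splunk invokes custom alert actions as: script --execute  (payload on stdin)
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL Unsupported execution mode (expected --execute)\n")
        return 1
    payload = json.load(sys.stdin)
    url = (payload.get("configuration") or {}).get("url")
    if not validate_url(url):
        sys.stderr.write("FATAL ECM URL missing or not https\n")
        return 2
    try:
        status = post_event(url, build_ecm_event(payload))
    except Exception as exc:  # surfaced in Splunk's alert action logs
        sys.stderr.write("ERROR Failed to forward alert to ECM: %s\n" % exc)
        return 3
    sys.stderr.write("INFO ECM accepted event, HTTP status %d\n" % status)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Messages written to stderr end up in Splunk's alert-action log, which is where you would look when an alert fires but nothing reaches ECM; the ValueError on missing mandatory fields fails the action loudly rather than sending ECM a half-formed event.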