icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Splunk Add-on For Zenoss
SHA256 checksum (splunk-add-on-for-zenoss_202.tgz) 4c51248872b5ab7fe3aca8127d4d12624d12ed086e27eeb4b01c62787255ca1a SHA256 checksum (splunk-add-on-for-zenoss_201.tgz) c96b94c26e28aee1f049c866e1a3c3c581964f276f1015523d13ed34967ee420 SHA256 checksum (splunk-add-on-for-zenoss_105.tgz) dc2e9b8b6eff6da88d5a96226ce291fc1b111f5bab7e331234fd1d3026ae1387 SHA256 checksum (splunk-add-on-for-zenoss_104.tgz) e0aff209da71269df67e88c25efc08a3955ca288a5bdee8345ff769fd21e0957 SHA256 checksum (splunk-add-on-for-zenoss_103.tgz) 42d60babfc655249e4c5ff4f979b9cab3cb372ae1b62f88cd6a418f37d5ad583 SHA256 checksum (splunk-add-on-for-zenoss_102.tgz) 558eb33e53c42cdbcf81ca768fc2cbc5b5a94533d52892610bfc5ab73e004945 SHA256 checksum (splunk-add-on-for-zenoss_101.tgz) edbb66167dee5ccce8c5a3dcb14ee529fce11a31cf1bc4619d8d1231c05a291f SHA256 checksum (splunk-add-on-for-zenoss_10.tgz) 2984ee7d28c64fb3ceda05890e9e177e086a89f55eecb0a17f7056fa6444e8c2
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Splunk Add-on For Zenoss

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Use the Splunk add-on for Zenoss to enhance operational visibility. Correlate Zenoss events with OS or application logs to gain deeper operational insights. Use the provided alert actions script to create events in Zenoss from Splunk alerts.

New in 2.0

The 2.0 release brings the Zenoss Event custom alert action and the credential management dashboard.


You must be in the admin role or have the admin_all_objects capability enabled to use the Credential Management dashboard and schedule the Zenoss Event custom alert action.

Zenoss Compatibility

This has been tested against and is known to be compatible with Zenoss 4.x and 5.x.

Configure Modular Input

Settings -> Data inputs -> Zenoss

Username: zenoss username
password: zenoss password
Zenoss Web Interface: Web interface to Zenoss server; e.g.http://zenoss-server:8080 or https://zenoss5.myhost.mydomain for Zenoss 5.x connections.
Device Name (Optional): Filter to only pull from a specific device. Defaults to all devices
Disable SSL Certificate Verification: Zenoss 5.x installs - check to disable SSL verification. WARNING This is a potentially dangerous option.
CA File: Optional: Zenoss 5.x installs - specify certificate authority file in PEM format for certificates signed by untrusted root authority
Timezone (Optional): Timezone of Zenoss server - see http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Archive Threshold: Zenoss 'Event Archive Threshold (minutes)' setting. Interval to read archive table. Leave blank for Zenoss default of 4320.
Event Checkpoint Removal: Zenoss 'Delete Archived Events Older Than (days)' setting. Used to keep checkpoint file clean. Leave blank for Zenoss default of 90.
Start Date (Optional): Specify a starting date to pull events from or leave blank for ALL events. Ex: 2015-03-16T00:00:00
Index Closed Events (Optional): Index eventState "Closed"
Index Cleared Events (Optional): Index eventState "Cleared"
Index Archived Events (Optional): Index events form the Archive table
Index Suppressed Events (Optional): Index eventState "Suppressed"
Index Repeat Events (Optional): Index repeat events. Index an event every time the count increments for an evid. This will result in the same event getting indexed with a new latestTime timestamp. This is useful for fine grained analytics on events. This setting could lead to an increase in indexing volume depending on your environment.
Sourcetype: Set to Manual and leave blank to set to 'zenoss-events'

More Settings

Interval: Defaults to 60 seconds
Host: specify zenoss hostname
Index: specify zenoss index

Credential Management

Use the Credential Management dashboard to securely store credentials for your Zenoss server instances. The dashboard is a CRUD interface to the storage/passwords REST endpoint. You can create, update, delete and reveal the password for any credentials stored. Right click on any row to reveal a context menu for the update and delete actions. You can also leverage the realm field to describe a connection; e.g. - prod or dev.

Configuring Zenoss Event Custom Alert Action

1) Create credentials for your Zenoss instance using the Credential Management dashboard. Credentials will be securely stored in the storage/passwords REST endpoint and accessed by the Zenoss Event custom alert action. Please re-read the Requirements section before moving on.

2) Create a saved search that meets your criteria for creating an event. The alert script requires field/table output with the following names (case sensitive):

device OR host (REQUIRED) - device/host name
severity (REQUIRED) - severity of alert - "Critical" OR "Error" OR "Warning" OR "Info" OR "Debug" OR "Clear"
summary (REQUIRED) - Plain text summary of the event
component (OPTIONAL) - Component name
evclass (OPTIONAL) - Event class name
evclasskey (OPTIONAL) - Event class key

example search

index=oidemo sourcetype=access_combined | stats count(eval(status="404")) as web_error by host | eval severity=case(web_error > 100 AND web_error < 500, "Warning", web_error > 500 AND web_error < 1000, "Error", web_error > 1000, "Critical") | eval summary="Web 404 Error - greater than 1000 errors" | eval evclass="/Status/Web" | table host, severity, summary, evclass

3) Save the search as an Alert and schedule it to run per your desired frequency. Set to trigger for each result. Under Add Actions select Zenoss Event. Fill in the required fields. Reference the credential account and optionally the realm to authenticate with your Zenoss instance. An event for each row in the table will be generated in Zenoss when the alert is triggered.


View the custom alert aciton log located at $SPLUNK_HOME/var/log/splunk/zenoss_event_modalert.log to troubleshoot issues with the Zenoss Event custom alert action.

Data Model

The app ships with a Data Model that comes unaccelerated out of the box. To acclerate the data model go to 'Settings -> Data models'. Under 'Actions' for the Events data model, select 'Edit -> Edit Acceleration' and select the summary range that fits your needs.

CIM Compliant

This app is CIM compliant and maps to the Alerts data model.

Release Notes

Version 2.0.2
Feb. 23, 2018

* Added README.md

Version 2.0.1
Feb. 23, 2018

* New custom alert action Zenoss Event replaces old alert action script
* New Credential Management dashboard CRUD interface to storage/passwords REST endpoint for storing credentials used by custom alert action

Version 1.0.5
May 26, 2017

* Added support for Zenoss 5.x

Version 1.0.4
April 11, 2017

* Updated with missing password update script
* Removed default indexes.conf per modular input development best practices

Version 1.0.3
Aug. 27, 2015

Re-factored collection mechanism to page through and process 1000 events at a time. Zenoss JSON API only returns 1000 events even if limit > 1000 is given in API call.

Version 1.0.2
Aug. 6, 2015

Added check_for_updates = 1 in app.conf

Version 1.0.1
Aug. 5, 2015

* Modified to use Splunk Python SDK modular input support
* renamed CIM lookup from severity.csv to zenoss-severity.csv due to conflict with apps that bundle severity.csv

Version 1.0
June 15, 2015

* The modular input to collect data is Platform Independent.
* The alert action script to create events in Zenoss currently works in Linux. I will release an updated version that is compatible with Windows in the near future.


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.