# Swimlane Splunk Addon

Swimlane's Adaptive Response Action can create Swimlane cases pre-populated with Splunk alert and notable event data.

## Configuration

You are able to send alert data to up to 3 separate Swimlane instances with each action. This is provided so you can conveniently push to production, staging, and development instances with one action. The global configuration is where you will define the connection info and credentials for your Swimlane instances.

1. In the top left corner of the Splunk interface, open the *app* dropdown menu and select the *Swimlane* app.
2. You will see the configuration page where you can define the host, username, and password for up to 3 Swimlane instances.

## Alert Configuration

1. Once you have created an alert, go to the alert page and click *Edit* next to the *Actions* field.
2. At the bottom of the window, select *Add Actions* -> *Push Alerts to Swimlane*, then fill out the fields appropriately. Setup instructions for `Custom Field Mappings` and `Automappings` are in the next section.

## Mapping configuration

For the initial setup, use `Automapping`.

1. In the Swimlane application, create a JSON field with the *field key* `splunkrawjson` and a multi-line text field with the *field key* `splunkfieldlist`. These two fields can be used to see the data being pushed to Swimlane.
2. Trigger the alert so that the action runs, then check Swimlane to make sure records were created in the desired application. If no records were created, check the logs (described in the **Logging** section below) to debug.
3. Open one of the records that was created in Swimlane. The fields in `splunkfieldlist` are the fields that are available for mapping. You can use `splunkrawjson` to see the value each field contains.
4. For each field that you want to push to Swimlane, either use `Automappings` or `Custom Field Mappings` as described below.

If you select to use `automapping`, Splunk fields will populate a Swimlane field with the same field key if it exists. This is the preferred method of mapping since you can still display the info however you want in Swimlane by setting the field display name. All Swimlane field types are supported, and Splunk fields containing lists will be properly translated into list type fields in Swimlane.

## Logging

To find logs in the Splunk search, use the following search string:

```
index=_internal OR index=cim_modactions OR index=* source="*push_alerts_to_swimlane_modalert.log"
```

To access the log file directly, it can be found at:

```
{Splunk root folder}/var/log/splunk/push_alerts_to_swimlane_modalert.log
```

If multiple executions happen concurrently, you can distinguish which log message belongs to which execution using the `pid` logged in each message.

General logs that Splunk generates can be found by going to *settings* -> *Alert actions*, then clicking on *View log events* for the *Push Events to Swimlane* action.
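The following is an added illustration of the automapping rule described above (same field key on both sides, list values landing in list-type fields, and the two diagnostic fields from the setup steps). It is a model written for this page, not the add-on's own code; the sample Splunk result, the Swimlane field schema and the use of Python lists for multi-value Splunk fields are all constructed assumptions.

```python
import json

# Constructed sample of one Splunk alert result as the action might receive it.
# Multi-value Splunk fields are represented as Python lists here; that is an
# assumption of this model, not the add-on's actual wire format.
SPLUNK_RESULT = {
    "src_ip": "203.0.113.7",
    "dest_ip": ["10.0.0.5", "10.0.0.9"],
    "severity": "high",
    "user": "jdoe",
}

# Constructed Swimlane application schema: field key -> field type.
# Only keys that also exist in the Splunk result get automapped.
SWIMLANE_FIELDS = {
    "src_ip": "text",
    "dest_ip": "list",
    "severity": "text",
    "splunkrawjson": "json",
    "splunkfieldlist": "multiline",
}


def automap(result, app_fields):
    """Model of automapping: a Splunk field populates the Swimlane field with
    the same field key, if one exists. Returns the record payload and the
    Splunk field names that had no matching Swimlane field."""
    record = {}
    unmapped = []
    for key, value in result.items():
        ftype = app_fields.get(key)
        if ftype is None:
            unmapped.append(key)
            continue
        if ftype == "list":
            # Lists go to list-type fields; a single value becomes a one-item list.
            record[key] = value if isinstance(value, list) else [value]
        elif isinstance(value, list):
            # Scalar target field: keep all values readable instead of dropping any.
            record[key] = ", ".join(value)
        else:
            record[key] = value
    # Diagnostic fields from the setup steps: raw event JSON and available field names.
    if "splunkrawjson" in app_fields:
        record["splunkrawjson"] = json.dumps(result, sort_keys=True)
    if "splunkfieldlist" in app_fields:
        record["splunkfieldlist"] = "\n".join(sorted(result))
    return record, unmapped
```

Fields reported in `unmapped` are the ones you would see in `splunkfieldlist` but not in the record, which is the cue to add a matching field key in Swimlane or a custom mapping.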