SHA256 checksum (cisco-thousandeyes-alerting-app-for-splunk_101.tgz) 80a7eea70ce1123e4b08f16f4f78e6226362b74f753259ce94c379a7512a8583
Cisco ThousandEyes Alerting App for Splunk

This app is NOT supported by Splunk. Please read about what that means for you here.
The Cisco ThousandEyes Alerting App for Splunk has been developed in conjunction with Cisco by ECS and is part of the Cisco Service Assurance suite.

The app indexes and processes ThousandEyes global alerts that the cloud-based ThousandEyes console sends to Splunk through the Splunk HTTP Event Collector (HEC).

The app also indexes and processes SNMP trap data. If SNMP trap data is to be included, then an on-premises SNMP trap receiver will have to be configured with a Splunk Universal Forwarder installed and configured to send the data to Splunk.

Using the Splunk Add-on for ServiceNow, you can automatically forward the correlated ThousandEyes alerts and SNMP traps to a ServiceNow incident.

The Cisco ThousandEyes Alerting App for Splunk includes dashboards and logic for correlating ThousandEyes alerts and SNMP traps and identifying the root cause. The correlated alerts and root cause information can be used to automatically populate ServiceNow incidents.

The Cisco ThousandEyes Alerting App for Splunk contains four lookup files that are customer specific. These lookup files allow you to group alerts together and apply different weighting to each ThousandEyes test rule in order to identify the root cause of the issue that has triggered the alerts. SNMP traps can also be grouped together and weighting applied to identify the root cause of the issue based on the SNMP trap. Using the same group name for ThousandEyes alerts and SNMP traps allows them to be correlated, and the root cause is then determined by both the ThousandEyes alerts and the SNMP traps (based on weighting).

The app also supports creating ServiceNow incidents and populating them with correlated alerts and SNMP traps, as well as the root cause (that is determined by the entries made to the lookup files). If ServiceNow integration is required, then the Splunk Add-on for ServiceNow must also be installed and configured.

Post-installation documentation and guidelines on configuring the lookup files to define the groupings for ThousandEyes alerts and SNMP traps are available from the author.

Contact the author: splunkapp@ecs.co.uk

Topology and Setting up Splunk Environment

1) Install the main app (Cisco ThousandEyes Alerting App for Splunk).

2) Create the following indexes:
thousandeyes
thousandeyes_alert_status
thousandeyes_alertid_lookup
thousandeyes_incident_values_lookup
snmptrap
snmptrap_status

3) Configure an HTTP Event Collector (HEC) token on your Forwarder:
index: thousandeyes
sourcetype: thousandeyes:alerts

4) Configure the ThousandEyes console to send the ThousandEyes alerts to your Forwarder using the HEC token you created in Step 3. Verify that alerts are being received using the search: index=thousandeyes sourcetype=thousandeyes:alerts

5) Optional: Configure an SNMP trap receiver with a Splunk Universal Forwarder and forward the SNMP traps. Verify that the SNMP traps are being received using the search: index=snmptrap sourcetype=snmptrap

6) Optional: Install the Splunk Add-on for ServiceNow
Configure a ServiceNow user in Splunk called thousandeyes
Enable the incidents input (frequency: 30 seconds)

7) Configure the lookup files to map the ThousandEyes testIds to user-defined test groups and to apply weighting and root cause information to ThousandEyes ruleIds.

8) Optional: Configure the SNMP trap lookup files to map source/destination IP addresses to test groups and to apply weighting and root cause information.

More details are available in the post-installation configuration documentation and test configuration guidelines available from the author.
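
As an added illustration of steps 2 and 3 (not taken from the app or its documentation), the fragments below show how the six indexes and the HEC token could be defined directly in Splunk configuration files. The stanza name `thousandeyes_alerts`, the token value and the storage paths are assumptions; restricting the token with `indexes` to the single `thousandeyes` index limits where a leaked token can write.

```ini
# ---- indexes.conf (where the data is indexed; paths follow the usual $SPLUNK_DB layout, an assumption) ----
[thousandeyes]
homePath   = $SPLUNK_DB/thousandeyes/db
coldPath   = $SPLUNK_DB/thousandeyes/colddb
thawedPath = $SPLUNK_DB/thousandeyes/thaweddb

[thousandeyes_alert_status]
homePath   = $SPLUNK_DB/thousandeyes_alert_status/db
coldPath   = $SPLUNK_DB/thousandeyes_alert_status/colddb
thawedPath = $SPLUNK_DB/thousandeyes_alert_status/thaweddb

[thousandeyes_alertid_lookup]
homePath   = $SPLUNK_DB/thousandeyes_alertid_lookup/db
coldPath   = $SPLUNK_DB/thousandeyes_alertid_lookup/colddb
thawedPath = $SPLUNK_DB/thousandeyes_alertid_lookup/thaweddb

[thousandeyes_incident_values_lookup]
homePath   = $SPLUNK_DB/thousandeyes_incident_values_lookup/db
coldPath   = $SPLUNK_DB/thousandeyes_incident_values_lookup/colddb
thawedPath = $SPLUNK_DB/thousandeyes_incident_values_lookup/thaweddb

[snmptrap]
homePath   = $SPLUNK_DB/snmptrap/db
coldPath   = $SPLUNK_DB/snmptrap/colddb
thawedPath = $SPLUNK_DB/snmptrap/thaweddb

[snmptrap_status]
homePath   = $SPLUNK_DB/snmptrap_status/db
coldPath   = $SPLUNK_DB/snmptrap_status/colddb
thawedPath = $SPLUNK_DB/snmptrap_status/thaweddb

# ---- inputs.conf (on the forwarder that receives the ThousandEyes alerts) ----
[http]
# Enable the HTTP Event Collector and keep TLS on for the listener.
disabled  = 0
enableSSL = 1

# Stanza name is hypothetical; the token below is a placeholder, not a real value.
[http://thousandeyes_alerts]
disabled   = 0
token      = 00000000-0000-0000-0000-000000000000
index      = thousandeyes
# Allow-list: events sent with this token may only target the thousandeyes index.
indexes    = thousandeyes
sourcetype = thousandeyes:alerts
```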

Installation of Add-on
This add-on can be installed through the UI using "Manage Apps", or by extracting the zip file directly into the /opt/splunk/etc/apps/ folder.

Release Notes

Version 1.0.1
Sept. 10, 2021