
Integrate with Splunk

This article highlights a new alerting feature that's natively available in Jira Service Management which is gradually rolling out to some Jira Service Management Cloud customers. It may not yet be visible or available on your site.


Splunk alerts can be used to monitor for and respond to specific events. Alerts use a saved search to look for events in real time or on a schedule. Alerts trigger when search results meet specific conditions. Alert actions can be used to respond when alerts trigger.

What does the integration offer?

Jira Service Management provides a two-way integration with Splunk. Splunk's Searching and Reporting app lets users search their data, create data models and pivots, save searches and pivots as reports, configure alerts, and create dashboards. Through the Jira Service Management Alerts app, you can forward Splunk alerts to Jira Service Management. With the Splunk integration, Jira Service Management acts as a dispatcher for these alerts: it determines the right people to notify based on on-call schedules, notifies them via email, text messages (SMS), phone calls, and iOS and Android push notifications, and escalates alerts until they are acknowledged or closed. Through JEC (Jira Edge Connector), you can forward Jira Service Management alerts to Splunk as events for additional indexing and search.

How does the integration work?

Jira Service Management has a Splunk-specific alert app that sends Splunk alerts to Jira Service Management, and a dedicated API for the Splunk integration. Splunk sends alerts through the Jira Service Management Alerts app to Jira Service Management, which then creates the corresponding alerts automatically.

If Create Splunk Events for Jira Service Management Alerts is enabled, alert-specific actions (Create Alert, Acknowledge Alert, and so on) are sent to Splunk as events through JEC.

Set up the integration

Splunk is a two-way integration. Setting it up involves the following steps:

  • Add a Splunk integration in Jira Service Management

  • Configure the integration in Splunk

Add a Splunk integration

If you're using the Free or Standard plan in Jira Service Management, you can only add this integration from your team’s operations page. To access the feature through Settings (gear icon) > Products (under JIRA SETTINGS) > OPERATIONS, you need to be on the Premium or Enterprise plan.

Adding an integration from your team’s operations page makes your team the owner of the integration. This means Jira Service Management only assigns the alerts received through this integration to your team.

To add a Splunk integration in Jira Service Management, complete the following steps:

  1. Go to your team’s operations page.

  2. On the left navigation panel, select Integrations and then Add integration.

  3. Run a search and select “Splunk”.

  4. On the next screen, enter a name for the integration.

  5. Optional: Select a team in Assignee team if you want a specific team to receive alerts from the integration.

  6. Select Continue.
    The integration is saved at this point.

  7. Expand the Steps to configure the integration section and copy both the API URL and API key.
    You will use these while configuring the integration in Splunk later.

  8. Select Turn on integration.
    The rules you create for the integration will work only if you turn on the integration.

Configure the integration in Splunk

To configure the integration in Splunk, complete the following steps:

1. In Splunk, install the Jira Service Management App from Splunkbase.

2. After installation, navigate to "Apps" and select Set Up to configure the Jira Service Management App.

3. Paste the API URL and key copied previously from Jira Service Management into JSM Base URL and API Key respectively.

If you are using Splunk Cloud and need to update the API key you set in this step, file a Splunk support case to uninstall the app. Read more about uninstalling the app.

4. Run a search in Splunk to create an Alert.

5. Select Save As and select "Alert" from the dropdown list.

6. Populate alert title and specify conditions.

7. Select the +Add Actions button to access the dropdown list and select "Jira Service Management".

8. Select Save.

Integration via JEC

Use JEC (Jira Edge Connector) and the Splunk script to update alerts on Splunk. This lets you deploy your own scripts, or modify the ones provided, and execute customized actions on Splunk. To use the Splunk integration package, complete the steps in the following sections.

Download and install the package

  1. Download the latest version of the Splunk package.

  2. Install the package

    1. For RedHat-based distributions

      Run the following command: rpm -i jsm-splunk-<your_version>.rpm

    2. For Debian-based distributions

      Run the following command: dpkg -i jsm-splunk-<your_version>.deb

    3. For Windows

      Unzip Jira Service Management integration zip file which contains JEC package into a directory (C:\jsm\jec is the preferred path). Read how to install JEC on Windows.

Read more about running JEC.

To execute actions in Splunk, JEC gets the configuration parameters from the configuration file. The configuration file can be found under /home/jsm/jec/conf/config.json and for Windows, at C:\jsm\jec\conf\config.json.

Configure the integration for JEC

To use the JEC utility for your Splunk integration, select Send via JEC in your integration settings. The Splunk configuration fields are optional if you select Send via JEC; you can configure them in your JEC config file instead.

Configure the integration for Splunk Cloud

If you are using Splunk Cloud, Jira Service Management can deliver events to your Splunk Cloud instance directly. DO NOT select Send Via JEC. Instead, enter your Splunk Cloud URL (including the port) and Splunk Token in the respective fields.

Configure in Splunk

  1. Log in to Splunk as an administrator.

  2. From the home page, select Add Data.

  3. From the bottom of the page, select Monitor.

  4. From the data input options, select HTTP Event Collector and give your new event collector a name.

  5. Complete the rest of the steps without modification unless you want to change them. In the final step, note the token value given by Splunk.

  6. To enable data input through HTTP, select Settings > Data Input from the top bar, then navigate to HTTP Event Collector. Afterwards, make sure All Tokens is set to enabled in the Global Settings menu.

    Now that the collector is configured, Splunk will create events whenever Jira Service Management performs alert-related actions.

Configure JEC

To be able to create events in Splunk, JEC gets the configuration parameters from integration settings.

The configuration parameters, their descriptions and their locations are:

  • Splunk URL
    Description: URL of your Splunk HTTP Event Collector server, including the port, for example http://<splunk_server>:<port>
    Location: /home/jsm/jec/conf/config.json

  • Splunk Token
    Description: Token of your Splunk HTTP Event Collector data input
    Location: /home/jsm/jec/conf/config.json

  • Verify SSL
    Description: The request to your Splunk server might fail if SSL certificate verification fails. You can choose not to verify the SSL certificate; the default is false.
    Location: /home/jsm/jec/conf/config.json

Find out how to run JEC.

Sample payload sent from Splunk and dynamic properties in Jira Service Management

The result field of the payload below varies with the fields of the events that match the search. That's why Jira Service Management exposes the common fields of the result object as available fields; Raw, Index, Serial, Source Type and so on are examples of these common fields.

We also added Result Object to the available fields, to make it possible to extract custom fields from the result object.

For example, to put the date_month field of the result object into the alert, use {{result.date_month}}.

Create Alert payload

JSON

{
  "session_key": "r41vK7psTN9iIp1HQXqgNxTHPz2AW_Ee3ELbdYM4FBqiBbI7L6f82o6f6IENt6Q_Xdq2V4jBSkjkyIfXIm56xbbcFcpWlcJNB0ZUZaezsImsTQ2lGWH26yiZ8l854Or8SPETrWuVgTKVeC",
  "search_name": "fail",
  "results_link": "http://Tuba-MacBook-Pro.local:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__fail_at_1464802733_32.0%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now",
  "app": "search",
  "sid": "rt_scheduler__admin__search__fail_at_1464802733_32.0",
  "configuration": {
    "api_url": "http://4kmm916oxm9m.runscope.net"
  },
  "server_host": "Tuba-MacBook-Pro.local",
  "owner": "admin",
  "results_file": "/Applications/Splunk/var/run/splunk/dispatch/rt_scheduler__admin__search__fail_at_1464802733_32.0/per_result_alert/tmp_0.csv.gz",
  "server_uri": "https://127.0.0.1:8089",
  "result": {
    "date_month": "may",
    "index": "main",
    "_indextime": "1464802756",
    "date_minute": "15",
    "date_hour": "0",
    "splunk_server": "Tuba-MacBook-Pro.local",
    "date_mday": "11",
    "sourcetype": "secure",
    "source": "tutorialdata copy 2.zip:./www1/secure.log",
    "date_second": "2",
    "_serial": "0",
    "_sourcetype": "secure",
    "date_year": "2016",
    "eventtype": "",
    "_kv": "1",
    "timeendpos": "25",
    "timestartpos": "4",
    "linecount": "1",
    "date_zone": "local",
    "date_wday": "wednesday",
    "punct": "____::__[]:________...___",
    "_raw": "Thu May 11 2016 00:15:02 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2",
    "_eventtype_color": "",
    "_confstr": "source::tutorialdata copy 2.zip:./www1/secure.log|host::Tuba-MacBook-Pro.local|secure",
    "_time": "1462914902",
    "host": "Tuba-MacBook-Pro.local"
  }
}
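The following added example (not code from the Jira Service Management app or from Splunk) shows how dynamic properties such as {{result.date_month}} resolve against the Create Alert payload above. The dotted-path lookup, the empty-string handling of missing fields, and the message/alias/description mapping in build_alert_fields are assumptions made for illustration; the payload is a trimmed copy of the sample.

```python
import json
import re

# Constructed subset of the "Create Alert" payload shown above (values copied from the sample).
SPLUNK_PAYLOAD = json.loads("""
{
  "search_name": "fail",
  "sid": "rt_scheduler__admin__search__fail_at_1464802733_32.0",
  "result": {
    "date_month": "may",
    "index": "main",
    "sourcetype": "secure",
    "_serial": "0",
    "_raw": "Thu May 11 2016 00:15:02 www1 sshd[4747]: Failed password for invalid user jabber from 118.142.68.222 port 3187 ssh2"
  }
}
""")

# Matches dynamic properties such as {{result.date_month}} or {{search_name}}.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\s*\}\}")


def lookup(payload, dotted_path):
    """Walk a dotted path through nested dicts; return None if any segment is missing."""
    current = payload
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def render(template, payload):
    """Replace every {{path}} in the template; unknown paths render as empty strings (assumed)."""
    def substitute(match):
        value = lookup(payload, match.group(1))
        return "" if value is None else str(value)
    return PLACEHOLDER.sub(substitute, template)


def build_alert_fields(payload):
    """Assumed alert mapping: message from the raw event, alias from the search id and serial."""
    return {
        "message": render("Splunk [{{search_name}}]: {{result._raw}}", payload),
        "alias": render("{{sid}}-{{result._serial}}", payload),
        "description": render("Index {{result.index}}, sourcetype {{result.sourcetype}}, month {{result.date_month}}", payload),
    }
```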

Sample payload sent to Splunk

JSON

{
  "alertDetails": {},
  "customerDomain": "jiraservicemannagement",
  "alertId": "2ce35c31-a8e1-4be5-a781-110564a45e75-1568102450408",
  "url": "http://localhost:8088",
  "type": "Splunk",
  "alert": {
    "alertId": "2ce35c31-a8e1-4be5-a781-110564a45e75-1568102450408"
  },
  "source": null,
  "token": "4c40855d-a361-4a9b-984f-0ab46c91a35f",
  "params": {
    "alertDetails": {},
    "customerDomain": "jiraservicemannagement",
    "alertId": "2ce35c31-a8e1-4be5-a781-110564a45e75-1568102450408",
    "source": null,
    "url": "http://localhost:8088",
    "integrationName": "Splunk",
    "alert": {
      "alertId": "2ce35c31-a8e1-4be5-a781-110564a45e75-1568102450408"
    },
    "integrationId": "c345dce0-50e3-4498-9433-1fddd3f4f1fd",
    "token": "4c40855d-a361-4a9b-984f-0ab46c91a35f",
    "integrationType": "Splunk",
    "action": "Create",
    "mappedActionV2": {
      "extraField": "",
      "name": "createEvent"
    },
    "type": "Splunk",
    "customerId": "5035e5cd-4791-4995-9154-037027f8e0b6"
  },
  "action": "Create",
  "mappedActionV2": {
    "extraField": "",
    "name": "createEvent"
  },
  "integrationId": "c345dce0-50e3-4498-9433-1fddd3f4f1fd",
  "integrationType": "Splunk",
  "integrationName": "Splunk",
  "customerId": "5035e5cd-4791-4995-9154-037027f8e0b6"
}
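As an added example (not the JEC script shipped with the integration), the following shows how a JEC-side script could turn the payload above into a Splunk HTTP Event Collector event using the Configure JEC parameters (Splunk URL, Splunk Token, Verify SSL). The config.json key names, the "jsm:alert" sourcetype and the event field selection are assumptions; the HEC endpoint path and "Authorization: Splunk <token>" header are Splunk's documented HEC interface.

```python
import json
import ssl
import urllib.request

# Constructed JEC config. The page lists the settings (Splunk URL, Splunk Token, Verify SSL)
# but not the key names inside config.json; these key names are assumptions.
JEC_CONFIG = {"splunkUrl": "https://splunk.example.internal:8088",
              "splunkToken": "00000000-0000-0000-0000-000000000000",  # placeholder
              "verifySsl": True}

# Trimmed copy of the page's "Sample payload sent to Splunk".
JSM_PAYLOAD = {"alertId": "2ce35c31-a8e1-4be5-a781-110564a45e75-1568102450408",
               "url": "http://localhost:8088",
               "token": "4c40855d-a361-4a9b-984f-0ab46c91a35f",
               "action": "Create", "integrationName": "Splunk",
               "mappedActionV2": {"extraField": "", "name": "createEvent"}}

def resolve_target(config, payload):
    """Prefer the URL/token JSM carries in the payload (integration settings);
    fall back to config.json when they are absent, as with Send via JEC."""
    url = payload.get("url") or config["splunkUrl"]
    token = payload.get("token") or config["splunkToken"]
    return url.rstrip("/"), token

def build_hec_request(config, payload):
    """Map one JSM alert action onto a Splunk HEC /services/collector/event request."""
    base, token = resolve_target(config, payload)
    event = {"sourcetype": "jsm:alert",  # assumed sourcetype, not prescribed by the page
             "source": payload.get("integrationName", "Jira Service Management"),
             "event": {"action": payload["action"], "alertId": payload["alertId"],
                       "mappedAction": payload.get("mappedActionV2", {}).get("name")}}
    headers = {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
    return base + "/services/collector/event", headers, event

def make_ssl_context(verify_ssl):
    """Honour the Verify SSL setting. With verification off, anyone able to impersonate
    the Splunk server can capture the HEC token, so keep it enabled outside a lab."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def send_event(config, payload):
    """POST the event to HEC and return Splunk's JSON acknowledgement."""
    url, headers, event = build_hec_request(config, payload)
    req = urllib.request.Request(url, data=json.dumps(event).encode(), headers=headers, method="POST")
    ctx = make_ssl_context(config.get("verifySsl", True))
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())
```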
