The SignifAI Community Hub


Splunk

Integrating with Splunk

Integrating with Splunk Using a Web Collector

Splunk allows you to collect, analyze, and search machine data that is generated by your infrastructure logs.

Connect your Splunk log monitoring to SignifAI to be notified when saved searches and key-term reports fire, and to correlate those alerts and searches with your other metrics and incidents.

Supported Versions

SignifAI currently supports:

  • Splunk Light
  • Splunk Cloud
  • Splunk Enterprise version 6.3 and above.

Web Collector Installation

  1. In your Splunk console, start a search for the relevant events.
  2. Save your search as an alert.
  3. Configure your alert conditions and choose Webhook as the delivery method.
  4. Log in to the main SignifAI console and navigate to the Sensors tab.
  5. Select Splunk.
  6. Copy the SignifAI collector URL and paste it into the Webhook Endpoint field of the Splunk alert.

How to Enrich Splunk Search

SignifAI uses Splunk metadata to enrich the alert data. By using Splunk tokens you can pass along any search data, including search metadata and field values from the first row of the search results.

  1. To access search metadata, use the format $<fieldname>$. For example, $app$ gives the App context of the search.

  2. To access field values from the first result row that a search returns, use the format $result.<fieldname>$. For example, $result.host$ gives the host value and $result.sourcetype$ gives the source type.
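The substitution described in the two items above, as an added example that is neither SignifAI's nor Splunk's own code: a small Python function that expands $<fieldname>$ tokens from the search metadata and $result.<fieldname>$ tokens from the first result row. The metadata, the result row and the message template are constructed sample values; leaving an unresolvable token in place (rather than blanking it) is this example's own choice, not documented Splunk behaviour.

```python
import re

# A Splunk-style token is either $name$ (search metadata) or $result.name$ (first result row).
TOKEN_RE = re.compile(r"\$(result\.)?([A-Za-z_]\w*)\$")


def render_tokens(template, metadata, first_row):
    """Expand Splunk alert tokens in `template`.

    $name$        -> metadata[name]
    $result.name$ -> first_row[name]
    Tokens that name a missing field are left untouched (assumption made here
    so that a gap in the data stays visible in the delivered alert text).
    """

    def replace(match):
        from_result, name = match.group(1), match.group(2)
        source = first_row if from_result else metadata
        value = source.get(name)
        if value is None:
            return match.group(0)
        return str(value)

    return TOKEN_RE.sub(replace, template)


# Constructed sample data: search metadata and the first row of the results.
SEARCH_METADATA = {"app": "search", "name": "High error rate - checkout", "owner": "admin"}
FIRST_ROW = {"host": "web-03", "sourcetype": "nginx:access", "count": "147", "status": "502"}
TEMPLATE = ("[$app$] $name$: $result.count$ HTTP $result.status$ responses "
            "on $result.host$ ($result.sourcetype$)")


def rendered_sample():
    """Render the constructed template; used by the stand-alone run below."""
    return render_tokens(TEMPLATE, SEARCH_METADATA, FIRST_ROW)


if __name__ == "__main__":
    print(rendered_sample())
```

Fields you want to reference this way must be present in the search results, so add them to the Selected Fields of the saved search before relying on them in the alert message.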

You can use any of the Selected Fields of the Splunk search.
You can add any interesting field to the Selected Fields to make its value available as a variable; however, the following fields automatically provide hints to the SignifAI correlation engine, and we encourage you to use them:

  • "app": will be automatically parsed as APPLICATION_NAME
  • "application": will be automatically parsed as APPLICATION_NAME
  • "application_name": will be automatically parsed as APPLICATION_NAME
  • "cluster": will be automatically parsed as CLUSTER_NAME
  • "computer": will be automatically parsed as HOST_NAME
  • "dc": will be automatically parsed as DATACENTER_NAME
  • "datacenter": will be automatically parsed as DATACENTER_NAME
  • "host": will be automatically parsed as HOST_NAME
  • "host_name": will be automatically parsed as HOST_NAME
  • "hostname": will be automatically parsed as HOST_NAME
  • "transaction": will be automatically parsed as EVENT_ID
  • "transaction_id": will be automatically parsed as EVENT_ID
  • "user": will be automatically parsed as USER_NAME
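To make the hint mapping above concrete, here is an added Python example (not SignifAI's collector code) that takes a webhook body, pulls the first result row out of it and normalises the hint fields listed above into their SignifAI names. The payload shape (first result row under a top-level "result" object) and the precedence rule when several aliases of one hint are present (the first alias in the page's order wins) are assumptions of this example; the webhook body itself is a constructed sample.

```python
import json

# Hint fields from this page, grouped by the name SignifAI parses them into.
# Assumption: when several aliases appear in one row, the first one listed wins.
HINT_FIELDS = {
    "APPLICATION_NAME": ("app", "application", "application_name"),
    "CLUSTER_NAME": ("cluster",),
    "HOST_NAME": ("computer", "host", "host_name", "hostname"),
    "DATACENTER_NAME": ("dc", "datacenter"),
    "EVENT_ID": ("transaction", "transaction_id"),
    "USER_NAME": ("user",),
}
ALL_ALIASES = {alias for aliases in HINT_FIELDS.values() for alias in aliases}


def extract_hints(first_row):
    """Map alias fields of one result row to their SignifAI hint names.

    Empty and whitespace-only values are skipped so that a blank field in the
    search output does not mask a later alias that carries a real value.
    """
    hints = {}
    for canonical, aliases in HINT_FIELDS.items():
        for alias in aliases:
            value = first_row.get(alias)
            if value is None:
                continue
            text = str(value).strip()
            if text:
                hints[canonical] = text
                break
    return hints


def parse_webhook(body):
    """Parse a webhook body (assumed shape: first result row under "result").

    Returns (hints, extra): the normalised hint fields and every other field
    of the row, so nothing a user added to Selected Fields is silently lost.
    """
    payload = json.loads(body)
    row = payload.get("result")
    if not isinstance(row, dict):
        raise ValueError("webhook payload carries no 'result' row")
    hints = extract_hints(row)
    extra = {key: value for key, value in row.items() if key not in ALL_ALIASES}
    return hints, extra


# Constructed sample body in the assumed webhook shape.
SAMPLE_BODY = json.dumps({
    "search_name": "Failed backup jobs",
    "app": "search",
    "result": {
        "_time": "2024-01-01T02:15:00",
        "hostname": "db-01",
        "host": "   ",            # blank alias: skipped, so "hostname" is used
        "dc": "eu-west-1",
        "user": "svc_backup",
        "transaction_id": "job-4711",
        "count": "3",
    },
})


if __name__ == "__main__":
    hints, extra = parse_webhook(SAMPLE_BODY)
    print("hints:", hints)
    print("extra:", extra)
```

A receiver built this way also gives you a cheap sanity check during rollout: if `hints` comes back empty for an alert you expected to correlate, the saved search is not exposing the hint fields in its Selected Fields.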

If you wish to add any other hint, please contact us and we will be happy to add it in less than 24 hours.

Need help with the integration?

Contact us at: support@signifai.io and we will be happy to help.
