RT_Connect-README.txt
RT Connect
==========
RT Connect is a Splunk app that allows you to call the RT or RTIR REST API
with data from triggered Splunk alerts.
RT Configuration
================
RT Connect assumes the following RTIR configuration:
* RT Connect uses RT's REST2 API with tokens. These two features are available
as free extensions:
- RT::Extension::REST2 https://metacpan.org/pod/RT::Extension::REST2
- RT::Authen::Token https://metacpan.org/pod/RT::Authen::Token
* An RT user account with sufficient rights to create tickets and set custom
fields.
Once the extensions above are installed, create an RT user account that can
be used for the connection from Splunk. The user should have rights to
create tickets in the Incident Reports queue and set custom fields.
The user will also need the ModifySelf and ManageAuthTokens rights. These
can be granted to groups or users in Admin > Global > Group Rights on the
Staff tab.
While logged in as the new Splunk user, you can create a token at
Logged in as > Settings > Auth Tokens. Copy the new token for use when
setting up the Splunk integration.
* The RTIR REST interface must be accessible from the Splunk server.
Splunk Configuration
====================
This app has been tested on Splunk version 7.3.
* The core alert is run by a Perl program in rt_connect/bin/rt_connect.
By default this uses the system perl in /usr/bin/perl. After installation
you can update the #! line for a perl in a different location, if needed.
* The Perl program uses a module called "JSON" for JSON parsing. This is not a
core module, so you will need to install it either via your Linux packaging
system or manually.
* If your RT system is accessible through https, you also need to install the
IO::Socket::SSL module.
* Log into Splunk as an administrator and install the app from the tar file.
* Click the gear icon next to Apps or select Apps > Manage apps from the menu.
* Click on Install from file and locate the RT_Connect tar.gz file. Note that
Splunk may prompt you to restart after installing, so the app should be
installed at a time when Splunk can be restarted.
* When prompted, add connection details for your RTIR instance:
Server Base URL: https://<your.server>/REST/2.0/
API Token: The token you created above in RTIR.
* You can now create a new Splunk alert and select rt_connect as the action.
The details for the ticket to be created are available in the set-up screen
including the queue (by Id), Requestor, Subject, email content, and custom
fields. You can use Splunk variables for any of these fields.
Adding a custom field
=====================
In /opt/splunk/etc/apps/rt_connect:

1 - Add the field in the UI

    In default/data/ui/alerts/rt_connect.html, add a <div class="control-group">
    stanza by copying an existing one and changing the parameter name, id and
    default value. For example:

    <div class="control-group">
      <label class="control-label" for="rt_hostname">Hostname</label>
      <div class="controls">
        <input type="text" name="action.rt_connect.param.rt_hostname" id="rt_hostname" value="$result.hostname$">
        <span class="help-block">
          Default: the <tt>hostname</tt> field.
        </span>
      </div>
    </div>

    The id/parameter name is the custom field name, lower-cased and with spaces
    replaced by underscores, i.e. 'MAC Address' becomes 'mac_address'.

2 - Add the mapping between custom field name and RT id

    In bin/rt_connect, add a line '<CF Name>' => <id> to %cf_name_to_id.
    For example:

    'Hostname' => 23,
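The following Perl script is an added example, not code from rt_connect itself. It ties the two steps together: deriving the parameter id from a custom field name, looking the field up in %cf_name_to_id, and assembling the ticket body that would be sent to REST2. The "rt_" parameter prefix is taken from the HTML example above; the 'MAC Address' id, the alert values and the shape of the CustomFields object in the REST2 request are assumptions.

```perl
#!/usr/bin/perl
# Added example (not rt_connect's own code). Demonstrates the custom field
# conventions from the README: parameter id derived from the field name, and
# the %cf_name_to_id mapping used to address the field in the REST2 request.
use strict;
use warnings;
use JSON;   # non-core module, the same one rt_connect depends on

# Mapping as maintained in bin/rt_connect. 23 is the README's example id;
# the id for 'MAC Address' is an ASSUMED placeholder.
my %cf_name_to_id = (
    'Hostname'    => 23,
    'MAC Address' => 99,
);

# Custom field name -> parameter id: lower-cased, spaces become underscores.
sub param_id_for {
    my ($cf_name) = @_;
    (my $id = lc $cf_name) =~ s/ /_/g;
    return $id;
}

# Build the REST2 ticket body from the parameters a triggered alert supplies.
# ASSUMPTION: REST2 accepts a CustomFields object keyed by numeric field id.
sub build_ticket_body {
    my ($params) = @_;
    my %body = (
        Queue        => $params->{queue},       # queue by Id, as in the set-up screen
        Subject      => $params->{subject},
        Requestor    => $params->{requestor},
        CustomFields => {},
    );
    for my $cf_name (sort keys %cf_name_to_id) {
        my $param = 'rt_' . param_id_for($cf_name);   # e.g. rt_hostname, rt_mac_address
        next unless defined $params->{$param} && length $params->{$param};
        $body{CustomFields}{ $cf_name_to_id{$cf_name} } = $params->{$param};
    }
    return \%body;
}

# Constructed sample of the values Splunk would pass for one alert.
my %alert = (
    queue          => 1,
    subject        => 'Suspicious login from workstation',
    requestor      => 'soc@example.com',
    rt_hostname    => 'ws-0421',
    rt_mac_address => '',   # empty value: field is left out of the request
);

print JSON->new->canonical->pretty->encode(build_ticket_body(\%alert));
```

Running it prints the JSON body with CustomFields containing only "23": "ws-0421", which is a quick way to confirm a new mapping line before wiring the field into the Splunk alert.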
Repository
==========
The source code for this app is available at
https://github.com/bestpractical/splunk-rt-app