Wildcard on Event Rule source field?

Go to solution
Henrik Jutterst
Tera Guru

‎06-19-2023 11:59 PM

We have Event Management installed and get events from multiple sources like

  • SCOM
  • SolarWinds
  • Splunk
  • etc..

Splunk recently became a clustered environment and the that resulted in that we have multiple sources for Splunk where it includes the hostname.

 

The old Event Ruels that I had was based on the old hostname, but now since we can recieve events from more then one Splunk host/source, I don't know if there's a good way to handle this. I assume there is, but I don't know of it yet.

 

The solution I went for as a quick fix was to remove the source in Event Rule, so no matter what host name, the Splunk Rules will trigger - But this will impact Event Rules from other sources.

 

How can this be solved?

 

Wildcard does not work

HenrikJutterst_0-1687244374494.png

 

Labels:
0 Helpfuls
  • 690 Views
1 ACCEPTED SOLUTION

Go to solution
Henrik Jutterst
Tera Guru

‎07-03-2023 06:03 AM

It seemed like we used an old version and fixed in 7.3.0 of the "Splunk Add-on for ServiceNow".

 

After the 7.3.0 version they fixed the source field:


"New features
Version 7.3.0 of the Splunk Add-on for ServiceNow includes the following new features:

 

 

  • Updated the default value of the Source and Source instance column for the ServiceNow Event Integration.
    Before the Source column used Splunk-<hostname_of_splunk_machine> as a value and the Source instance column used Splunk as a value.
    Now the Source column uses Splunk-TA as a value and the Source instance column uses Splunk-<hostname_of_splunk_machine> as a value."

 

 

Release history for the Splunk Add-on for ServiceNow 

View solution in original post

0 Helpfuls
5 REPLIES 5

Go to solution
Henrik Jutterst
Tera Guru

‎07-03-2023 06:03 AM

It seemed like we used an old version and fixed in 7.3.0 of the "Splunk Add-on for ServiceNow".

 

After the 7.3.0 version they fixed the source field:


"New features
Version 7.3.0 of the Splunk Add-on for ServiceNow includes the following new features:

 

 

  • Updated the default value of the Source and Source instance column for the ServiceNow Event Integration.
    Before the Source column used Splunk-<hostname_of_splunk_machine> as a value and the Source instance column used Splunk as a value.
    Now the Source column uses Splunk-TA as a value and the Source instance column uses Splunk-<hostname_of_splunk_machine> as a value."

 

 

Release history for the Splunk Add-on for ServiceNow 

0 Helpfuls