We have Event Management installed and get events from multiple sources like
- SCOM
- SolarWinds
- Splunk
- etc..
Splunk recently became a clustered environment and the that resulted in that we have multiple sources for Splunk where it includes the hostname.
The old Event Ruels that I had was based on the old hostname, but now since we can recieve events from more then one Splunk host/source, I don't know if there's a good way to handle this. I assume there is, but I don't know of it yet.
The solution I went for as a quick fix was to remove the source in Event Rule, so no matter what host name, the Splunk Rules will trigger - But this will impact Event Rules from other sources.
How can this be solved?
Wildcard does not work
Thanks for input.
Adding an insert rule on event table might be a solution. But I've read that adding business rules on em_event table is not recommended.
But I really appreciate the ideas here.
Please keep the ideas coming.
"Avoid writing business rules for event [em_event] tables, as they do not run in the current default REST URL that is used for event injection."
Sure thing!
When I define the source I need to specify where it's comming from and if we have 4 hosts that can send events, I don't want to create four copies of all Event Rules for Splunk in order to match if an event comes from Splunk.
However I think I found one way to solve this, and it was to create a condition on "Source instance" in the Event Filter step. This can be done since this is always "Splunk".
But still, I'd really like to know if there is any way to have like a wildcard source in the first Source step.
Kind regards
