Splunk versions:
Splunk 4.0 and higher
Platforms:
Windows Vista, Windows 7 and Windows Server 2008 with PowerShell 1.0 installed
SCOM versions:
Tested on SCOM 2007 R2 and later. The add-on has no known dependencies on R2-only features, so it should also work with pre-R2 SCOM 2007. The legacy MOM environment is not supported.
We recommend that the add-on be installed on the SCOM root server.
PowerShell 1.0 must be installed and the SCOM PowerShell snap-in must be registered. Registration happens automatically when the SCOM Operations Console is installed.
NOTE: By default PowerShell has a security policy enabled (the execution policy, which is Restricted out of the box) that prevents scripts from running from the command line. To overcome this, the add-on changes the execution policy to the less restrictive RemoteSigned mode each time the PowerShell script is called. See http://ss64.com/ps/set-executionpolicy.html for more information. Be aware that Set-ExecutionPolicy with no scope writes the machine-wide policy: it needs administrative rights, and the relaxed policy persists after the script exits, so it also applies to any other unsigned local script on that host. Signing scom_client.ps1 and running with the AllSigned policy is the stricter alternative if your change-control process allows it.
This add-on is community supported. This means that there's no formal support from Splunk available for this add-on, but free support is available on Splunk Answers, and questions, bug reports, and feature requests will be addressed on a best-effort basis by the add-on's author or other community members.
The add-on is distributed in .tar.gz format, so you'll need a tool like 7Zip to decompress it. Place the extracted scom folder into %PROGRAMFILES%\Splunk\etc\apps and restart Splunk (using the splunk restart command or the GUI).
The add-on provides a setup page to configure SCOM-specific settings like the SCOM hostname, polling interval, and inputs. This info is written to bin\scom_client.xml; the PowerShell scripted input reads its configuration from this file each time it starts up.
You can select whether to enable or disable forwarding for all events and/or alerts from the SCOM database. If the checkbox is selected, the script will request all events/alerts starting with the very first event/alert and forward those to Splunk. When the script reaches the most recent event/alert, it switches to polling mode; in polling mode, the script waits for new events/alerts and forwards them as soon as they become available. No event/alert filtering is available through the setup screen: you either get all events/alerts or none.
Our tests showed a throughput of about 3,000 events/min on a 3 GHz Xeon with 4 GB of RAM running Windows Server 2008, with full SCOM and Splunk installed on the same machine. The PowerShell client process consumed around 3 GB of RAM (most of the memory on that host) while 800,000 events were being forwarded; the average CPU usage was 25%.
As mentioned above, we recommend that the add-on be executed on the same box as the SCOM root server. If you do need to run it remotely:
Mapping of SCOM field names to Splunk field names is hardcoded in the scom_client.ps1 script, but can be easily modified as needed in that script.
Below is the full field mapping for alerts:
SCOM                            Splunk
------------------------------  --------------------
TimeRaised                      _time
MonitoringObjectDisplayName     ComputerName
Severity                        Severity
Priority                        Priority
Category                        Category
ResolutionState                 ResolutionState
Id                              Id
ProblemId                       ProblemId
Owner                           Owner
LastModifiedBy                  LastModifiedBy
Description                     Message
Events also have their fields mapped:
SCOM                            Splunk
------------------------------  --------------------
TimeGenerated                   _time
Channel                         LogName
PublisherName                   SourceName
Number                          EventCode
CategoryId                      EventType
LevelId                         Type
MonitoringObjectDisplayName     ComputerName
User                            User
CategoryId                      TaskCategory
Id                              Id
Description                     Message
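The following is an added example, not code from the add-on's scom_client.ps1. It applies the alert and event mappings in the two tables above to objects shaped like what the SCOM snap-in's Get-Alert and Get-Event return, renders them as key="value" lines a scripted input could emit, and shows the backfill-then-poll behaviour described in the setup section using a TimeRaised watermark. The function names ConvertTo-SplunkLine and Get-NewAlerts, the sample records and the timestamp format are assumptions of this example; it uses PowerShell 3.0+ syntax ([pscustomobject]) for the constructed sample objects, so it will not run unchanged on the PowerShell 1.0 baseline the add-on targets.

```powershell
# Added example (not the add-on's own code). Field maps are lists of pairs rather than a
# hashtable because the events table feeds CategoryId into two Splunk fields.
# Assumes PowerShell 3.0+; all sample records below are constructed, not real SCOM data.

$AlertMap = @(
    @('TimeRaised',                  '_time'),
    @('MonitoringObjectDisplayName', 'ComputerName'),
    @('Severity',                    'Severity'),
    @('Priority',                    'Priority'),
    @('Category',                    'Category'),
    @('ResolutionState',             'ResolutionState'),
    @('Id',                          'Id'),
    @('ProblemId',                   'ProblemId'),
    @('Owner',                       'Owner'),
    @('LastModifiedBy',              'LastModifiedBy'),
    @('Description',                 'Message')
)
$EventMap = @(
    @('TimeGenerated',               '_time'),
    @('Channel',                     'LogName'),
    @('PublisherName',               'SourceName'),
    @('Number',                      'EventCode'),
    @('CategoryId',                  'EventType'),
    @('LevelId',                     'Type'),
    @('MonitoringObjectDisplayName', 'ComputerName'),
    @('User',                        'User'),
    @('CategoryId',                  'TaskCategory'),
    @('Id',                          'Id'),
    @('Description',                 'Message')
)

function ConvertTo-SplunkLine {
    # Render one SCOM object as a single key="value" line using the given SCOM->Splunk map.
    param(
        [Parameter(Mandatory = $true)] $InputObject,
        [Parameter(Mandatory = $true)] [object[]] $Map
    )
    $parts = foreach ($pair in $Map) {
        $scomName, $splunkName = $pair
        $value = $InputObject.$scomName
        if ($splunkName -eq '_time') {
            # Normalise to UTC ISO 8601 so Splunk's timestamp extraction is unambiguous
            $value = ([datetime]$value).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
        }
        # Escape embedded quotes and fold newlines so a multi-line Description stays one field
        $text = ([string]$value) -replace '"', '\"' -replace '\r?\n', ' '
        '{0}="{1}"' -f $splunkName, $text
    }
    $parts -join ' '
}

function Get-NewAlerts {
    # Everything raised after the watermark, oldest first. With the default watermark this
    # replays the whole history (backfill); once caught up, the caller advances the watermark
    # and repeated calls return only newly raised alerts (polling mode).
    param(
        [Parameter(Mandatory = $true)] [object[]] $AllAlerts,
        [datetime] $Watermark = [datetime]::MinValue
    )
    $AllAlerts | Where-Object { $_.TimeRaised -gt $Watermark } | Sort-Object TimeRaised
}

# Constructed sample data standing in for Get-Alert / Get-Event output (deliberately out of order)
$sampleAlerts = @(
    [pscustomobject]@{ TimeRaised = [datetime]'2024-01-05T10:02:00Z'; MonitoringObjectDisplayName = 'srv02.corp.example'
                       Severity = 'Warning'; Priority = 'Normal'; Category = 'PerformanceHealth'; ResolutionState = 0
                       Id = '0f5c6b0e-0000-4000-8000-000000000002'; ProblemId = '0f5c6b0e-0000-4000-8000-0000000000a2'
                       Owner = ''; LastModifiedBy = 'System'; Description = 'Disk C: free space below 10%' },
    [pscustomobject]@{ TimeRaised = [datetime]'2024-01-05T10:00:00Z'; MonitoringObjectDisplayName = 'srv01.corp.example'
                       Severity = 'Error'; Priority = 'High'; Category = 'Availability'; ResolutionState = 0
                       Id = '0f5c6b0e-0000-4000-8000-000000000001'; ProblemId = '0f5c6b0e-0000-4000-8000-0000000000a1'
                       Owner = ''; LastModifiedBy = 'System'; Description = "Health Service Heartbeat Failure`r`nAgent did not respond" }
)
$sampleEvent = [pscustomobject]@{
    TimeGenerated = [datetime]'2024-01-05T10:01:30Z'; Channel = 'Security'; PublisherName = 'Microsoft-Windows-Security-Auditing'
    Number = 4625; CategoryId = 12544; LevelId = 0; MonitoringObjectDisplayName = 'srv01.corp.example'
    User = 'N/A'; Id = '0f5c6b0e-0000-4000-8000-0000000000e1'; Description = 'An account failed to log on.'
}

# First pass: watermark at MinValue, so both alerts are replayed in TimeRaised order (backfill)
$watermark = [datetime]::MinValue
$batch = @(Get-NewAlerts -AllAlerts $sampleAlerts -Watermark $watermark)
foreach ($alert in $batch) { ConvertTo-SplunkLine -InputObject $alert -Map $AlertMap }
if ($batch.Count -gt 0) { $watermark = $batch[-1].TimeRaised }

# Second pass with the advanced watermark returns nothing: the client is now in polling mode
$pending = @(Get-NewAlerts -AllAlerts $sampleAlerts -Watermark $watermark)
"Pending after catch-up: $($pending.Count)"

# Same renderer, event mapping: CategoryId appears twice, as EventType and TaskCategory
ConvertTo-SplunkLine -InputObject $sampleEvent -Map $EventMap
```

One caveat the watermark logic makes visible: a strict "TimeRaised greater than the watermark" filter drops any alert that shares the exact TimeRaised of the last one forwarded, so a client that must not lose records should also remember the Ids already seen at the watermark timestamp and persist the watermark to disk (the add-on reads its own state from bin\scom_client.xml) so a restart resumes polling instead of replaying the full history.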