You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
in our Opsgenie there is already a team that has a Splunk integration.
But I need to establish another connection from Splunk to Opsgenie for my team.
As far as I understand Splunk only supports 1 API key for Opsgenie.
So can I use some forwarding mechanism, something like a dispatcher?
For example "Only those Splunk alerts which starts with 'WEB' are to be forwarded to my team, as a fall-back all other ones are to be forwarded to the other team".
We had the same problem. We solved it using the API integration in Opsgenie and sending POST request from Splunk.
We are using HTTP Alert Action https://splunkbase.splunk.com/app/5022/ in Splunk to send the POST requests alerts to the API. This is an action that you can select on the alerts.
You need to specify the API key. You can configure as many API incoming integrations in Opsgenie as you want and assign them to a team (the owner team) and you will receive a different API key per integration. Unfortunately, the API key is passed as a header and it is in clear in the Splunk action.
Hope it helps. If you need more information about this we dig deeper on this solution.
Okay, I got no answer on this. Maybe I can paint another solution which leads to another question.
So we have 2 teams in Obsgenie, let's name them Team Frontend (FE) and Team Backend (BE).
Currently FE is receiving all Splunk alerts, and BE gets nothing. A second plugin especially for BE didn't work.
So maybe we can create a new team, like Team Splunk-Receivers (SR). SR get all Splunk alerts, FE and BE get nothing. We create at least 2 alerts within SR, one that filters all frontend stuff, and one that gets the backend ones. Each alert adds a tag (e.g. FE and BE) to the alerts.
Now we have Team SR with all Splunk alerts, that are filtered and tagged.
Is it possible to forward those tagged alerts to another team, FE and BE to be more detailed?