    Splunk app for Solarwinds


      I am currently learning Splunk and found that an app was recently released to display Solarwinds data inside Splunk. I have created a simple dashboard with some pretty generic stats.


      Has anyone else had a chance to use this app, and if so what have you done with it?


          Can it display the alerts and events?



              It has 3 data input options


              SolarWinds Query - Queries the SW database.


              SolarWinds Alerts - This seems to be events, not so much actual alerts. Still looking into it.


              SolarWinds Node Inventory - Gathers node info using the API.

              I am currently learning Splunk. I don't have admin access to Splunk to actually install the app, but I'm curious as to what you get out of it so I can push for it to be installed.

                Thanks for the post. It does look like it will bring in anything you want with the generic data input.



                Here is the description from splunkbase.


                "The Splunk Add-on for SolarWinds allows a Splunk software administrator to collect SolarWinds alerts and SolarWinds asset inventory (network devices and their various attributes). This add-on also includes a generic input that allows you to schedule any SolarWinds query and index the corresponding output in Splunk.

                You can then directly analyze the data or use it as a contextual data feed to correlate with other application performance-related data in the Splunk platform."


                With the SolarWinds add-on for Splunk, you have the ability to ingest the following SolarWinds data sources:

                1- SolarWinds alerts
                2- SolarWinds asset Inventory (network devices and their various attributes)
                3- SolarWinds queries, which is a generic data input that allows you to index the output of any SolarWinds select statement/query


                Deploy the spl file as a splunk app from Splunk Web using "Install App from File".


                • Using Splunk Web, go to the “SolarWinds Add-on for Splunk” app
                • Click on the “Configuration” tab
                • Enter the credentials under the “Account” tab. These are the credentials needed to authenticate to the SolarWinds API. The username/password used should have the minimum permissions needed to run the SolarWinds query via the REST API
                • Enter the SolarWinds server and port under “Add-on Settings”
                • Configure a proxy if you have a proxy between Splunk and SolarWinds

                Starting Data collection

                • Click on the “Input” tab from within the “SolarWinds Add-on for Splunk” app
                • Add a new input. You have 3 types:
                  • SolarWinds Alerts: This is an incremental poll that keeps track of the last alert indexed in a checkpoint file and queries the deltas for just the new alerts on the next poll iteration. To configure, select the account used for authentication. Set the initial start time. The format must follow "yyyy-MM-dd hh:mm:ss.%3f", for example “2017-01-16 10:15:01.54”.
                  • SolarWinds Node Inventory (network devices and their various attributes): This is a snapshot poll. This input allows you to take a snapshot of all assets at every poll. We recommend keeping the poll interval high: 12h (43200 seconds) or higher
                  • SolarWinds Query: This is a generic data input that allows you to index the output of any SolarWinds select statement/query. You can enter any SolarWinds select statement and index the output in Splunk. This is a snapshot poll as well, so we recommend keeping the poll interval high as well

                Release Notes


                Version 1.0.0
                June 9, 2017
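To make the "SolarWinds Alerts" input described above concrete, here is an added example (my own code, not the add-on's or SolarWinds') of what an incremental, checkpointed alert poll against the SolarWinds Information Service (SWIS) REST API looks like, with the two points a practitioner cares about: the start time / checkpoint is bound as a SWQL parameter rather than pasted into the query text, and the HTTP client verifies TLS with a CA bundle instead of turning verification off for Orion's self-signed certificate. It also handles the edge case a timestamp-only checkpoint gets wrong: an alert that lands with the same timestamp as the newest one already indexed. The SWIS endpoint path and default port 17778 are the real ones; the Orion.AlertActive field names are assumptions to check against your own SWIS schema, and the sample alert rows are constructed so the demo runs offline.

```python
"""Incremental SolarWinds alert poll with a checkpoint, the way the add-on's
"SolarWinds Alerts" input works: remember the newest alert already indexed,
fetch only newer ones on the next run, emit each alert as one JSON event.
The HTTP call is injectable, so run_demo() works offline on constructed data."""
import base64
import json
import os
import ssl
import tempfile
import urllib.request
from datetime import datetime

# SWIS REST endpoint (SolarWinds Information Service v3, JSON); 17778 is the
# default port. The add-on's "Add-on Settings" server/port map onto this URL.
SWIS_QUERY_PATH = "/SolarWinds/InformationService/v3/Json/Query"
CHECKPOINT_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # the add-on's "yyyy-MM-dd hh:mm:ss.%3f"

# Parameterised SWQL: @since is bound by SWIS, never spliced into the query
# text, so a checkpoint or user-supplied start time cannot become SWQL
# injection. Entity/field names are ASSUMED (Orion.AlertActive); verify them.
ALERT_QUERY = (
    "SELECT AlertActiveID, AlertObjectID, TriggeredDateTime, TriggeredMessage "
    "FROM Orion.AlertActive WHERE TriggeredDateTime >= @since "
    "ORDER BY TriggeredDateTime, AlertActiveID"
)


def make_swis_client(base_url, username, password, ca_bundle=None):
    """Return query_fn(query, params) that POSTs to SWIS over verified TLS.
    Orion ships a self-signed certificate: trust it via ca_bundle instead of
    disabling verification. Use a read-only SWIS account (least privilege, as
    the add-on setup notes advise) and keep the password out of source."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def run(query, params):
        body = json.dumps({"query": query, "parameters": params}).encode()
        req = urllib.request.Request(
            base_url + SWIS_QUERY_PATH, data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)["results"]
    return run


def parse_ts(value):
    """SWIS returns ISO 'T' timestamps; the checkpoint uses the add-on's space form."""
    value = value.replace("T", " ")
    return datetime.strptime(value if "." in value else value + ".0", CHECKPOINT_FORMAT)


def format_ts(dt):
    return dt.strftime(CHECKPOINT_FORMAT)[:-3]  # millisecond precision, like "%3f"


def load_checkpoint(path, initial_start):
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return {"since": initial_start, "seen": []}


def save_checkpoint(path, state):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)  # atomic rename: a crash mid-write cannot truncate it


def poll_alerts(query_fn, checkpoint_path, initial_start):
    """One poll iteration; returns the new alerts as JSON-line events.
    The checkpoint keeps the newest timestamp AND the alert IDs already seen at
    that timestamp. Querying with '>=' plus that ID set still picks up an alert
    that arrives later with the same timestamp, which a plain '>' would drop."""
    state = load_checkpoint(checkpoint_path, initial_start)
    since_dt, seen = parse_ts(state["since"]), set(state["seen"])
    newest_dt, newest_ids, events = since_dt, set(seen), []
    for row in query_fn(ALERT_QUERY, {"since": state["since"]}):
        ts, alert_id = parse_ts(row["TriggeredDateTime"]), row["AlertActiveID"]
        if ts < since_dt or (ts == since_dt and alert_id in seen):
            continue  # already indexed by an earlier poll
        events.append(json.dumps(row, sort_keys=True))
        if ts > newest_dt:
            newest_dt, newest_ids = ts, {alert_id}
        elif ts == newest_dt:
            newest_ids.add(alert_id)
    save_checkpoint(checkpoint_path,
                    {"since": format_ts(newest_dt), "seen": sorted(newest_ids)})
    return events


# Constructed sample rows standing in for Orion.AlertActive (not real data).
SAMPLE_ALERTS = [
    {"AlertActiveID": 101, "AlertObjectID": 7, "TriggeredDateTime": "2017-01-16T10:15:01.540", "TriggeredMessage": "Node core-sw1 is Down"},
    {"AlertActiveID": 102, "AlertObjectID": 12, "TriggeredDateTime": "2017-01-16T10:20:33.120", "TriggeredMessage": "Node dist-sw3 is Down"},
    {"AlertActiveID": 103, "AlertObjectID": 13, "TriggeredDateTime": "2017-01-16T10:20:33.120", "TriggeredMessage": "Node dist-sw4 is Down"},
    {"AlertActiveID": 104, "AlertObjectID": 8, "TriggeredDateTime": "2017-01-16T11:02:00.000", "TriggeredMessage": "Node edge-rtr1 is Down"},
]


def fake_swis(query, params):
    """Offline stand-in for make_swis_client(...): applies the @since filter."""
    since = parse_ts(params["since"])
    return [r for r in SAMPLE_ALERTS if parse_ts(r["TriggeredDateTime"]) >= since]


def run_demo():
    """Three polls on the sample data; returns the alert IDs each one produced."""
    ids = lambda events: [json.loads(e)["AlertActiveID"] for e in events]
    start = "2017-01-16 10:00:00.000"
    with tempfile.TemporaryDirectory() as tmp:
        cp = os.path.join(tmp, "alerts.checkpoint")
        first = ids(poll_alerts(fake_swis, cp, start))    # everything after start
        second = ids(poll_alerts(fake_swis, cp, start))   # nothing new
        SAMPLE_ALERTS.append({"AlertActiveID": 105, "AlertObjectID": 9,   # late alert,
                              "TriggeredDateTime": "2017-01-16T11:02:00.000",  # same ts as 104
                              "TriggeredMessage": "Node edge-rtr2 is Down"})
        third = ids(poll_alerts(fake_swis, cp, start))    # only 105, 104 not repeated
        SAMPLE_ALERTS.pop()
    return {"first": first, "second": second, "third": third}


if __name__ == "__main__":
    print(run_demo())
```

Against a real server you would swap `fake_swis` for `make_swis_client("https://orion.example:17778", user, password, ca_bundle="orion-ca.pem")` (hostname and bundle path are placeholders) and feed the returned JSON lines to Splunk; the checkpoint file is the thing to protect and back up, since losing it re-indexes from the initial start time and corrupting it silently skips alerts.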


                  I think the possibilities are pretty endless using the generic data input. I don't have it installed yet but plan on doing it on our lab system soon.

                    Just leaving DC after attending Splunk .Conf and I will admit I wore my Solarwinds shirts while attending.   A few Splunk people asked if I use the app and what we are doing with it and I told them my hopes of maybe using it for performance data but now that Splunk v7 has the ability to collect and display performance data I am not sure what I will use it for.

                        I would have liked to go to the conference but it was in DC..... yuck!  I still think I will eventually make use of the app for porting alerts over to Splunk

                            You don't like DC? I thought it was cool. I guess it was even better for those who brought family as they could go to museums and stuff during the conference. I live in a small northern WI town so anytime I get to a big city I like it.


                            Got to see what others were doing with Splunk and that was great. Hopefully, if the SWUGs turn out to be a big enough success, maybe one day SolarWinds will have a conference. I like Ignite and VMWorld, but those conferences sometimes have the feeling of a sales seminar.

                          I haven't even created a dashboard for it. I hope to soon. I am particularly interested in alerts and inventory. I just haven't had the time to do it.


                          I have searched SolarWinds and know that at least Splunk is getting data and indexing it. Maybe one day I'll be able to work on it.

                            This might be a way to do long term trending using splunk as a data warehouse... something I think Jfrazier has been asking for for a long time from SolarWinds.  Perhaps this is why SolarWinds made the new Log Manager module?

                              Cool dashboard for Splunk. I know my indexer ingests the data from SolarWinds, but I just never got around to creating a dashboard... too busy with my other jobs. If you could share it I would greatly appreciate it, to see how I can integrate it.



                                We ended up using Splunk as our single pane of glass and have it receiving messages from Orion, so essentially reversed roles with it. Orion was missing some key elements in the alert console, such as the ability to acknowledge a message and run an action such as an external program that created a trouble ticket.  (I wish Orion or Kiwi would have supported this)

                                I ended up skipping using the Splunk app altogether for this reason. We have a lot of third-party tools that tie into Splunk as our central message repository. Due to the different products following different upgrade paths and some products being outside of my team's immediate control, we decided to use generic messaging such as Syslog, SNMP trap, or Email to receive alert messages into Splunk. We found Email especially useful because some of our monitoring is done out in the cloud, outside of our network, and receiving email through our firewalls is way easier than poking a lot of holes in them to support other methods.

                                Our workflow for a message goes something like this

                                Orion - Node Down --> Splunk Console --> NOC Operator - person reviews, looks for change tickets or duplicates -->person clicks on button for a ticket -->Ticketing System