You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+18-10Lines changed: 18 additions & 10 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ This Splunk [Add-On](https://docs.splunk.com/Splexicon:Addon) begins to solve th
6
6
7
7
This Add-on is not supported by Cisco Systems or the Cisco Technical Assistance Center (TAC). It was developed by me, as a member of the community.
8
8
9
-
## Development Overview
9
+
## Development
10
10
11
11
I used the [Splunk Add-on Builder](https://splunkbase.splunk.com/app/2962/) to create this Add-on. This approach provides a solid framework to build a python-based [scripted input](https://docs.splunk.com/Splexicon:Scriptedinput).
12
12
@@ -38,7 +38,7 @@ Simply install the app and click on the Inputs tab. Click the 'Create New Input'
- Name : This name is the name of the input. It isn't used anywhere except the Add-on logs (see [Troubleshooting](#troubleshooting)) and can be a friendly name for the Intersight account.
44
44
- Interval : This interval (in seconds) controls how often the input will retrieve data from Intersight. I think `60` seconds is probably ideal, but anything between `30` seconds and `300` seconds is probably reasonable.
@@ -52,7 +52,7 @@ Simply install the app and click on the Inputs tab. Click the 'Create New Input'
52
52
- Enable Inventory : This multi-select enables the various inventory import options. All, some, or none of these items may be selected. [See below for more details](#the-data-from-intersight-in-splunk) on what is included in the various options.
53
53
- Inventory Interval : Inventory records don't need to be imported from Intersight at every interval in a typical environment. This value selects how many intervals should occur between imports of these items. A selection of `1` here will import them on every interval. Perhaps if the Interval above is `60` seconds, then an Inventory Interval here of `300` will cause inventory and advisories to be imported a few times a day on every 300th run of this input. This is a sensible way to reduce the repetitive input of data that doesn't change that often. I would suggest a configuration that imports inventory at least once every 24 hours.
54
54
55
-
## Proxy Configuration
55
+
## Proxy
56
56
57
57
An HTTP proxy server may be configured for the Add-on by clicking on Configuration at the top of the page. Basic authentication should work, but hasn't been tested. Username and Password must BOTH be populated to send Basic Authentication to the proxy server. If either field is empty, the Add-on will attempt to use the proxy server without authentication.
58
58
@@ -68,7 +68,7 @@ An HTTP proxy server may be configured for the Add-on by clicking on Configurati
68
68
69
69
These fields are assembled into a proxy URL such as `http://username:[email protected]:3128`.
70
70
71
-
## The data from Intersight in Splunk
71
+
## Data
72
72
73
73
Each API endpoint in Intersight becomes a different sourcetype in Splunk as shown below. Some of the Inventory types pull data from multiple API endpoints in Intersight to get a complete data set.
74
74
@@ -102,7 +102,7 @@ The technique of using `| dedup Moid` is applicable to all sourcetypes except ci
102
102
103
103
You may also notice, if you are very familiar with the Intersight API, that there are a few nodes of JSON that are missing in Splunk that are present elsewhere. This is due to some editorial pruning that is occurring in the Add-on. There are some object references in the API results that simply don't serve any purpose in Splunk. The Add-on is pruning these to improve the overall experience and optimize the amount of data that gets pushed to Splunk.
104
104
105
-
## More examples
105
+
## Examples
106
106
107
107
One for each sourcetype...
108
108
@@ -111,19 +111,23 @@ One for each sourcetype...
111
111
| cisco:intersight:aaaAuditRecords|`index=* sourcetype=cisco:intersight:aaaAuditRecords MoType!=iam.UserPreference \| rename MoType as Type \| rename MoDisplayNames.Name{} as Object \| eval Request=json_extract(_raw,"Request") \| table source, Email, Event, Type, Object, Request`|
| cisco:intersight:tamAdvisoryInstances|`index=* sourcetype=cisco:intersight:tamAdvisoryInstances \| dedup Advisory.Moid \| rename Advisory.BaseScore as CVSSBaseScore \| rename Advisory.AdvisoryId as Id \| rename Advisory.ObjectType as Type \| rename Advisory.Name as Name \| rename Advisory.Severity.Level as Severity \| rename Advisory.CveIds{} as Attached_CVEs \| table source, Name, Id, Type, CVSSBaseScore, Severity, Attached_CVEs`|
114
-
| cisco:intersight:computePhysicalSummaries | `index=* sourcetype=cisco:intersight:computePhysicalSummaries \| dedup Moid \| rename NumCpuCoresEnabled as Cores \| rename TotalMemory as RAM \| eval RAM=RAM/1024 \| rename OperPowerState as Power \| rename AlarmSummary.Critical as Criticals \| rename AlarmSummary.Warning as Warnings \| table source, Power, Name, Model,Serial, Firmware, Cores, RAM, Criticals, Warnings`
114
+
| cisco:intersight:computePhysicalSummaries | `index=* sourcetype=cisco:intersight:computePhysicalSummaries RegisteredDevice.ConnectionStatus!=Unclaimed \| dedup Moid \| rename NumCpuCoresEnabled as Cores \| rename TotalMemory as RAM \| eval RAM=RAM/1024 \| rename OperPowerState as Power \| rename AlarmSummary.Critical as Criticals \| rename AlarmSummary.Warning as Warnings \| rename RegisteredDevice.ConnectionStatus as Status \| eval Health=case(Criticals >= 1,"Critical", Warnings >= 1,"Warning", 1=1, "Healthy") \| table source, Power, Status, Health, Name, Model,Serial, Firmware, Cores, RAM`
Here's an example where we summarize our compute inventory and demonstrate how we might extract information from the Model field of UCS Servers...
125
+
126
+
`index=* sourcetype=cisco:intersight:computePhysicalSummaries | dedup Moid | chart count by Model | rex field=Model "^(?<series>.*?)[-\d]" | rex field=Model "(?<model>\w{0,4}\d{3,4}\w?)" | rex field=Model "(?<generation>M\d)" | rex field=Model "M\d(?<variant>\w+)" | rex field=Model "(?<gen_variant>M\d\w*)" | table Model count series model generation variant gen_variant`
127
+
124
128
Here's an example where we join the computePhysicalSummaries and the networkElementSummaries into a combined table...
The default maximum size for an event in splunk is 10KB. It is possible (even likely) that you will have aaaAuditRecords that exceed this size. While it is possible to increase this value so that Splunk can ingest these very large events, a look at the data indicates that the contents of the Results field was always the culprit and often not particularly useful in these large records. If the event is less than 10KB in size, it passes through to Splunk with the Results JSON structure intact. If the event would have exceeded 10k, the Results field is replaced with the value `TRUNCATED` so that the base audit log data is still available in Splunk and able to be extracted properly. Such truncated records can be found using the following search.
143
147
@@ -147,6 +151,10 @@ A further look at the data will indicate that most of these are actually related
147
151
148
152
`index=* sourcetype=cisco:intersight:aaaAuditRecords Request=TRUNCATED MoType!=iam.UserPreference | rename MoDisplayNames.Name{} as name |table source, Email, Event, MoType, name`
149
153
154
+
Everything else has been pruned of unhelpful data to the point that it shouldn't exceed the 10KB limit. If anything does exceeed that 10KB, it will be logged...
155
+
156
+
`2022-07-15 12:45:20,726 INFO pid=12445 tid=MainThread file=base_modinput.py:log_warning:302 | EXAMPLE | Record exceeds 10k limit! Moid=62b22eeb656c6c2d32394990 Type=hyperflex.Node`
157
+
150
158
## Troubleshooting
151
159
152
160
The most useful thing will be the log file from the Add-on. This will be called `ta_intersight_addon_intersight.log`. I suggest tailing this log if you're trying to figure out what is happening. Adjust the path to get to your Splunk directory as necessary...
@@ -155,7 +163,7 @@ The most useful thing will be the log file from the Add-on. This will be called
155
163
156
164
It should also be available via the following search...
Note that if you have multiple inputs (i.e. different Intersight accounts/appliances) configured in the Add-on, the log messages for all of the configured inputs will be interspersed. The Name from the 'Add Input' dialog above is used in the log to differentiate. In these logs, the name EXAMPLE was used.
0 commit comments