This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- Feed Purview data into Splunk
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Feed Purview data into Splunk
Feed Purview data into Splunk
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-31-2014 02:56 AM
I've found the white paper on integrating Splunk with Purview, and it looks great, but I can't find any technical detail on how to get the data from Purview into Splunk. What's the process for bringing the data across?
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-17-2014 01:25 PM
It does, thank you 🙂
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-17-2014 02:10 AM
I forgot to mention another option: Splunk can query webservices using the application rest_ta in the Splunk applications store. If you point that data source to
"https://netsight_ip:8443/axis/services/AppIdWebService/getLatestFlowsData?maxRows=number_of_flows&searchString=&source=purview_ip"
(I've been trying hard to avoid the Hub to interpret the previous as a real http link and formating it its own way, but no luck. If you need to see the full format of the url above, right click on the link above, select copy link and paste it somewhere )
you get all flows in memory in purview with all their data. You will need to hack a bit with the coding of rest_ta application to process the data into Splunk but we can help you with that.
The problem with this approach is that every X seconds (the polling time in the rest_ta application) you get Y amount of flows (defined in the web service URL), irrespective if you already got them before which brings some challenges processing in Splunk duplicated flows, because you get them twice in successive webservices calls, or you may miss some flows because you didn't plan the number of flows to query and some of them have been aged before you issued the call.
Again, we are working finding solutions to these issues with specific Splunk configurations or redesigning the web service call to be published an update to the paper you already read
"https://netsight_ip:8443/axis/services/AppIdWebService/getLatestFlowsData?maxRows=number_of_flows&searchString=&source=purview_ip"
(I've been trying hard to avoid the Hub to interpret the previous as a real http link and formating it its own way, but no luck. If you need to see the full format of the url above, right click on the link above, select copy link and paste it somewhere )
you get all flows in memory in purview with all their data. You will need to hack a bit with the coding of rest_ta application to process the data into Splunk but we can help you with that.
The problem with this approach is that every X seconds (the polling time in the rest_ta application) you get Y amount of flows (defined in the web service URL), irrespective if you already got them before which brings some challenges processing in Splunk duplicated flows, because you get them twice in successive webservices calls, or you may miss some flows because you didn't plan the number of flows to query and some of them have been aged before you issued the call.
Again, we are working finding solutions to these issues with specific Splunk configurations or redesigning the web service call to be published an update to the paper you already read
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-16-2014 07:46 PM
Hi James,
Apologies for the delay, Purview has a syslog exporter for flows, the configuration is hidden since it was an addon during the last development days before releasing.
in the file /opt/appid/conf/appid/appidconfig.xml you can add a line like
In purview, edit the file /etc/rsyslog.d/50-default.conf and insert a line like:
daemon.err @
Then you can move to splunk and configure a syslog colector.
Another option that we are exploring is exporting the data stored in Netsight database to splunk using the JDBC conector in Splunk. That is still experimental since it involves manipulating the database in NetSight in ways that are not supported by GTAC, we will provide an update about this integration by the end of this quarter.
Apologies for the delay, Purview has a syslog exporter for flows, the configuration is hidden since it was an addon during the last development days before releasing.
in the file /opt/appid/conf/appid/appidconfig.xml you can add a line like
In purview, edit the file /etc/rsyslog.d/50-default.conf and insert a line like:
daemon.err @
Then you can move to splunk and configure a syslog colector.
Another option that we are exploring is exporting the data stored in Netsight database to splunk using the JDBC conector in Splunk. That is still experimental since it involves manipulating the database in NetSight in ways that are not supported by GTAC, we will provide an update about this integration by the end of this quarter.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-16-2014 07:46 PM
Yep, those details are added by netsight and not available when the syslog events are created.
You can get more data about a flow using the aproach in my other post using web services to access flow information. You get more data about the flow using web services but it is also more challenging in terms of scalability and flow processing to avoid processing duplicated flows entries or missing flow entries.
You can get more data about a flow using the aproach in my other post using web services to access flow information. You get more data about the flow using web services but it is also more challenging in terms of scalability and flow processing to avoid processing duplicated flows entries or missing flow entries.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-16-2014 07:46 PM
OK, I enabled the Splunk one, added the entry to rsyslod and now I'm getting data in Splunk Although I don't seem to be getting the User, Profile and Detailed location fields - are these added in NetSight rather than on Purview?
