Dell EMC ECS Add-on for Splunk
Overview
Details
Dell EMC ECS Add-on for Splunk
The Splunk Technology Add-on (TA) for Dell EMC ECS collects data from ECS to be used by the Dell EMC ECS App for Splunk Enterprise.
Requirements
Splunk Enterprise:
- Version 7.1.x, 7.2.x and 7.3.x
Python:
- Version 2.7
Tested on CentOS, Windows.
Dell EMC ECS Add-on for Splunk TA should be installed on a Heavy Forwarder and Search Head.
This app also requires the Dell EMC ECS App for Splunk
Recommended System Configuration
Standard Splunk Enterprise configuration of Search Head, Indexer, and Forwarder.
Installation
Documentation for this add-on is located here.
This TA can be installed through UI using following steps.
- Log in to Splunk Web and navigate to Apps > Manage Apps.
- Click
install app from file. - Click
Choose fileand select Dell ECS Add-on installation file. - Click on
Upload. - Restart Splunk.
Application Setup
Configurations
After Installation
- Click on the
Configurationtab next to theInputstab. - Click on the
Addbutton to add an ECS VDC. - Provide the ECS VDC Management credentials and Click on
Add.
| Parameter | Required | Description |
|---|---|---|
| Account name | Yes | Provide unique name to uniquely identify Dell EMC ECS Sever details |
| Server Address | Yes | Provide the Server Address to a VDC node (IP Address) |
| Username | Yes | Provide User name of Dell EMC ECS server |
| Password | Yes | Provide Password of Dell EMC ECS server |
| *Verify SSL Certificate | Optional | Use SSL to access the ECS Management API |
* Note that if the SSL checkbox is enabled, then you need to append the API certificate in $SPLUNK_HOME/etc/apps/TA-dellecs/ta_dell_ecs/requests/cacert.pem file. For safety purposes, please take a backup of cacert.pem before appending the SSL certificate
- To configure log-level, Select
Logging. - Select the log level from dropdown and click on
Save.
Inputs
- Go to the apps list and open
Dell ECS Add-on for Splunk. From the inputs screen, click onCreate New Input. It has multiple input configurationDell ECS Input,Dell ECS Namespaces Input,Dell ECS Buckets Input. Dell ECS Inputwill index all the data into the Splunk except Namespace and Bucket data.Dell ECS Namespace Inputwill index Namespace data only.Dell ECS Buckets Inputwill index Buckets data only.
Note that if multiple inputs are created with the same global account, there will be duplicate Events in Splunk.
| Parameter | Required | Description |
|---|---|---|
| Name | Yes | Provide unique name to uniquely identify a Dell EMC ECS Sever details |
| *Interval | Yes | Interval in seconds for the cron schedule. |
| Index | Yes | Index in which you want to store your data. |
| Global Account | Yes | Select previously configured ECS Server details. |
| Start Time | Optional | Start time in GMT from which Data Collection will start. "%Y-%m-%dT%H:%M". |
*The input will be triggered at every interval time and fetch the data from Dell EMC ECS endpoints. cron schedule e.g. for every one minute cron schedule will be /1 * * *.
Search
To see data logged by the Dell ECS Add-on for Splunk, select the Search tab. Search Dell_ECS_index macro.
External Libraries used
| Libraries(Python) | Version | Repository link | License |
|---|---|---|---|
| croniter | 0.3.25 | https://pypi.org/project/croniter/ | https://github.com/kiorky/croniter/blob/master/docs/LICENSE |
| dateutil | 2.6.1 | https://pypi.org/project/python-dateutil/ | https://github.com/dateutil/dateutil/blob/master/LICENSE |
Troubleshooting
To troubleshoot Dell ECS Add-on, check following log files
$SPLUNK_HOME/var/log/splunk/ta_dell_ecs_dell_ecs_input.log
$SPLUNK_HOME/var/log/splunk/ta_dell_ecs_dell_ecs_namespaces_input.log
* $SPLUNK_HOME/var/log/splunk/ta_dell_ecs_dell_ecs_buckets_input.log file.
User can search for ERROR logs in the Splunk using following query
* index="_internal" source=**ta_dell_ecs_dell_ecs_*.log** ERROR
Release Notes
Version 1.1.0
Added support of Splunk 8.x
Made Add-on Python2 and Python3 compatible
Added proxy support
Added extraction for CAS logs