The Axonius Splunk Add-On

Splunk TA?
Data sharing in Axonius goes both ways and makes for a more complete ecosystem.  You may be aware of our Adapter for Splunk, which lets you bring your Splunk data into Axonius, but did you know that we also have a TA for Splunk that allows data ingestion and lookups in the other direction?  Using the Splunk TA, you can use your Axonius data in your Splunk instance, and then imagine the possibilities.

Once you have the TA in place, you create the query for the data that you want ingested into Splunk from the Axonius Console, and then create a New Input on the TA.  Only the data and fields that you specify will be ingested, and incremental updates let you save resources.

How to get the TA
Open your web console for Splunk and navigate to the Apps section.  In the Search field, just type in Axonius and hit Enter.


You will see TA Axonius available for Install.  Click on the green Install button.

Enter your Splunk.com credentials and accept the terms and conditions.  Then click Login and Install.

Axonius User Required Permissions

API Access -> API access enabled
- System and User Management -> View system settings
    - /api/settings/metadata
- System and User Management -> Run manual discovery cycle
    - /api/dashboard/lifecycle
- User Assets -> View users
    - /api/users
    - /api/users/views/saved
- Device Assets -> View devices
    - /api/devices
    - /api/devices/views/saved

How to configure the TA
Once installed, you can Open the App or Go Home.  Let’s Open the App, by clicking that bar and then the green Done button.

Global Settings

Let's click on the Configuration Settings tab, then the Add-on Settings.

You will need to add your Axonius account API Key and Secret to the TA in order for an input to be able to pull data into Splunk.

Inputs

You will need to click on Create New Input at the top right corner, which will allow you to configure your connection to your Axonius instance from your Splunk instance.

The Add Axonius Saved Query configuration box will then pop up and look like the following (field requirements are listed below the diagrams):

Name: This is a title for you to describe what the connection is
note – the Name cannot contain spaces; underscores are recommended

Interval: How often data will be fetched (in seconds)
note - 86,400 seconds = 1 day

Index: Which Index you want the data placed in
note - the index will need to already exist in the Splunk console

Axonius Host: URL of the Axonius instance that you want to gather from
note – you will need to use https:// even if you are not enforcing SSL validation

Entity Type: Devices or Users

Saved Query: Name of the query in Axonius Console that you are using to pull in data

Page Size: Number of records to be returned in each API call

API standoff (milliseconds): How long to wait before the next API call, if the data exceeds the page size
note – with a Page Size of 1,000, a query returning 50,000 records would need 50 API calls; the standoff is the amount of time the TA waits between each successive call until all 50,000 records are fetched

Dynamic Field Mapping: Allows you to take data from Axonius fields and map them to another field name in the Splunk ingest (JSON formatted)

Shorten Field Names: if you want to truncate field names, where applicable

Incremental Data Ingest: Only entries newer than the last fetch
note – this option reduces the amount of data pulled, as only records from the query that have been updated since the last pull are fetched

Enforce SSL Validation: If you want to force SSL validation of the connection

CA Bundle Path: Path to the SSL certificate information for validation
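As an added sanity check (example code, not part of the TA or the Axonius project), the following Python validates an input against the field notes above and sizes the paged pull before you save it. It assumes a record count for the saved query and covers only the fields that can be checked offline (Index, Saved Query and CA Bundle Path are left out).

```python
import json
import math
from dataclasses import dataclass


@dataclass
class SavedQueryInput:
    """One 'Add Axonius Saved Query' input, using the TA form's field names."""
    name: str
    interval_s: int                   # Interval in seconds (86,400 = 1 day)
    axonius_host: str
    entity_type: str                  # "Devices" or "Users"
    page_size: int
    api_standoff_ms: int
    dynamic_field_mapping: str = "{}" # JSON object: Axonius field -> Splunk field
    enforce_ssl_validation: bool = True


def page_plan(total_records: int, page_size: int, standoff_ms: int) -> dict:
    """API calls one pull needs, and the total time spent in standoff between them."""
    calls = max(1, math.ceil(total_records / page_size))
    return {"calls": calls, "standoff_total_ms": (calls - 1) * standoff_ms}


def validate_input(cfg: SavedQueryInput, expected_records: int) -> list:
    """Problems found in the input (empty if it looks sane); rules follow the field notes.
    expected_records is the size of the saved query's result today (an assumed figure)."""
    problems = []
    if " " in cfg.name:
        problems.append("Name must not contain spaces; use underscores")
    if not cfg.axonius_host.startswith("https://"):
        problems.append("Axonius Host must start with https://")
    if cfg.entity_type not in ("Devices", "Users"):
        problems.append("Entity Type must be Devices or Users")
    try:
        mapping = json.loads(cfg.dynamic_field_mapping)
        if not isinstance(mapping, dict) or not all(isinstance(v, str) for v in mapping.values()):
            problems.append("Dynamic Field Mapping must be a JSON object of string -> string")
    except json.JSONDecodeError as exc:
        problems.append(f"Dynamic Field Mapping is not valid JSON: {exc}")
    if not cfg.enforce_ssl_validation:
        problems.append("Enforce SSL Validation is off: certificate errors from Axonius Host are ignored")
    if cfg.page_size <= 0 or cfg.interval_s <= 0 or cfg.api_standoff_ms < 0:
        problems.append("Page Size and Interval must be positive; API standoff must not be negative")
    else:
        # Standoff alone must fit inside one Interval, or successive pulls overlap and back up.
        plan = page_plan(expected_records, cfg.page_size, cfg.api_standoff_ms)
        if plan["standoff_total_ms"] >= cfg.interval_s * 1000:
            problems.append(f"{plan['calls']} API calls spend {plan['standoff_total_ms']} ms in "
                            f"standoff, exceeding the Interval of {cfg.interval_s * 1000} ms")
    return problems
```

Run it against the values you intend to enter in the form; an empty list means the input passes the checks, and the page plan tells you how many calls one fetch will make.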


Verifying Data
Once the input has been created, you will now have the Name of the input created on the Inputs tab of the TA.

You can go back to your main page and go to the Search & Reporting section.  In the search bar, type in index={{Name_of_index_from_input}} and you should see events pulled in from the query.
