Deployment Guide - Splunk Search from NetBrain Map

    Use Case


    Description


    Using the publicly available Splunk Enterprise REST API, NetBrain has created an integration compatible with NetBrain Integrated Edition release 8.0 (and newer) that enables a NetBrain end user to easily search Splunk logs from a topology-based spatial troubleshooting context - a user created map.

    With this integration,

    • Users can search historical logs (network syslog and any other logs) from Splunk Enterprise with simple inputs provided from UI.
      • Search Keywords
      • Source
      • Time Range
    • NetBrain can overlay the log search result on a map with a link to the search result in Splunk Enterprise.

    NetBrain Map with Splunk Log Search Overlay


    Below are example representations of the Splunk search inputs and log data overlay on NetBrain map.

    Pre-requisites


    Application Version


    Application                    Version
    NetBrain Integrated Edition    IE v8.0 (or newer)
    Splunk Enterprise              7.3.0 (or newer)


    Network Connectivity


    Client                   Server                          Protocol
    NetBrain Front Server    Splunk Enterprise, Port 8089    HTTP/HTTPS


    User Account and Privileges


    Application                    User Account    Required Role Assignment(s)
    NetBrain Integrated Edition    Required        System Admin
    Splunk Enterprise              Required        Sufficient access to the expected Apps and Sources (or higher)


    Deployment Instructions


    Deploy the NetBrain Splunk API Adaptor


    1. Download the NetBrain Splunk API Adaptor, Splunk API Adaptor.py, from this article and stage it locally on the machine typically used to connect to the NetBrain User Interface.
    2. Using a web browser, log in to the NetBrain System Management UI using the System Admin credentials.
      • http://<NetBrain Web Server IP>/admin
    3. In the NetBrain System Management UI, Navigate to Operations > API Adaptors.
    4. In the API Adaptors screen, click "Add".
    5. Complete the Add Adaptor dialog screen as follows:
      • Adaptor Name: Splunk API Adaptor
      • Description:NetBrain Splunk API Adaptor
      • Script: <Splunk API Adaptor.py>
    6. Review the adaptor configuration, then click "Save".
    7. Log out of the NetBrain Integrated Edition System Management UI.

    Create Splunk API Server Connection


    Note: If the environment has been deployed with multiple Front Servers, repeat this section for each of the Front Servers.

    1. Using a web browser, login to the NetBrain Desktop UI using the System Admin credentials.
      • http://<NetBrain Web Server IP>
    2. Navigate to the NetBrain API Server Manager.
      • Domain Management > Operations > API Server Manager
    3. In the API Server Manager screen, click "Add".
    4. Complete the Add API Server dialog screen as follows:
      • Server Name: Splunk API Server <Front Server>
      • Description: Splunk
      • API Source Type: "Splunk API Adaptor"
      • Endpoint: Splunk instance endpoint (for example, "http://192.168.28.253:8089")
      • Username: Splunk account's username
      • Password: Splunk password
      • Front Server/Front Server Group: Select FS/FSG which would have reachability to Splunk Enterprise server
    5. Click "Managed Devices: 0" to assign Splunk Search enabled devices to this API Server.
      • Click "+ Device".
      • Select "Device Type" radio button.
      • Select All Device Types.
      • Click ">>", then click "OK" two times to save the device assignment.
    6. Click "Test" to initiate a connectivity test between the NetBrain Front Server and the Splunk Enterprise instance configured. The screens below show the result of a successful connectivity test followed by two typical failure scenarios: incorrect credentials, and no connectivity between NetBrain and Splunk Enterprise.
    Successful Connection

    Error Scenario: The entered credentials are incorrect.

    Possible Resolution: Confirm credentials specified in the Splunk API Server configuration and retry.

    Error Scenario: Splunk Enterprise endpoint is unreachable.

    Possible Resolution: Confirm that the NetBrain Front Server(s) can reach the Splunk Enterprise platform on Port 8089 via HTTP using 3rd party tools.

    Import Splunk Data View Template


    1. Download the NetBrain Splunk Search Data View Template, Splunk Device Log Search.xdvt, from this article and stage it locally on the machine used to connect to the NetBrain User Interface.
    2. Using a web browser, login to the NetBrain Desktop UI with the System Admin credentials.
      • http://<NetBrain Web Server IP>

    3. Navigate to the NetBrain Data View Template Manager.

      • Start Menu (The Four Dashed Lines) > Dynamic Map > Data View Template Manager

    4. Right-Click “Shared Templates in Tenant”, then click “New Folder”.

    5. Name the folder Splunk Search.

    6. Right-Click the “Splunk Search” folder, then click “Import Template”.

    7. In the Import Data View Template dialog, click “Add Data View Template …”.

    8. Select the Splunk Search.xdvt file, then click “Open”.

    9. Confirm that the Import Data View Template dialog screen reflects the following information:

      • Name: Splunk Device Log Search.xdvt

      • Size: 9.02k

      • Status: Ready

      • Related Resources: 1 Parser

    10. Click “Import” to initiate the import of the data view template into the NetBrain system.

      • Note: On successful completion, the status will transition from Ready to Successful. If any other status is reported, retry the operation, then contact NetBrain support.

    11. Navigate to NetBrain Parser Library

      • Start Menu (The Four Dashed Lines) > Automation > Parser Library

    12. In the Parser Library, search for “Splunk“. One Splunk parser should be returned in the search results:

      • Splunk Device Log common search for DVT

    13. Double-click Splunk Device Log common search for DVT to open the custom parser in the Parser Editor.

    14. In the Parser Editor, update the Parser Type associated with the Splunk Device Log common search for DVT to the following:

      • Parser Type: API, Splunk API Adaptor

    15. Click the Save icon in the upper-right corner of the screen, then close the browser tab.

    Setup Default Source and Source Type Options


    1. Navigate to Data View Template Manager.
      • Start Menu (The Four Dashed Lines) > Data View Template Manager
    2. Search for "Splunk" > Select Splunk Device Log Search.
    3. Click "Supporting Variables: 5 Variables".
    4. Expand Input Variables.
    5. Select source > Replace "NetBrain Lab" with the actual source name of the Splunk network Syslog in Option Values. Keep the pipe ("|") as the delimiter.
    6. Select sourcetype > Replace "Network Syslog" with the actual source type name of the Splunk network Syslog in Option Values. Keep the pipe ("|") as the delimiter.
    7. Click Save.

    Add Splunk Link Drill-down Action


    1. Navigate to Single Pane of Glass URL.
      • Start Menu (The Four Dashed Lines) > Single Pane of Glass URL
    2. Select Generic Variable tab.
    3. Click "+ Add" button to add a Splunk base URL.
      • Name: Splunk
      • Value: <Splunk Enterprise URL> Example: http://192.168.28.253:8000
    4. Click "OK" to save it.
    5. Select Page Link tab.
    6. Click  "+ Add Vendor" to add a new vendor category. Name it as "Splunk".
    7. Select Splunk vendor, then click "+ Add Page Link" to add a Splunk Device Log search result page link.
      • Page Name: Splunk Device Log
      • Page URL:
        • Click the Insert button on the right end of this field. Select Insert Generic Variable.
        • Select Splunk, then click OK.
        • In the field, after {$$Splunk}, type "/en-US/app/search/search?sid=". Point the cursor to the end of the string.
        • Click the Insert button on the right end of this field. Select Insert Parser Variable.
        • From the pop-up panel, search "Splunk".
        • Select Shared Parsers in Tenant > Splunk Device Log Search > Splunk Device Log common search for DVT > searchID, then click OK.
        • Verify the final Page URL: {$$Splunk}/en-US/app/search/search?sid={$searchID}
    8. Click OK to save.
    9. Open Splunk Device Log Search DVT.
    10. Select SplunkLogs (table) data view unit under the device icon from the DVT.
    11. From the panel on the bottom, click "+ Add Action", and select SPOG URL.
    12. Select Splunk > Splunk Device Log, then click select.
    13. Click Save to save the DVT.
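    The following added example (not code from the NetBrain article or its adaptor) shows how the three UI inputs, the pipe-delimited Option Values and the Page URL above map onto a Splunk REST search job on port 8089 and the drill-down link; the Time Range labels and the SPL form are assumptions.

```python
import json
import urllib.parse
import urllib.request

# Assumed mapping from the Time Range input label to a Splunk relative time.
TIME_RANGES = {"Last 15 minutes": "-15m", "Last 24 hours": "-24h"}

def parse_option_values(raw):
    """Split an Option Values string that keeps '|' as its delimiter."""
    return [v.strip() for v in raw.split("|") if v.strip()]

def spl_literal(value):
    """Quote a UI-supplied value so a '|' or '"' typed into Search Keywords
    cannot end the string or start a new pipe command."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_search(keywords, source, sourcetype):
    """Compose the SPL that the search job will run."""
    terms = [spl_literal(t) for t in keywords.split()]
    return " ".join(["search", "source=" + spl_literal(source),
                     "sourcetype=" + spl_literal(sourcetype)] + terms)

def build_job_body(keywords, source, sourcetype, time_range):
    """Form fields for POST <endpoint>/services/search/jobs."""
    return {"search": build_search(keywords, source, sourcetype),
            "earliest_time": TIME_RANGES[time_range], "latest_time": "now",
            "output_mode": "json"}

def drilldown_url(splunk_web, sid):
    """Mirror the Page URL {$$Splunk}/en-US/app/search/search?sid={$searchID}."""
    return (splunk_web.rstrip("/") + "/en-US/app/search/search?sid="
            + urllib.parse.quote(sid, safe=""))

def submit_search_job(endpoint, username, password, body):
    """Live path (needs Splunk reachable on port 8089; prefer an https endpoint,
    this posts the Splunk password): log in, create the job, return its sid."""
    base = endpoint.rstrip("/")
    login = urllib.request.Request(base + "/services/auth/login",
        data=urllib.parse.urlencode({"username": username, "password": password,
                                     "output_mode": "json"}).encode())
    with urllib.request.urlopen(login, timeout=10) as resp:
        session_key = json.load(resp)["sessionKey"]
    job = urllib.request.Request(base + "/services/search/jobs",
        data=urllib.parse.urlencode(body).encode(),
        headers={"Authorization": "Splunk " + session_key})
    with urllib.request.urlopen(job, timeout=10) as resp:
        return json.load(resp)["sid"]
```

    The sid returned by submit_search_job() is the value the {$searchID} parser variable carries into the drill-down link.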

    Add Splunk Search Data View Template to Favorite Runbook Action


    1. Click on "+" > "New Runbook" to initiate a new runbook.
    2. Click the green "+" button > Built-in > Data View Template > Add.
    3. Search for "Splunk" > select Splunk Device Log Search DVT > click "OK".
    4. Click Runbook Node Menu (The Three Dashed Lines beside Splunk Search DVT node)
    5. Select "Save as Favorite".
    6. Uncheck "Keep target devices" checkbox > click "Save".

    Visualizing the Splunk Log Search Result with NetBrain Data View Template


    On-Demand Splunk Log Search


    1. From the NetBrain Desktop Management UI, open the desired map to do a Splunk device log search.

    2. In Runbook tab, Click the green "+" button > Favorite > select "Splunk Device Log Search" > click "Add".

    3. Expand Input.

    4. Fill out the inputs with the proper search criteria. For example:

      • Search the last 15 minutes OSPF network Syslog

        • Search Keywords: OSPF

        • Source: <Network Syslog Source>

        • Time Range: Last 15 minutes

    5. Confirm that the Data Source is set to Pull live data once.

    6. Confirm that the objects (devices) are properly instrumented with the expected Splunk data.

      Note: Overlaying the Splunk log search result may take seconds to minutes to complete, depending on the number of devices on the map.

    7. Click Splunk Logs to review the log search result from Data View Result Console.

    Link to Splunk Search Result Page for Further Analysis


    1. Click the drill down action of Splunk Logs > click Splunk Device Log.
    2. The Splunk search result page of this device will be opened.
      • Note: Splunk authentication is required. Log in to Splunk with your credentials if you have been granted access.

    Troubleshooting


    If there are any problems encountered during deployment or integration of NetBrain with Splunk Enterprise, contact NetBrain Support at support@netbraintech.com.
