Feeds - Tags enrichments management
Tags enrichments for splk-dhm/splk-mhm
TrackMe version 2.0.53
These instructions require TrackMe version 2.0.53 as some enhancements were made for this purpose
For the Data Hosts tracking and Metric Hosts tracking components, tag enrichments rely on a lookup call approach which can be system wide customised.
You can use this feature to map TrackMe entities against any knowledge lookup in Splunk, such as your CMDB or Splunk Enterprise Security Assets and Identities lookups.
This relies on the two following macros:
# splk_dhm_tags
[trackme_get_splk_dhm_tags]
definition = `trackme_tags_default_message`
iseval = 0
# splk_mhm_tags
[trackme_get_splk_mhm_tags]
definition = `trackme_tags_default_message`
iseval = 0
By default, these macros refer to the macro trackme_tags_default_message:
[trackme_tags_default_message]
definition = eval tags = "Tags enrichment is not configured yet, consult the configuration UI TrackMe manage and configure."
iseval = 0
In the user interface, the tags enrichments can be accessed as follows:
Configuration for splk-dsm/splk-mhm
The configuration is very simple, let’s assume with the example above that we have a CMDB lookup containing the following fields:
asset: defines the value for the asset (could be hosts, etc)
domain: a domain context
location: location information
tags: The actual tags for that asset, these values can be searched and filtered from the user interface
In a simplistic manner, you would update the macro trackme_get_splk_dhm_tags for splk-dhm and trackme_get_splk_mhm_tags for splk-mhm to:
lookup cmdb_demo asset as alias
Notes: the alias represents the raw name of the entity without any addition from TrackMe.
At the next call, TrackMe performs the call to the lookup accordingly:
You can of course include much more content to the macro, such as restricting the output or manipulating the results if there is no match in your CMDB and so forth.
Filtering on tags from the user interface:
