Tracking Expected hosts

Introduction to Expected hosts tracking

Tracking expected hosts relates to the Data Hosts tracking component, named splk-dhm, and can be used to track hosts that are expected to send data to Splunk but have not been discovered yet because they are inactive.

In a nutshell:

  • The core concept of TrackMe’s splk-dhm component is to discover hosts automatically by continuously inspecting the data forwarded to Splunk

  • In some cases, you may need to track a predefined list of machines, such as hosts injected from a CMDB

  • This can be achieved from TrackMe version 2.0.64 onwards with the additional logic documented on this page

Injecting Expected Hosts in an existing TrackMe tenant

The following example uses a tenant named mytenant, which is already configured to track a number of indexes where machine-related events are indexed.

For the purpose of this documentation, we have a CMDB lookup containing the list of firewalls that are due to send data to Splunk. These hosts can be queried as:

| inputlookup hosts_cmdb.csv | fields host, type, active

``` filter on active firewalls ```
| where (type="firewall" AND active=="True")
[screenshot: screen01.png]

We have configured a tenant and we want to make sure that any host listed in our CMDB makes it into the tenant; if a host does not send data to Splunk yet, it should appear in red.

To achieve this, we create a custom report containing the following search and schedule it as convenient, for example every 12 hours:

| inputlookup hosts_cmdb.csv

``` filter on active firewalls ```
| where (type="firewall" AND active=="True")

``` init tenant, object and alias (tenant_id must match the tenant owning the collection, here mytenant) ```
| eval tenant_id="mytenant", object="key:host|" . host, alias=host, object_category="splk-dhm"

``` init further required fields ```
| eval anomaly_reason="unknown", data_eventcount=0, data_first_time_seen=now(), data_index="", data_lag_alert_kpis="all_kpis", data_last_ingest=now(), data_last_ingestion_lag_seen=0, data_last_lag_seen=0, data_last_time_seen=now(), data_sourcetype="", latest_flip_state="discovered", latest_flip_time=now(), monitored_state="enabled", object_previous_state="unknown", object_state="red", priority="medium", search_mode="tstats", splk_dhm_alerting_policy="global_policy", splk_dhm_st_summary="{}", splk_dhm_st_summary_compact="{}", splk_dhm_st_summary_full="{}", splk_dhm_st_summary_minimal="{}", status_message="unknown", tracker_runtime=now()

``` set the keyid (md5 of the object field) ```
| eval key=md5(object)

``` placeholder values are required; TrackMe automatically updates the index and sourcetype once the host becomes active ```
| eval data_index="_internal", data_sourcetype="splunkd"

``` lookup the current collection, and exclude any already discovered entity ```
| lookup trackme_dhm_tenant_mytenant _key as key OUTPUT _key as found
| where isnull(found) | fields - found

``` Finally add to the collection ```
| outputlookup key_field=key append=t trackme_dhm_tenant_mytenant
| stats count as added_hosts
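The same reconciliation logic, as an added example that is not part of the TrackMe documentation or the TrackMe project: it rebuilds the entity records exactly as the eval statements above do, derives the KV Store key as md5(object), and drops any host whose key already exists in the collection, so the behaviour can be unit-tested offline before the report is scheduled. The CMDB extract is constructed sample data; batch_save() assumes Splunk's KV Store REST endpoint is reachable with a bearer token and that the collection lives in the trackme app namespace (both assumptions, and the function is not called in the offline run).

```python
# Added example (not TrackMe's or the page's own code): the reconciliation
# performed by the scheduled search above, reimplemented in Python so the
# record-building and "skip already discovered entities" logic can be tested
# offline. Collection name, tenant id and field defaults follow the page; the
# CMDB extract is constructed sample data, and batch_save() assumes Splunk's
# KV Store REST endpoint is reachable with a bearer token (not called here).
import csv
import hashlib
import io
import json
import time
import urllib.request

TENANT_ID = "mytenant"
COLLECTION = "trackme_dhm_tenant_mytenant"
SPLUNK_APP = "trackme"  # assumed app namespace owning the collection

# Constructed CMDB extract with the same columns as hosts_cmdb.csv on the page.
CMDB_CSV = """host,type,active
fw-edge-01,firewall,True
fw-edge-02,firewall,True
fw-lab-09,firewall,False
web-01,webserver,True
"""


def active_firewalls(csv_text):
    """Equivalent of: | where (type="firewall" AND active=="True")."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["host"] for r in rows
            if r["type"] == "firewall" and r["active"] == "True"]


def expected_host_record(host, tenant_id=TENANT_ID, now=None):
    """Build one splk-dhm entity with the same fields the eval statements set.

    The KV Store _key is md5(object), matching `| eval key=md5(object)`.
    """
    now = int(time.time()) if now is None else now
    obj = "key:host|" + host
    return {
        "_key": hashlib.md5(obj.encode("utf-8")).hexdigest(),
        "tenant_id": tenant_id,
        "object": obj,
        "alias": host,
        "object_category": "splk-dhm",
        "anomaly_reason": "unknown",
        "data_eventcount": 0,
        "data_first_time_seen": now,
        # placeholders; TrackMe replaces them once the host actually sends data
        "data_index": "_internal",
        "data_sourcetype": "splunkd",
        "data_lag_alert_kpis": "all_kpis",
        "data_last_ingest": now,
        "data_last_ingestion_lag_seen": 0,
        "data_last_lag_seen": 0,
        "data_last_time_seen": now,
        "latest_flip_state": "discovered",
        "latest_flip_time": now,
        "monitored_state": "enabled",
        "object_previous_state": "unknown",
        "object_state": "red",  # shown red until real data arrives
        "priority": "medium",
        "search_mode": "tstats",
        "splk_dhm_alerting_policy": "global_policy",
        "splk_dhm_st_summary": "{}",
        "splk_dhm_st_summary_compact": "{}",
        "splk_dhm_st_summary_full": "{}",
        "splk_dhm_st_summary_minimal": "{}",
        "status_message": "unknown",
        "tracker_runtime": now,
    }


def records_to_add(cmdb_csv, existing_keys, now=None):
    """Equivalent of the lookup + `where isnull(found)` step: keep only hosts
    whose key is not already in the tenant collection, so entities TrackMe
    discovered on its own are never overwritten."""
    return [rec for rec in (expected_host_record(h, now=now)
                            for h in active_firewalls(cmdb_csv))
            if rec["_key"] not in existing_keys]


def batch_save(base_url, token, records):
    """Equivalent of `outputlookup append=t`: POST the new records to the
    collection's batch_save REST endpoint. Requires a live Splunk instance."""
    url = (f"{base_url}/servicesNS/nobody/{SPLUNK_APP}"
           f"/storage/collections/data/{COLLECTION}/batch_save")
    req = urllib.request.Request(
        url, data=json.dumps(records).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # list of the _key values written


if __name__ == "__main__":
    # Stand-alone run: pretend fw-edge-01 was already discovered by TrackMe.
    already = {expected_host_record("fw-edge-01")["_key"]}
    for rec in records_to_add(CMDB_CSV, already):
        print(rec["alias"], rec["_key"], rec["object_state"])
```

Because the key depends only on the object string, running the reconciliation twice against the same CMDB is idempotent: the second pass finds every key already present and adds nothing, which is the same property the `where isnull(found)` clause gives the scheduled report.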

After the first execution of this search, the hosts are visible in the TrackMe tenant in a red state:

[screenshot: screen02.png]

As soon as hosts become active and match entities from our CMDB lookup, TrackMe updates their metadata accordingly:

[screenshot: screen03.png]

Finally, make sure to save and schedule this report so that any host present in the CMDB lookup but not yet known to TrackMe is added to the tenant:

[screenshots: screen04.png, screen05.png]