splk-feeds - Creating and managing Hybrid Trackers

Introduction to Hybrid Trackers

Hybrid Trackers are created and managed through TrackMe. They are scheduled backend jobs that orchestrate entity discovery and management for the TrackMe splk-feeds components:

  • Hybrid Trackers are scheduled reports which involve various TrackMe backend tools depending on the TrackMe component

  • A single Hybrid Tracker can discover and manage a few or many entities, according to your needs

  • Hybrid Trackers integrate into the main application workflow, which covers concepts such as registering their execution status, recording run-time performance, etc.

  • Hybrid Trackers can be created at any time, through guided user interfaces or TrackMe REST endpoints

  • In the context of Splunk feeds tracking, Hybrid Trackers can also be created during the initial creation of the Virtual Tenant

  • When creating a tracker, the related knowledge objects will be owned by the owner defined at the Virtual Tenant level

  • TrackMe keeps records of the knowledge objects related to each Hybrid Tracker, therefore you need to manage their life cycle through TrackMe rather than directly in Splunk

overview.png

Creating a Hybrid Tracker for splk-feeds

These instructions cover the splk-dsm component; the options for splk-dhm/splk-mhm may differ, but the underlying logic is similar.

To create a new Hybrid Tracker, access the tenant, then click on “Manage: Hybrid Trackers”:

screen1.png screen2.png

splk-dsm Hybrid Tracker creation wizard:

screen3.png

Once in the creation wizard, follow the guided steps:

Hybrid Tracker identifier:

  • Provide a name for the Hybrid Tracker; this name will be included in the names of the Splunk Knowledge Objects related to this tracker

  • In the example below, we name our tracker “endpoints_os_data” as it deals with events originating from Operating Systems

screen4.png

Target Splunk deployment:

  • Specify whether the data is searchable locally on this Splunk deployment, or whether the tracker deals with a remote Splunk deployment

  • If a remote Splunk deployment is selected, TrackMe first performs a connectivity check against that environment

screen5.png

Search mode and search root constraint:

tstats versus raw

  • Then, define the search mode: you can choose between tstats and raw

  • tstats is generally recommended, as it provides much faster and more efficient searches relying on the Splunk tsidx files

  • However, tstats requires all fields involved (including any break by field, see below) to be indexed fields, while a raw search can deal with search-time extracted fields

  • Therefore, raw search provides much more flexibility, but its cost is also much higher

  • Depending on your context, raw searches may be fully valid, but if a tstats search can be used equally, use tstats

root search constraint:

  • Define the Splunk root search constraint; it comes pre-filled with the normally expected constraints (requiring valid data, excluding TrackMe related data, etc.)

  • Add your own search filters according to your needs; in our example we add an index filter “(index=linux* OR index=win*)”

screen6.png

break by logic:

  • You can optionally add an additional break by logic field

  • This defaults to “none”, which means entities are keyed on the combination index + ":" + sourcetype

  • For instance, if we have an indexed field region, we can leverage it here to distinguish entities per region; the entity creation logic then becomes index + ":" + sourcetype + ":" + region

screen7.png screen8.png

Time quantifiers:

  • Review and update if necessary the indexed time earliest and latest, as well as the event time range earliest and latest

  • These time quantifiers define the period of data the tracker is going to cover

  • Generally, you will want a large event time range to cover data with high latency, while the indexed time range can be more restricted for performance optimization purposes

  • What works best and is most efficient depends a lot on your context and environment; start with these values, then review and adapt if necessary

screen9.png
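Before moving on to the schedule, it is worth checking in a regular Splunk search that the root constraint, the break by field and the time quantifiers behave as expected in the chosen search mode. The two searches below are an added illustration written for this page; they are not the search that TrackMe generates for the tracker, and the index filter, the region break by field and the time values are taken from the example above or constructed for the illustration. The first search is the tstats form, the second the raw equivalent:

```spl
| tstats max(_time) as last_event_time, max(_indextime) as last_ingest_time, count as event_count
    where (index=linux* OR index=win*)
        earliest=-4h latest=+4h _index_earliest=-15m _index_latest=now
    by index, sourcetype, region
| eval object = index . ":" . sourcetype . ":" . region
| eval ingestion_lag_sec = last_ingest_time - last_event_time
| table object, last_event_time, last_ingest_time, ingestion_lag_sec, event_count

(index=linux* OR index=win*)
    earliest=-4h latest=+4h _index_earliest=-15m _index_latest=now
| eval object = index . ":" . sourcetype . ":" . region
| stats max(_time) as last_event_time, max(_indextime) as last_ingest_time, count as event_count by object
| eval ingestion_lag_sec = last_ingest_time - last_event_time
| table object, last_event_time, last_ingest_time, ingestion_lag_sec, event_count
```

The earliest/latest pair plays the role of the event time range (wide, to catch late-arriving events) and the _index_earliest/_index_latest pair plays the role of the indexed time range (narrow, to keep the search cheap); the object column is the entity key the tracker would create. If region is only a search-time extraction, the tstats variant cannot group on it and the column comes back empty while the raw variant populates it: that is exactly the case in which raw mode is required, or in which region should be made an indexed field before keeping tstats.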

Cron schedule:

  • Define the cron schedule for the Hybrid Tracker

  • It defaults to every 5 minutes; note that TrackMe automatically dispatches the cron schedule (spreading tracker executions) for optimization purposes

screen10.png

Test and review:

  • Click on the button to execute the Hybrid Tracker in preview mode and review the results

screen11.png

Finally, validate the Hybrid Tracker creation:

screen12.png

Once created, you can choose to run the Tracker immediately to discover and create entities in the Virtual Tenant:

screen13.png

Managing Hybrid Trackers for splk-feeds

Deleting a Hybrid Tracker through the UI

If you want to delete an existing Hybrid Tracker, this operation must be done through TrackMe, not by deleting the Splunk knowledge objects directly.

The reason is that the application keeps track of all knowledge objects created for a given tenant, in order to honour features such as managing the life cycle of the tenant (enabling / disabling, etc.) or the life cycle of the tracker itself.

To manage Hybrid Trackers, click on:

screen1.png

The user interface shows available trackers and their related objects:

screen2.png

Select one or more trackers to be deleted:

screen3.png

The related knowledge objects will be deleted and the Virtual Tenant record cleaned up automatically.

For splk-feeds, the entities that were created through these Hybrid Trackers are not deleted; however, unless another Tracker covers them, they will no longer be maintained.

Deleting a Hybrid Tracker through REST

You can delete one or more Trackers through the following REST endpoint (hybrid_trackers_list is a comma-separated list of tracker identifiers), example in SPL:

| trackme mode=post url="/services/trackme/v2/splk_hybrid_trackers/admin/hybrid_tracker_delete" body="{'tenant_id': 'mytenant', 'component': 'dsm', 'hybrid_trackers_list': 'test:001,test:002'}"