splk-feeds - Creating and Managing Hybrid Trackers
##################################################

Introduction to Hybrid Trackers
===============================

**Hybrid Trackers are created and managed through TrackMe. These are scheduled backend jobs that orchestrate entity discovery and management for TrackMe splk-feeds components:**

- Hybrid Trackers are scheduled reports that involve various TrackMe backend tools depending on the TrackMe component
- A single Hybrid Tracker can discover and manage a few or many entities according to the needs
- Hybrid Trackers integrate into a main application workflow, which involves concepts such as registering their execution statuses and run time performance
- Hybrid Trackers can be created at any time through guided user interfaces or TrackMe REST endpoints
- In the context of Splunk feeds tracking, Hybrid Trackers can also be created during the initial creation of the Virtual Tenant
- When creating trackers, the related knowledge objects will be owned by the owner defined at the Virtual Tenant level
- TrackMe keeps records of the knowledge objects related to the Hybrid Trackers; therefore, you need to manage their lifecycle through TrackMe

.. image:: img_v2/hybrid_trackers/overview.png
   :alt: overview.png
   :align: center
   :width: 1200px
   :class: with-border

Creating a Hybrid Tracker for splk-feeds
========================================

*These instructions are related to the splk-dsm component. Options for splk-dhm/splk-mhm may differ, but the underlying logic is similar.*

**To create a new Hybrid Tracker, access the tenant and click on "Manage: Hybrid Trackers":**

.. image:: img_v2/hybrid_trackers/splk_dsm/screen1.png
   :alt: screen1.png
   :align: center
   :width: 1200px
   :class: with-border

.. image:: img_v2/hybrid_trackers/splk_dsm/screen2.png
   :alt: screen2.png
   :align: center
   :width: 1200px
   :class: with-border

**splk-dsm Hybrid Tracker creation wizard:**

.. image:: img_v2/hybrid_trackers/splk_dsm/screen3.png
   :alt: screen3.png
   :align: center
   :width: 1200px
   :class: with-border

**Once in the creation wizard, follow the guided steps:**

*Hybrid Tracker identifier:*

- Provide a name for the Hybrid Tracker. This name will be included in the names of the Splunk Knowledge Objects related to this tracker
- In the example below, we name our tracker "endpoints_os_data" as it deals with events originating from Operating Systems

.. image:: img_v2/hybrid_trackers/splk_dsm/screen4.png
   :alt: screen4.png
   :align: center
   :width: 1200px
   :class: with-border

*Target Splunk deployment:*

- Specify whether the data is searchable locally on the Splunk deployment or whether the tracker deals with a remote Splunk deployment
- If a remote Splunk deployment is selected, TrackMe first performs a connectivity check against that environment

.. image:: img_v2/hybrid_trackers/splk_dsm/screen5.png
   :alt: screen5.png
   :align: center
   :width: 1200px
   :class: with-border

*Search mode and search root constraint:*

*tstats versus raw*

- Then, define the search mode. You can choose between tstats and raw
- tstats is generally recommended as it provides much faster and more efficient searches, relying on Splunk tsidx files
- However, tstats requires all fields to be indexed fields, while a raw search can deal with search-time extracted fields
- Therefore, raw search provides much more flexibility, but its cost is also much higher
- Depending on your context, raw searches may be fully valid, but if a tstats search can be used equally, use tstats

*root search constraint:*

- Define the Splunk root search constraint. The constraint comes pre-filled with the normally expected constraints, which require valid data, exclude TrackMe related items, etc.
- Add your own search filters according to your needs. In our example, we add an index filter ``(index=linux* OR index=win*)``

.. image:: img_v2/hybrid_trackers/splk_dsm/screen6.png
   :alt: screen6.png
   :align: center
   :width: 1200px
   :class: with-border

*break by logic:*

- You can optionally add an additional break by field
- This defaults to "none", which means entities will match the combination ``index + ":" + sourcetype``
- For instance, if we have an indexed field ``region``, we can leverage it here to distinguish entities per region. Our entity creation logic becomes ``index + ":" + sourcetype + ":" + region``

.. image:: img_v2/hybrid_trackers/splk_dsm/screen7.png
   :alt: screen7.png
   :align: center
   :width: 1200px
   :class: with-border

.. image:: img_v2/hybrid_trackers/splk_dsm/screen8.png
   :alt: screen8.png
   :align: center
   :width: 1200px
   :class: with-border

*Time quantifiers:*

- Review, and update if necessary, the indexed time earliest and latest, as well as the event time range earliest and latest
- These time quantifiers drive the period of data that the tracker is going to cover
- Generally, you will want a large event time range to cover data with high latency, while the indexed time range can be more restricted for performance optimization purposes
- What works best and is the most efficient depends a lot on your context and environment. Start with these values, then review and adapt if necessary

.. image:: img_v2/hybrid_trackers/splk_dsm/screen9.png
   :alt: screen9.png
   :align: center
   :width: 1200px
   :class: with-border

*Cron schedule:*

- Define the cron schedule for the Hybrid Tracker
- It defaults to every 5 minutes. Note that TrackMe will automatically dispatch cron schedules for optimization purposes

.. image:: img_v2/hybrid_trackers/splk_dsm/screen10.png
   :alt: screen10.png
   :align: center
   :width: 1200px
   :class: with-border

*Test and review:*

- Click on the button to execute the Hybrid Tracker in preview

.. image:: img_v2/hybrid_trackers/splk_dsm/screen11.png
   :alt: screen11.png
   :align: center
   :width: 1200px
   :class: with-border

*Finally, validate the Hybrid Tracker creation:*

.. image:: img_v2/hybrid_trackers/splk_dsm/screen12.png
   :alt: screen12.png
   :align: center
   :width: 1200px
   :class: with-border

*Once created, you can choose to run the Tracker immediately to discover and create entities in the Virtual Tenant:*

.. image:: img_v2/hybrid_trackers/splk_dsm/screen13.png
   :alt: screen13.png
   :align: center
   :width: 1200px
   :class: with-border

Managing Hybrid Trackers for splk-feeds
=======================================

Deleting a Hybrid Tracker through the UI
----------------------------------------

If you want to delete an existing Hybrid Tracker, this operation must be done via TrackMe. The reason is that the application keeps track of all knowledge objects that were created for a given tenant in order to honor various features, such as managing the lifecycle of the tenant (enabling/disabling, etc.) or the lifecycle of the tracker itself.

**To manage Hybrid Trackers, click on:**

.. image:: img_v2/hybrid_trackers/manage/screen1.png
   :alt: screen1.png
   :align: center
   :width: 1200px
   :class: with-border

**The user interface shows available trackers and their related objects:**

.. image:: img_v2/hybrid_trackers/manage/screen2.png
   :alt: screen2.png
   :align: center
   :width: 1200px
   :class: with-border

**Select one or more trackers to be deleted:**

.. image:: img_v2/hybrid_trackers/manage/screen3.png
   :alt: screen3.png
   :align: center
   :width: 1200px
   :class: with-border

The related knowledge objects will be deleted, and the Virtual Tenant record will be cleaned up automatically. For splk-feeds, the entities that were created through these Hybrid Trackers will **not** be deleted. (However, unless another Tracker is created, these entities will no longer be maintained.)

Deleting a Hybrid Tracker through REST
--------------------------------------

**You can delete a Tracker through the following REST endpoint, example in SPL:**

::

    | trackme mode=post url="/services/trackme/v2/splk_hybrid_trackers/admin/hybrid_tracker_delete" body="{'tenant_id': 'mytenant', 'component': 'dsm', 'hybrid_trackers_list': 'test:001,test:002'}"
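The same deletion driven from outside Splunk, as an added example (not TrackMe's own code): it builds the three-key body the SPL call above uses, validates the tracker list before anything is sent, and posts it with a Splunk bearer token. It assumes the endpoint is reachable on the Splunk management port and accepts JSON; the host, token and ``dhm``/``mhm`` component short names are assumptions, and the tracker names are the page's own ``test:001,test:002``.

```python
"""Delete TrackMe Hybrid Trackers through the hybrid_tracker_delete REST endpoint.

Added example, not TrackMe's own code. Assumes the endpoint answers on the
Splunk management port (8089 by default) and accepts a JSON body with a
Splunk bearer token. Host and token below are placeholders.
"""
import json
import ssl
import urllib.request

DELETE_ENDPOINT = "/services/trackme/v2/splk_hybrid_trackers/admin/hybrid_tracker_delete"
# 'dsm' is the value used on the page; 'dhm' and 'mhm' follow the splk-<x> naming (assumed).
VALID_COMPONENTS = {"dsm", "dhm", "mhm"}


def build_delete_body(tenant_id: str, component: str, trackers: list[str]) -> dict:
    """Return the request body: tenant_id, component and the tracker names
    joined into the comma-separated 'hybrid_trackers_list' the endpoint expects."""
    if component not in VALID_COMPONENTS:
        raise ValueError(f"unknown component {component!r}")
    cleaned = [t.strip() for t in trackers if t and t.strip()]
    if not cleaned:
        raise ValueError("no tracker names given")
    # A comma inside a name would silently split into two trackers; reject it.
    if any("," in t for t in cleaned):
        raise ValueError("tracker names must not contain commas")
    return {
        "tenant_id": tenant_id,
        "component": component,
        "hybrid_trackers_list": ",".join(cleaned),
    }


def delete_hybrid_trackers(base_url, token, tenant_id, component, trackers, cafile=None):
    """POST the delete request; returns the decoded JSON response."""
    body = build_delete_body(tenant_id, component, trackers)
    req = urllib.request.Request(
        base_url.rstrip("/") + DELETE_ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)  # TLS verification stays on
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":  # placeholders: replace host and token
    print(delete_hybrid_trackers("https://splunk.example:8089", "<token>",
                                 "mytenant", "dsm", ["test:001", "test:002"]))
```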