Digital Resilience Pays Off
How resilient is your organization? Learn how to mature your digital resilience with this free guide.
Integrating with Splunk: You Gotta Think Outside the Box
By
Splunk
This morning, a question was asked about integrating with Splunk that started with something like, “but I can’t send syslog from my system, so how can I get that data in Splunk?” It really doesn’t matter what system or what data; before digging in, I already knew that the answer was out there.
“But wait a second, Hal, how could you know that?”, you might be thinking.
Well, it’s just a matter of knowing a bit about how computer systems work, and understanding that Splunk has many ways of ingesting data. You see, at a very high level, there are only two ways that Splunk can integrate with another system. I’ll call these integration types “intentional”, and “operational”. Let’s define them:
- Intentional – this is when a system causes machine data to be emitted intentionally, for the purpose of exchanging that data with another system. Examples might include:
- sending a syslog event
- sending an SNMP trap
- sending an email
- triggering any action, such as invoking a script
- APIs, SDKs, scripting toolkits
- Operational – this is when machine data is created, but not necessarily emitted, simply due to the normal operations of a system. This one is key to understand, because these may be the important sources of data that you didn’t know you even had. Examples:
- log files
- databases
- message queues or busses
Nine times out of ten*, people start with syslog events and end with log files. But there is so much more out there! Let’s say that you have some piece of software which can send emails when something important happens. You like that software, it’s not going anywhere, but you really need to get that important event into Splunk. You’ve already looked at syslog and log files, and don’t know where to go next? Not a problem, we got you! Here are some ideas that might help out:
- Send those email alerts to a mailbox and have Splunk index each message as an event
- Use the Splunk App for Stream to decode the SMTP protocol as email alerts travel over the wire!
- Are the alerts in your native system recorded to a database table? Watch the table with DB Connect!
I don’t mean to bury the lead, but I wanted this post to be general in nature. For those curious, the system in question was Cisco Prime Infrastructure. I’ve never used it, but was able to determine that the above techniques had a good chance of working after skimming the admin guide.
Happy Splunking!
(* I totally made up this statistic.)
----------------------------------------------------
Thanks!
Hal Rottenberg
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
