Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
Integrating with Splunk: You Gotta Think Outside the Box
By
Splunk
This morning, a question was asked about integrating with Splunk that started with something like, “but I can’t send syslog from my system, so how can I get that data in Splunk?” It really doesn’t matter what system or what data; before digging in, I already knew that the answer was out there.
“But wait a second, Hal, how could you know that?”, you might be thinking.
Well, it’s just a matter of knowing a bit about how computer systems work, and understanding that Splunk has many ways of ingesting data. You see, at a very high level, there are only two ways that Splunk can integrate with another system. I’ll call these integration types “intentional”, and “operational”. Let’s define them:
- Intentional – this is when a system causes machine data to be emitted intentionally, for the purpose of exchanging that data with another system. Examples might include:
- sending a syslog event
- sending an SNMP trap
- sending an email
- triggering any action, such as invoking a script
- APIs, SDKs, scripting toolkits
- Operational – this is when machine data is created, but not necessarily emitted, simply due to the normal operations of a system. This one is key to understand, because these may be the important sources of data that you didn’t know you even had. Examples:
- log files
- databases
- message queues or busses
Nine times out of ten*, people start with syslog events and end with log files. But there is so much more out there! Let’s say that you have some piece of software which can send emails when something important happens. You like that software, it’s not going anywhere, but you really need to get that important event into Splunk. You’ve already looked at syslog and log files, and don’t know where to go next? Not a problem, we got you! Here are some ideas that might help out:
- Send those email alerts to a mailbox and have Splunk index each message as an event
- Use the Splunk App for Stream to decode the SMTP protocol as email alerts travel over the wire!
- Are the alerts in your native system recorded to a database table? Watch the table with DB Connect!
I don’t mean to bury the lead, but I wanted this post to be general in nature. For those curious, the system in question was Cisco Prime Infrastructure. I’ve never used it, but was able to determine that the above techniques had a good chance of working after skimming the admin guide.
Happy Splunking!
(* I totally made up this statistic.)
----------------------------------------------------
Thanks!
Hal Rottenberg
Related Articles
About Splunk
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
