Splunk App for Cisco UCS

The Splunk App for Cisco UCS combines the power and flexibility of Splunk with a tailored experience for Cisco UCS. Splunk for Cisco UCS gathers data from one or more Cisco UCS Managers enabling you to:
* Gain real time and historical visibility centrally across your entire UCS deployment
* Correlate UCS performance, fault and events data with user, application, hypervisor data to analyze, prevent and fix problems
* Proactively monitor your Cisco UCS environment by providing analytics such as available capacity, trending of faults over time, tracking of power & cooling costs

Release Notes

GETTING HELP

This app is authored by Splunk but is not officially supported by Splunk Support. If you have a current Splunk Enterprise Support entitlement, Splunk will provide best-effort support for cases involving this app directly, but such cases will not be subject to the Splunk Enterprise Support SLA.

KEY FEATURES

  • Central operational view across multiple UCS domains
  • Trending of faults over time, by cause and by impacted assets
  • Trending of power consumption, cooling requirements and networking throughput over time
  • Authentication tracking
  • Ability to correlate UCS data with other data in Splunk such as virtualization or application data

SCREENSHOTS

Home Dashboard

Faults Dashboard

CONTENTS

This app "suite" consists of four apps. They can be installed on a single-server or distributed Splunk install.

  • SplunkAppForCiscoUCS - This is the main dashboard app. It should be deployed only to your search head tier in a distributed install.

And under the folder SplunkAppForCiscoUCS/appserver/addons, are the following:

  • Splunk_TA_CiscoUCS - This is the "collector" or "technology add-on" and does the work of collecting data from UCS Manager systems. It consists of a set of Python scripts which are executed by Splunk as scripted inputs. This app should be deployed to Splunk lightweight forwarders in a distributed install.
  • Splunk_TA_CiscoUCS_Syslog - This is an optional app which enables syslog inputs on your Splunk server. Deploy this app to your index tier in a distributed install.
  • Splunk_KB_CiscoUCS - This "knowledge app" contains configuration files which should be deployed to both your indexers and search heads in a distributed install. Note: this app contains indexes.conf. This will create indexes on your search head, but they are not used, because your forwarder is configured to send data only to the indexers. If the extra indexes bug you, remove indexes.conf from the app when installing to your search head.

REQUIREMENTS

The Technology Add-On "Splunk_TA_CiscoUCS" has the following requirements:

  • Splunk version 4.3 or later.
  • If using a forwarder, it must be a LIGHTWEIGHT forwarder. (We use the LWF because the Universal forwarder does not include Python.) For info on how to deploy a LWF, see http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder
  • The forwarder system must have network access (HTTP/HTTPS) to one or more UCS Managers which are to be Splunked.
  • A read-only user ID and password for collecting data from UCS Manager.

The syslog Technology Add-On "Splunk_TA_CiscoUCS_Syslog" has the following requirements:

  • Each UCS Manager should be configured to send syslog messages to your Splunk Indexer(s). Complete instructions can be found here: http://www.cisco.com/en/US/products/ps10281/products_configuration_example09186a0080ae0f24.shtml
  • Be sure to use the "info" level (very important!). The rest of the settings can be left at their defaults.

HOW TO INSTALL

See included README.md in package.

FAQ:

Q: Why use these tables? Wouldn't key/value pairs be easier to work with?

A: An event containing key/value pairs (e.g. 2013-05-23T13:47:23.936347 ucs=bd-ucs-nx1 dn=sys/chassis-1/blade-7/fault-F0317 ...) is easy to work with. However, the field names are repeated with every event. Tables are used here to "pack" events into less space and avoid repeating these headers for every event. This can reduce Splunk indexing volume drastically for certain types of data that are collected frequently.

KNOWN ISSUES

  • Home dashboard: paginator shows incorrect number of pages (related to [SPL-36073], fixed in v5)
  • The password is saved in cleartext in credentials.csv. This is obviously not ideal, and we plan to fix it. As a workaround, restrict read permissions on the file.
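
One way to apply and verify the file-permission workaround for credentials.csv on a Unix-like forwarder. This is an added example, not code shipped with the app; the function names are hypothetical, and the directory to scan is an assumption because the page does not say where credentials.csv is stored.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on cleartext credentials.csv files.
# Function names are hypothetical; the directory passed in is an assumption.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# 0 = only the owner has access, 1 = group or other has some access,
# 2 = missing, not a regular file, or a symlink.
cred_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 2
    _mode=$(file_mode "$1") || return 2
    case "$_mode" in
        0|*00) return 0 ;;   # group and other digits are both 0
        *)     return 1 ;;
    esac
}

# List every credentials.csv below a directory that group or other can access.
list_exposed_cred_files() {
    find "$1" -type f -name credentials.csv 2>/dev/null | while IFS= read -r _cf; do
        cred_file_is_private "$_cf" || printf '%s\n' "$_cf"
    done
}

# Apply the workaround (owner read/write only) and confirm it took effect.
harden_cred_file() {
    chmod 600 "$1" && cred_file_is_private "$1"
}

# Example call after sourcing this file:
#   list_exposed_cred_files "$SPLUNK_HOME/etc/apps"
```

The file must stay readable by the account that runs the forwarder, since the collector scripts read it; mode 600 assumes that account owns the file.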