Dell ECS Add-on is a Splunk Add-on that collects data from the ECS REST APIs and indexes it into Splunk Enterprise.
* Author - Dell Inc.
Version 1.2.0
Version 1.1.0
Splunk Enterprise:
Python:
Tested on CentOS and Windows with the latest Chrome and Firefox versions.
Standard Splunk Enterprise configuration of Search Head, Indexer, and Forwarder.
This Add-On can be set up in two ways:
1) Standalone Mode: Install the Add-on app on a single machine. This single machine would serve as a Search Head + Indexer + Heavy forwarder for this setup.
2) Distributed Environment: Install Add-on on search head and Heavy forwarder (for REST API).
This TA can be installed through the UI using the following steps.
install app from file. Choose file and select the Dell ECS Add-on installation file. Upload.
After Installation
Configuration tab next to Inputs tab. Add button to add an ECS Server information. Add.

Global account parameters | Mandatory or Optional | Description |
---|---|---|
Account name | Mandatory | Provide unique name to uniquely identify ECS Server details |
Server Address | Mandatory | Provide Server Address for ECS server (IP Address) |
Username | Mandatory | Provide User name of ECS server |
Password | Mandatory | Provide Password of ECS server |
Verify SSL Certificate | Optional | To get the data from the APIs using SSL, keep the checkbox enabled; otherwise disable it. Note that if the checkbox is enabled, the user needs to append the certificate to the $SPLUNK_HOME/etc/apps/TA-dellecs/ta_dell_ecs/requests/cacert.pem file. For safety, take a backup of cacert.pem when appending the SSL certificate. |
Proxy Enable | Optional | To enable proxy for the account. If an account with proxy enabled is used in any input then it uses the proxy details attached to that account for the data collection |
Following proxy params will show up once Proxy Enable checkbox is checked:
Proxy Parameters | Mandatory or Optional | Description |
---|---|---|
Proxy Type | Mandatory | Select proxy type that you want to use from dropdown. The TA supports http proxy only. |
Proxy Host | Mandatory | Host or IP of the proxy server |
Proxy Port | Mandatory | Port for proxy server |
Proxy Username | Optional | Username of the proxy server. It is mandatory when the user has entered a Password. |
Proxy Password | Optional | Password of the proxy server. It is mandatory when the user has entered a Username. |
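
The Verify SSL Certificate row above asks for the certificate to be appended to cacert.pem with a backup taken. The script below is an added example, not part of the add-on, that does this in one step; the function name `append_ca` is hypothetical, and the bundle path to pass is the one given in the table.

```shell
#!/bin/sh
# Added example (not part of the add-on): append a CA certificate to the
# add-on's cacert.pem, keeping a timestamped backup.
# Usage: sh append_ca.sh /path/to/cacert.pem /path/to/ecs-ca.pem

append_ca() {
    bundle=$1
    cert=$2
    [ -f "$bundle" ] && [ -f "$cert" ] || { echo "bundle or certificate not found" >&2; return 2; }

    # Structural PEM check: at least one certificate, BEGIN/END markers balanced.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$cert" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "$cert is not a PEM certificate file" >&2
        return 3
    fi

    # A trust bundle must never contain key material.
    if grep -q -- 'PRIVATE KEY-----' "$cert"; then
        echo "$cert contains a private key; refusing to append" >&2
        return 4
    fi

    # Idempotency heuristic: the first base64 line of the certificate is
    # effectively unique, so if the bundle already has it, do nothing.
    first=$(grep -v -- '^-----' "$cert" | grep -v '^[[:space:]]*$' | head -n 1)
    [ -n "$first" ] || { echo "$cert has no certificate body" >&2; return 3; }
    if grep -qxF -- "$first" "$bundle"; then
        echo "certificate already present in $bundle"
        return 0
    fi

    # Back up first, then append (leading newline in case the bundle lacks one).
    backup="$bundle.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$bundle" "$backup" || return 5
    { printf '\n'; cat "$cert"; } >> "$bundle"
    echo "appended $cert to $bundle (backup: $backup)"
}

if [ "$#" -eq 2 ]; then
    append_ca "$1" "$2"
fi
```

With verification enabled, this bundle is what authenticates the ECS endpoint to the add-on, so append only a CA certificate obtained from the ECS administrator; `openssl x509 -in FILE -noout -subject -enddate` shows what a file contains before it is added.
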
Logging. Save.
Load Balancer:
On the TA side, the ECS node IPs must be configured instead of a VIP. This is because the TA uses the API call GET /vdc/nodes to return all ECS node information and matches it against the configured account. It then uses that to pull the data from the ECS InfluxDB through the Flux API, which helps minimize impact on the ECS cluster.
So, configuring a VIP does work for ECS version 3.5 and below but not for 3.6.
Increase the Timeout if required:
If a Timeout Error occurs, follow the steps below to increase the timeout value in the Splunk Add-on.
1.) Disable the Input
2.) Navigate to location: $SPLUNK_HOME/etc/apps/TA-dellecs/bin. Make below changes:
i.) Copy ecs_connect.py and rename it to ecs_connect.py.bak so we would have a backup.
ii.) In ecs_connect.py, find the string: self.TIMEOUT=15
iii.) Change the timeout value from 15 to 60 (i.e. 60 seconds)
Note: This change affects all three modular inputs (login and data collection)
3.) Enable Input
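
The file edit in step 2 can be scripted so that the backup is never overwritten and the change is refused when the file does not look as described. This is an added example, not part of the add-on; the function name `set_ecs_timeout` is hypothetical, and tolerating spaces around `=` is an assumption.

```shell
#!/bin/sh
# Added example (not part of the add-on): apply the timeout change from the
# steps above. The file and the string self.TIMEOUT=15 are the ones the steps name.
# Usage: sh set_timeout.sh "$SPLUNK_HOME/etc/apps/TA-dellecs/bin/ecs_connect.py" 60

set_ecs_timeout() {
    file=$1
    new=${2:-60}
    [ -f "$file" ] || { echo "$file not found" >&2; return 2; }
    case $new in
        ''|*[!0-9]*) echo "timeout must be a whole number of seconds" >&2; return 3 ;;
    esac

    # Expect exactly one assignment; anything else means the file differs from
    # what the steps describe (for example after an add-on upgrade), so stop.
    # Assumption: optional spaces around '=' are tolerated.
    n=$(grep -c -E 'self\.TIMEOUT *= *[0-9]+' "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected 1 self.TIMEOUT assignment in $file, found $n" >&2
        return 4
    fi

    # Step i: keep ecs_connect.py.bak; never overwrite an existing backup, so
    # it always holds the file as it was before the first change.
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 5

    # Steps ii-iii: rewrite the value through a scratch file, then copy the
    # content back so the original owner and mode are preserved.
    scratch=$(mktemp) || return 5
    if sed -E "s/self\.TIMEOUT *= *[0-9]+/self.TIMEOUT=$new/" "$file" > "$scratch" \
        && cat "$scratch" > "$file"; then
        rm -f "$scratch"
    else
        rm -f "$scratch"
        return 6
    fi
    grep -n 'self\.TIMEOUT' "$file"   # show the resulting line
}

if [ "$#" -ge 1 ]; then
    set_ecs_timeout "$@"
fi
```

Run it between steps 1 and 3, with the input disabled.
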
Dell ECS Add-on for Splunk. From the inputs screen, click on Create New Input. It has multiple input configurations: Dell ECS Input, Dell ECS Namespaces Input, Dell ECS Buckets Input.
Dell ECS Input will index all the data into Splunk except Namespace and Bucket data.
Dell ECS Namespace Input will index Namespace data only.
Dell ECS Buckets Input will index Buckets data only.

Input Parameter | Mandatory or Optional | Description |
---|---|---|
Name | Mandatory | Provide a unique name to identify the ECS Server details |
Interval | Mandatory | Interval in seconds or a cron schedule. The input is triggered at every interval and fetches the data from the ECS endpoints. For example, the cron schedule for every one minute is `*/1 * * * *`. |
Index | Mandatory | Index in which you want to store your data. |
Global Account | Mandatory | Select previously configured ECS Server details. |
Start Time | Optional | Provide start time in GMT from which Data Collection will start. Time format is "%Y-%m-%dT%H:%M". |
To see data logged by Dell ECS Add-on for Splunk, select the Search tab. Search Dell_ECS_index macro.
Libraries(Python) | Version | Repository link | License |
---|---|---|---|
croniter | 0.3.25 | https://pypi.org/project/croniter/ | https://github.com/kiorky/croniter/blob/master/docs/LICENSE |
dateutil | 2.6.1 | https://pypi.org/project/python-dateutil/ | https://github.com/dateutil/dateutil/blob/master/LICENSE |
To troubleshoot the Dell ECS Add-on, check the following log files:
* $SPLUNK_HOME/var/log/splunk/ta_dell_ecs_dell_ecs_input.log
* $SPLUNK_HOME/var/log/splunk/ta_dell_ecs_dell_ecs_namespaces_input.log
* $SPLUNK_HOME/var/log/splunk/ta_dell_ecs_dell_ecs_buckets_input.log
Users can search for ERROR logs in Splunk using the following query:
* index="_internal" source=**ta_dell_ecs_dell_ecs_*.log** ERROR
Please refer to the guide at the link below for additional configuration details.
Link: https://infohub.delltechnologies.com/t/dell-ecs-app-for-splunk-enterprise/
Added support of Splunk 8.x
Made Add-on Python2 and Python3 compatible
Added proxy support
Added extraction for CAS logs