A compilation of dashboards to visualize data coming from the Oracle Cloud Infrastructure (OCI) log streaming service into Splunk. Dashboards cover VCN flow logs, audit logs, Cloud Guard logs, object storage access logs, function logs, load balancer access logs and load balancer error logs, giving a comprehensive view of your OCI infrastructure from Splunk Enterprise or Splunk Cloud.
Download the latest add-on from Splunkbase:
- For Splunk Cloud users with the Heavy Forwarder installed in Oracle Cloud: https://splunkbase.splunk.com/app/7021
- For on-prem: https://splunkbase.splunk.com/app/5222
While this app is not formally supported, the developer can be reached at vrichards@splunk.com or in the splunk-usergroups Slack, @VivianRichards. Responses are made on a best-effort basis. Feedback is always welcome and appreciated!
Special acknowledgement to Ahmed Kira, the original developer of this application!
SETUP INSTRUCTIONS
- Ensure your OCI configuration file is complete and the necessary keys have been generated
- Ensure the OCI Logging Add-on for Splunk is installed on the heavy forwarder, connected, and receiving logs from OCI. Download the latest OCI TA/plugin here: https://github.com/oracle-quickstart/oci-arch-logging-splunk
- Create 2 new indexes on the indexers:
  The first index is where your OCI logs will reside.
  The second index MUST be named oci_vcn_summary. This is a summary index for VCN flow logs; all VCN dashboards rely on it.
  Use the sample below to deploy it on the cluster master, then do a cluster bundle push:
[oci_vcn_summary]
homePath = $SPLUNK_DB/oci_vcn_summary/db
coldPath = $SPLUNK_DB/oci_vcn_summary/colddb
thawedPath = $SPLUNK_DB/oci_vcn_summary/thaweddb
coldToFrozenDir = $SPLUNK_DB/oci_vcn_summary/frozendb
##### 30 days
frozenTimePeriodInSecs = 2592000
maxHotIdleSecs = 3600
repFactor = auto
- Deploy the OCI app on the Search Head, or on the deployer and push it out to the SHC
- Deploy the OCI log streaming add-on on a Splunk 8.0+ Heavy Forwarder, since it relies on Python 3.x
- Add inputs through the add-on user interface (on the heavy forwarder)
- On the search head with this app deployed, edit the macros: update the `oci_index` macro with the 1st index created above
- Once OCI log streaming data is flowing to your Splunk instance, run the saved searches ending with 'RUN ONCE' to initially populate the necessary lookups
- Watch the dashboards get populated
NOTES ON MACROS PROVIDED IN THIS APP:
oci_index
: update with the index where your OCI logs are sent
oci_trim
: this macro renames multiple nested JSON trees and creates the new fields that all dashboards rely on. Search filters must be placed before `oci_trim`, or in an explicit "| search" after it, as in the examples below:
VALID SEARCHES:
`oci_index` sourcetype=com.oraclecloud.object* `oci_trim`
`oci_index` `oci_trim` | search type=object*
`oci_index` `oci_trim`
INVALID SEARCH:
`oci_index` `oci_trim` sourcetype=com.oraclecloud.object*
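As an added illustration (not part of the app), the following Python check applies the ordering rule above to a search string before it is pasted into a dashboard panel or saved search, and rewrites an invalid search into the "| search" form. Only the two macro names come from this README; the functions are hypothetical helpers.

```python
from __future__ import annotations

# Macro names from the app. The rule below mirrors the VALID/INVALID examples:
# bare terms (sourcetype=..., type=...) go before `oci_trim` or into "| search".
TRIM_MACRO = "`oci_trim`"
INDEX_MACRO = "`oci_index`"


def check_oci_search(spl: str) -> tuple[bool, str]:
    """Return (is_valid, reason) for a search that uses the app's macros."""
    head, found, tail = spl.strip().partition(TRIM_MACRO)
    if INDEX_MACRO not in head:
        return False, "search must begin with `oci_index` (before `oci_trim`)"
    if not found:
        return True, "no `oci_trim`, so the ordering rule does not apply"
    tail = tail.strip()
    if not tail:
        return True, "`oci_trim` is the last term"
    if tail.startswith("|"):
        return True, "terms after `oci_trim` are introduced by a pipe"
    # Bare terms directly after the macro are the INVALID case above.
    return False, f"bare term {tail.split()[0]!r} follows `oci_trim`"


def fix_oci_search(spl: str) -> str:
    """Move bare terms that follow `oci_trim` into an explicit '| search'."""
    spl = spl.strip()
    ok, reason = check_oci_search(spl)
    if ok:
        return spl
    head, _, tail = spl.partition(TRIM_MACRO)
    if INDEX_MACRO not in head:
        raise ValueError(reason)
    # Keep any later pipeline stages (e.g. "| stats ...") after the wrapped terms.
    # Assumes the bare terms themselves contain no '|' character.
    terms, pipe, rest = tail.strip().partition("|")
    fixed = f"{head.strip()} {TRIM_MACRO} | search {terms.strip()}"
    if pipe:
        fixed += f" | {rest.strip()}"
    return fixed
```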
NOTES ON SAVED SEARCHES PROVIDED IN THIS APP:
This app contains 3 backfill searches. USE THESE SEARCHES WITH CAUTION!
1. Only backfill time ranges you know are missing
2. To be safe and to avoid duplicate data, consider wiping out the entire oci_vcn_summary index and backfilling with earliest=1