Splunk Enterprise Security: How to automate the population of assets.csv with DB Connect?

oagtexas
Explorer

We are running Enterprise Security and I'm trying to schedule and automate the population of assets.csv that ES uses as an Identity Management lookup file. I figured I could use DB Connect to connect to our SQL-based CMDB and pull the required information. This connection works fine and I'm able to access a stored report in the CMDB to use to create the exact format of the assets.csv file.

I see 3 options to save anything in DB Connect:

DB Inputs
DB Outputs
DB Lookups

I don't see any of these options doing what I want to do above, which is just to call the query and output it as a lookup CSV file. I'm thinking there's a sloppy workaround to be found here, but I was wondering how others are automating their asset inventory in ES?

0 Karma

maciep
Champion

We connect to our CMDB to get our assets and identities as well. We have a scheduled search that runs the dbquery, massages the data as needed, formats the data as needed, and then at the very end of the search we pipe to the outputlookup command to create the CSV itself.

For the lookups themselves, we have them configured in a custom SA of ours. And then we configure ES to include those lookups for its asset/identities lists.

Also, our ES env is clustered and we haven't got around to feeling comfortable with DB Connect in that ES cluster. So we actually run the above search on our heavy forwarder and rsync the custom app with our lookups over to the ES boxes a couple of times a day.

Not sure if that's the best approach, but that's how we're doing it. Oh, and we're still on ES 3.3.2.

0 Karma

rishrai
New Member

I am looking to continuously update the asset list from the CMDB. DB Connect is installed on the heavy forwarder. I got the part of running dbquery in DB Connect to generate the lookup file. Now how do I get the lookup file to the ES search head and place it in SA-IdentityManagement? I am not familiar with rsync. Can you please explain more?

0 Karma
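An added example, written for this thread and not code posted by maciep, rishrai or Splunk: a POSIX shell script that packages the workflow maciep describes (scheduled search running the DB Connect query, piped to outputlookup inside a custom SA app, then the app rsynced from the heavy forwarder to the ES search heads), and shows what the rsync step rishrai asks about looks like. Everything concrete in it is an assumption: the app name SA-cmdb-assets, the DB Connect connection name "cmdb", the CMDB view and its column names, the ES search head names and the `splunk` SSH user. The header list is the standard ES asset lookup field set, and the script refuses to ship a lookup whose header does not match it or that has no rows, so a broken CMDB pull cannot wipe ES's asset list.

```shell
#!/bin/sh
# Added example (not from the thread): build and distribute a CMDB-fed ES
# assets lookup from a heavy forwarder to ES search heads.
# App name, connection name, SQL view, column names and hosts are assumptions.

APP_DIR="${APP_DIR:-/opt/splunk/etc/apps/SA-cmdb-assets}"   # assumed custom SA app
LOOKUP="$APP_DIR/lookups/assets_from_cmdb.csv"
ES_HOSTS="${ES_HOSTS:-}"   # space-separated ES search heads, e.g. "es-sh1 es-sh2"

# Standard ES asset lookup header; anything else is rejected before syncing.
EXPECTED_HEADER='ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av'

# Write the scheduled search that pulls the CMDB report via DB Connect's
# dbxquery, maps CMDB columns onto ES asset fields and writes the CSV with
# outputlookup (file lands in the app's lookups/ directory).
write_saved_search() {
  mkdir -p "$APP_DIR/local" "$APP_DIR/lookups"
  cat > "$APP_DIR/local/savedsearches.conf" <<'EOF'
[CMDB - Refresh ES assets lookup]
cron_schedule = 0 */6 * * *
enableSched = 1
dispatch.earliest_time = -1h
search = | dbxquery connection="cmdb" query="SELECT * FROM dbo.es_assets_report" \
| rename hostname AS nt_host, fqdn AS dns, ip_address AS ip, mac_address AS mac, business_unit AS bunit \
| eval priority=coalesce(priority,"medium"), is_expected="true", should_timesync="false", should_update="false", requires_av="true" \
| fields ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av \
| outputlookup assets_from_cmdb.csv
EOF
}

# Return 0 when the CSV exists and its header is exactly the ES asset field list.
check_assets_header() {
  file="$1"
  [ -s "$file" ] || return 1
  header=$(head -n 1 "$file" | tr -d '\r')
  [ "$header" = "$EXPECTED_HEADER" ]
}

# Print the number of non-empty data rows (header excluded); 0 if missing.
asset_row_count() {
  [ -s "$1" ] || { echo 0; return; }
  tail -n +2 "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Ship the whole app (saved search + lookup) to each ES search head, as in
# maciep's rsync step. --delete removes lookups that no longer exist locally.
sync_app_to_es() {
  for host in $ES_HOSTS; do
    rsync -az --delete "$APP_DIR/" "splunk@$host:$APP_DIR/" || return 1
  done
}

main() {
  write_saved_search
  if check_assets_header "$LOOKUP" && [ "$(asset_row_count "$LOOKUP")" -gt 0 ]; then
    sync_app_to_es
  else
    echo "assets lookup missing, empty or malformed; not syncing to ES" >&2
    return 1
  fi
}

# Only act when invoked explicitly, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it on the heavy forwarder from cron (`ES_HOSTS="es-sh1 es-sh2" sh sync_cmdb_assets.sh --run`) after the saved search has produced the file; on the ES side the app still has to be registered as an asset source in ES's asset configuration, as maciep notes, and the search head will pick up the refreshed CSV on the next lookup merge. The header and row-count checks are the important part: a CMDB outage that returns zero rows would otherwise propagate as an empty asset list and silently strip asset enrichment from notable events.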