LogoLogo
LearnDocumentationSupportCommunity
Version 6.30
Version 6.30
  • Welcome
  • Nexthink V6
  • Overview
    • Software components
    • Collector
    • Finder
    • Engine
    • Portal
    • Nexthink Library
    • Digital Experience Score
  • Installation and configuration
    • Planning your installation
      • Overview of the installation process
      • Hardware requirements
      • Connectivity requirements
      • Software requirements
      • Reference architectures
    • Installing Portal and Engine Appliances
      • Installing the Appliance
      • Installing the Appliance on Azure
      • Installing the Appliance on AWS
      • Installing the Appliance on OTC
      • Managing Appliance accounts
      • Setting the names of the Portal
      • Setting the names of the Engines
      • Specifying your internal networks and domains
      • Federating your Appliances
      • STIG compliance in Web Console
      • Connecting the Portal to the Engines
      • Configuring session performance storage
      • Configuring device performance storage
      • Setting up a software license
      • Sending email notifications from the Appliance
      • Allocating resources for the Portal
    • Installing the Collector
      • Installing the Collector on Windows
      • Installing the Collector on macOS
      • Installing the Collector for a Proof of Value
      • Assigning Collectors to Engines
      • Assignment of roaming Collectors
      • Collector MSI parameters reference table
      • Nxtcfg - Collector configuration tool
      • Inspecting the connection status of the Collector
      • Querying the status of the TCP connection of the Collector
      • Reporting the URL of HTTP web requests
      • Auditing logon events
      • Viewing user interactions in virtualized and embedded environments
      • Engage notifications on macOS
      • Configuring Collector level anonymization
    • Collector remote connectivity
      • Redirecting and anonymizing Collector traffic
      • Redirecting the Collector TCP channel
      • Support for DirectAccess
      • Windows Collector proxy support
      • Mac Collector proxy support
    • Installing the Event Connector
      • Installing the Event Connector on Linux
    • Installing the Finder
      • Installing the Finder on Windows
      • Enabling Cross-Engine Finder features
      • Expanding the time frame of investigations in the Finder
      • Enabling Finder access to the Library
      • Finder proxy support
    • Updating from V6.x
      • Updating the Appliance
      • Content centralization when updating the Appliance
      • Updating the Collector
      • Viewing Collector deprecated fields
      • Updating the Finder
    • Security and user account management
      • Importing and replacing certificates
      • Hierarchizing your infrastructure
      • Adding users
      • Enabling SAML authentication of users
      • Just-In-Time provisioning of user accounts
      • Enabling Windows authentication of users
      • Multi-factor authentication for local accounts overview
      • Provisioning user accounts from Active Directory
      • Establishing a privacy policy
      • Disabling local accounts for interactive users
      • Setting the complexity and minimum length of passwords for local accounts
      • Protecting local accounts against brute force attacks
      • Preventing password saving in the Finder
      • Controlling session timeouts in the Portal
      • Security settings in the Appliance
      • Setting the Do Not Disturb periods between campaigns
    • Data retrieval and storage
      • Data retention
      • Increasing the maximum number of metrics
      • Establishing a data retention policy in the Engine
      • Storing Engine data in a secondary disk drive
      • Importing data from Microsoft Active Directory
      • Setting the locale in the Portal
      • Changing the Time Zone of the Portal
      • Time Zones and data collection
      • Changing the data collection time of the Portal
      • Nightly task schedules timetable
      • Changing the thresholds of High CPU warnings
      • Automatic restart of unresponsive Engine
    • Maintenance operations
      • Logging in to the CLI
      • Special operation modes for the Engine and the Portal
      • Changing the default ports in the Appliance
      • Centralized Management of Appliances and Engines
      • Monitoring the performance of the Appliance
      • Resizing partitions in Appliance
      • Configuring the system log
      • Examining the logs in the Portal
      • GDPR - Retrieving or anonymizing personal data
      • Finding out unlicensed devices
      • Removing devices
      • Installing third-party software in the Appliance
      • Installing VMware Tools in the Appliance
      • Operational data sent to Nexthink
      • Sending additional data to Support
    • Disaster recovery
      • Planning for disaster recovery
      • Web Console backup and restore
      • Engine backup and restore
      • Portal backup and restore
      • Rule-based assignment backup and restore
      • License backup and restore
      • PKI backup and restore
    • Branding
      • Branding the Portal
      • Branding of campaigns
  • User manual
    • Getting started
      • Logging in to the Finder
      • Logging in to the Portal
      • Enabling STIG in Webconsole
    • Querying the system
      • Searching the subject of interest
      • Executing an investigation
      • Creating an investigation
      • Editing the options of an investigation
      • Combining logical conditions in investigations
      • Navigating through the results of an investigation
      • Properties of users and devices
    • Visualizing system activity in the Finder
      • Getting a quick overview
      • Graphically observing the activity of users and devices
      • Observing service performance
      • Viewing network connections
      • Viewing web requests
      • Viewing executions
    • Monitoring IT custom metrics
      • Creating a metric
      • Examples of metrics
      • Session performance
      • Device performance
      • Following the evolution of a metric
      • Finding the visuals of a metric
    • Monitoring IT services
      • Analyzing service quality
      • Creating a service
      • Following the evolution of a service
      • Specifying URL paths of web-based services
    • Engaging with the end user
      • Getting feedback from the end users
      • Types of campaigns
      • Creating a campaign
      • Editing a campaign
      • Types of questions
      • Controlling the flow of questions
      • Translating a campaign
      • Triggering a campaign manually
      • Limiting the reception rate of campaigns
      • Scrutinizing the results of a campaign
      • Continuously measuring the satisfaction of employees
    • Rating devices and users with scores
      • Computing scores
      • Creating a score
      • Checking and comparing ratings
      • Computing potential savings
      • Score XML Reference
      • Documenting scores
    • Remotely acting on devices
      • Scenarios for remote actions
      • Creating a remote action
      • Executing remote actions
      • Triggering a remote action manually
      • Writing scripts for remote actions on Windows
      • Writing scripts for remote actions on Mac
      • Example of self-healing scenario
      • Example of self-help scenario
      • Application control and remote actions
    • Organizing objects with categories
      • Classifying objects of the same type
      • Creating categories and keywords
      • Tagging objects manually
      • Tagging objects automatically
      • Importing tags from text files
    • Getting notified by the system
      • Receiving Engage campaigns
      • Receiving email digests
      • Receiving alerts
      • Creating a service-based alert
      • Creating an investigation-based alert
    • Building web-based dashboards
      • Introducing dashboards in the Portal
      • Creating a dashboard
      • Examining metrics in depth
      • Documenting dashboards
      • Assessing license use
      • Computing dashboard data
      • Reusing dashboard content
    • Importing and exporting authored content
      • Methods for reusing authored content
      • Manually sharing Finder content
      • Importing a content pack
      • Conflict resolution
      • Exporting a content pack
  • Library packs
    • Compliance
      • Device Compliance
    • Configuration Manuals
      • Overview (Configuration Manuals)
      • Installing A New Version Of A Library Pack
    • Digital Employee Score (DEX score)
      • DEX Score Installation And Configuration
      • Detailed Library Pack Changelog
    • Device management
      • Reduce logon duration
      • Group Policy Management
      • Hardware Asset Renewal
      • Hardware Asset Renewal Advanced
      • Application Auto-Start Impact
    • Remote Employee Experience
      • Remote Worker Experience
      • Home Networking
      • Change Log And Upgrade Process
      • Remote Worker Vs Office Worker Device Category
      • Remote Worker Insights
      • DEX V2 Upgrade Of Remote Worker
    • Persona Insight
      • Persona Insight - Overview
      • Persona Insight - Library Pack
      • Persona Insight - Score Only Pack
      • Persona Insight - Without Campaign pack
      • Persona Insight - Getting Started and Upgrade Procedure
      • Persona Insight - Configuration Guide
      • Persona Insight - Troubleshooting - Multiple devices on multiple engines
      • Persona Insight - Reference Guide
      • Persona Insight - Example Pack
      • Persona Insight - Device Sizing
        • Persona Insight - Device Sizing Overview
        • Persona Insight - Device Sizing Configuration
      • Persona Insight - Application Sizing
        • Persona Insight - Application Sizing Overview
        • Persona Insight - Application Sizing Configuration
      • Legacy Persona documentation
        • Persona Insight - Library Pack (V.1.0.0.0)
        • Persona Insight - Base Pack
        • Persona Insight - Base Pack Advanced
        • Persona Insight - Customization Guide (V1.0.0.0)
        • Persona Insight - Configuration Guide (V1.0.0.0)
        • Persona Insight - Reference Guide (V1.0.0.0)
    • GSuite
      • GSuite: Health
      • GSuite: Services
      • GSuite: Sentiment
      • GSuite: Advanced Health
    • Support
      • Support: Level 1
    • Shadow IT
      • Shadow IT
    • Malware Protection
      • Malware Protection
    • Office 365 Health
      • Office 365 Health: Overview
      • Office 365 Health: Services
    • Office 365 OneDrive
      • OneDrive Summary
      • OneDrive Operations
      • OneDrive Advanced Health
      • OneDrive Migration
      • OneDrive Sentiment
      • OneDrive Management
      • OneDrive Advanced Operations
    • Office 365 Teams
      • Teams Overall Configuration
      • Teams - Migration
      • Teams - Health
      • Teams - Advanced Health
      • Teams - Adoption
    • Microsoft 365 Apps
      • Microsoft 365 Apps - Operate
    • Employee Self Service
      • Overview
      • Configuration
      • Usage
    • Onboarding Experience Management
      • OEM - Overview
      • OEM - Configuration
    • Office 365 Outlook
      • Outlook Troubleshooting
    • Virtualization
      • Virtualization: Operate
      • Virtualization: AVD - Advanced
      • Virtualization: Citrix Advanced
      • Virtualization: Project
      • Virtualization: Troubleshooting
        • Virtualization: Troubleshooting: Configuration
    • Windows
      • Win10: Configuration
      • Win10: Migration
      • Win10: Feature Update
      • Win10: Quality Update
      • Windows Defender Management
      • Administrators Management
    • Windows 11
      • Windows 11 - Readiness
      • Windows 11 - Migration Pilot
      • Windows 11 - Migration
      • Windows 11 - Operate
    • Webex
      • Webex Operate
    • Zoom
      • Zoom Operate
    • Remote Actions
      • Get Performance Monitor Data
      • Skype For Business
      • Restart Device
      • Upload Logs to S3 using PreSigned URLs
    • Software Asset Optimization
    • Collaboration Optimization
      • Collaboration Optimization - Solution Overview
      • Collaboration Optimization - Configuration
      • Collaboration Optimization - Usage / Troubleshooting
    • Systems Management
      • Manage Configuration Drift
      • MS ConfigMgr - Client Health
        • MS ConfigMgr - Client Health - Summary
        • MS ConfigMgr - Client Health - Configuration Guide
      • Intune
        • Intune - Health
          • Intune - Health - Summary
          • Intune - Health - Configuration Guide
    • Return to the office
      • Return to the office - Planning
      • Return to the office - Readiness
    • Green IT
      • Green IT - Overview
      • Green IT - Configuration Guide
    • Hybrid Working
      • Hybrid Working Experience
      • Hybrid Working Experience - Installation and upgrade procedure
  • Integrations
    • Nexthink ServiceNow Service Graph Connector
      • Overview
        • Roles and Permissions
        • Modules
      • Installation and Configuration Guide
        • Pre-requisites
          • Configure Identification Rules
          • Import and setup the CMDB categories in Finder
        • Setup
          • Configure the connection
          • Configure import properties
          • Configure additional engines
          • Set up scheduled import jobs
      • Data transformation and mapping by default
      • How to customize the behaviour of the Connector
      • FAQ
        • Why ServiceNow Service Graph Connector?
        • What about Nexthink CMDB Connector?
        • Why is the name the primary key for the devices?
      • Troubleshooting
        • IRE identification issues
          • [No Choice found in the sys_choice table for the target table](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/ire-identification-issues/ no-choice-found-in-the-sys_choice-table-for-the-target-table.md)
          • Identification rules not created
          • Discovery_source choice not created
        • Timeout Errors
          • ECCResponseTimeoutException
          • HTTP 0 error
        • MID server issues
          • java.lang.NullPointerException
          • MID Server memory issues
          • Not trusted certificates in Quebec release
        • Configure credentials issues
          • [Not allowing update of property authentication_choice](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/configure-credentials-issues/ not-allowing-update-of-property-authentication_choice.md)
          • Invalid username/password combo (HTTP 401/403)
        • Configure Engines Issues
          • [The client secret supplied for a confidential client is invalid](integrations/nexthink-servicenow-service-graph-connector/troubleshooting/configure-engines-issues/ the-client-secret-supplied-for-a-confidential-client-is-invalid.md)
        • No Cis imported and no errors found in the log
    • Nexthink ServiceNow Incident Management Connector (IMC)
      • Installation and configuration guide (IMC)
      • Troubleshooting Guide (IMC)
      • Domain separation installation (IMC)
    • Nexthink ServiceNow CMDB Connectors
      • Installation and Configuration Guide
      • Troubleshooting Guide
      • Field transformation and normalisation examples
    • Nexthink Event Connector
      • High level overview
      • Installation and Configuration Guide
      • Troubleshooting guide
      • RPM installation
      • Splunk specific documentation
        • Upgrading from Splunk Connector to Event Connector
        • Splunk add-on installation and usage
    • Nexthink Chatbot SDK
      • Introduction and concepts
      • Installation, configuration and update guide
        • Installation and configuration
        • Update to newer version
        • Uninstallation
        • Authentication
        • Topics configuration
        • Remote action configuration
        • Advanced configuration
        • Additional resources and references
      • Dimensioning guide
      • Troubleshooting
      • Technical solution description
      • Downloads and release notes
  • Glossary and references
    • Search and information display
      • Search in Finder
      • Keyboard shortcuts for column display selection
      • Campaign display compatibility
      • Real-time and consolidated service data
      • Service errors and warnings
      • Errors and warnings for devices and executions
      • Types of widgets
      • Widget compute state in charts
      • Errors in the execution of remote actions
      • Top results of Cross-Engine investigations
      • Engine data history
    • Tooltips in the user and device views
      • Alerts tooltips
      • Warnings tooltips
      • Errors tooltips
      • Activity tooltips
      • Services tooltips
    • Database information and organization
      • Maximum supported values
      • Local and shared content
      • Device Identification
      • Local IP address of devices
      • Timestamping of events
      • Boot and logon duration
      • Application startup duration
      • Application not responding events
      • Memory and CPU usage
      • Status of TCP connections
      • Status of UDP connections
      • Network and port scan conditions
      • Binary paths
      • Maximum number of Binaries
      • Package Executable Mapping
      • Metro apps
      • Investigation with packages
      • Portal aggregation and grouping
      • Focus time metric
    • Security
      • Access rights and permissions
      • Active Directory authentication
      • Canonical domain names for Windows authentication
      • System alerts
      • Audit trail
      • Appliance hardening
      • STIG hardening
      • FIPS 140-2 compliance
      • Security bulletins
        • Is Nexthink affected by Okta breach
        • Is Nexthink affected by SolarWinds breach
        • Nexthink and Log4j - Security bulletin
        • CVE-2022-22965 - Security Vulnerability Spring4shell - Spring Framework
        • Version 6.22.2.10: Security Vulnerability Maintenance Release
        • The Collector V6.27.X Release – Security Bulletin
    • References
      • Components of the Collector
      • Server support
      • Compatibility mode
    • Glossary
      • Activity
      • Alert
      • Application
      • Binary
      • Campaign
      • Category
      • Connection
      • Dashboard
      • Destination
      • Device
      • Domain
      • Entity
      • Event
      • Executable
      • Execution
      • Focus time
      • Hierarchy
      • Installation
      • Investigation
      • Keyword
      • Metric
      • Module
      • Object
      • Package
      • Platform
      • Port
      • Printer
      • Score
      • Service
      • Session
      • System boot
      • User
      • User logon
      • Web request
      • Widget
  • API and integrations
    • Integrating with Nexthink
      • Event Connector
      • Getting data through the NXQL API
      • Bidirectional integration with the Finder
      • Count metrics API
      • Software metering API
      • Services API
      • List Engines API
      • GetSID API
      • Triggering campaigns via their API
      • Triggering remote actions via their API
      • Audit trail API
      • Integrating investigation-based alerts
      • Downloads
    • NXQL API
      • Introducing the NXQL API
      • NXQL Tutorial
      • NXQL language definition
      • NXQL Data Model
    • Integrations
      • Excel integration with NXQL
      • Power BI
      • Azure Data Lake Storage Gen2
      • Splunk Event Connector
    • ServiceNow
      • CMDB Connector
      • Incident Management Connector
      • Event Management

© Nexthink

  • Privacy policy
  • Responsible Disclosure Policy
On this page
  • Introduction
  • Overview
  • Requirements
  • Installation
  • Option 1: from store
  • Option 2: file install
  • Event types
  • Data models
  • NXT Connection
  • NXT Device Activity
  • NXT Device Error
  • NXT Device Warning
  • NXT Execution
  • NXT Execution Error
  • NXT Execution Warning
  • NXT Installation
  • NXT Network Scan
  • NXT Port Scan
  • NXT Printout
  • NXT User Activity
  • NXT Web Request
  • Use Cases
  • Traffic Aggregation dashboard in Splunk
  • CSC 0 dashboard in Splunk
  • CSC 1 dashboard in Splunk
  • Support

Was this helpful?

  1. Integrations
  2. Nexthink Event Connector
  3. Splunk specific documentation

Splunk add-on installation and usage

Last updated 9 months ago

Was this helpful?

Introduction

This document provides comprehensive information on the definition and installation of event types and data models into a Splunk instance. The Nexthink Splunk Add-on for the Nexthink Event Coordinator allows users to perfectly map and make the most out of the Nexthink data injected into a Splunk instance.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us via .

This document is intended for readers with a detailed understanding of Nexthink technology and Splunk technology, as well as some understanding of concepts such as databases and data models.

The installation instructions provided here should be executed by a Splunk certified professional.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

Overview

The Nexthink Splunk Add-on allows a Splunk Enterprise administrator to use the proper event types and data models to map the data provided by the Nexthink Event Connector.

Nexthink Splunk Add-on includes the following new features:

  • 3 new eventtypes for those events in Nexthink that correspond to CIM models.

  • 13 new data models matching the different types of events provided by Nexthink.

Requirements

Pre-requisites for the Nexthink Splunk add-on installation:

  • Splunk Enterprise 6.5 or later

  • CIM 4.8 or later installed on the Splunk instance, in order to be able to use the included in the add-on eventtypes.

Installation

Option 1: from store

  • Click on App: Search & Reporting > Find More Apps in the main menu of the Splunk instance.\

    \

  • Type “Nexthink Add-on for Splunk” in the top search box.

  • Click Install for the installation.

Option 2: file install

You can download and install the add-on file to the Splunk instance by following these steps:

If it is necessary to get the add-on file to be uploaded to the Splunk instance:

  • Log in to Splunk through My Account > LOGIN

  • Search for Nexthink Splunk Add-on using the top search bar.

  • Click on Download. This will download a file with the add-on packed in.

To upload the add-on file:

  • Log in to the Splunk instance where you have to install the add-on.

  • Go to Apps > Manage Apps. From the home page of the Splunk instance:\

    \

  • Click on Install app from file.

  • Choose the add-on file and click on Upload

Event types

Name
Search String
Tag(s)

nxt_connection

sourcetype=_json source=Nexthink (event_type=established_connections OR event_type=failed_connections)

communicate network

nxt_execution

sourcetype=_json source=Nexthink (event_type=execution)

cpu performance

nxt_web_request

sourcetype=_json source=Nexthink (event_type=established_web_requests OR event_type=failed_web_requests)

web

Data models

NXT Connection

Applying Nexthink Event to connection

Data Set
Constraints

Connection

source=Nexthink (event_type=failed_connections OR event_type=established_connections)

Failed Connections

event_type=failed_connections

Established Connections

event_type=established_connections

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

cardinality

cardinality

Number

destination_ip_address

dest_ip

String

All_Traffic ->

Network_Traffic

device_ip_address

src_ip

String

All_Traffic ->

Network_Traffic

duration

duration

Number

All_Traffic ->

Network_Traffic

id

id

Number

incoming_bitrate

incoming_bitrate

Number

incoming_traffic

bytes_in

Number

All_Traffic ->

Network_Traffic

network_interface_iana_codestring

network_interface_iana_codestring

String

network_interface_index

network_interface_index

Number

network_interface_type

network_interface_type

String

network_response_time

response_time

Number

All_Traffic ->

Network_Traffic

outgoing_bitrate

outgoing_bitrate

Number

outgoing_traffic

bytes_out

Number

All_Traffic ->

Network_Traffic

status

status

String

type

transport

String

All_Traffic ->

Network_Traffic

NXT Device Activity

Applying Nexthink Event to device_activity

Data Set
Constraints

Device Activity

source=Nexthink (event_type=device_boot)

Device Boot

event_type=device_boot

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

duration

duration

Number

id

id

Number

type

type

String

NXT Device Error

Applying Nexthink Event to device_error

Data Set
Constraints

Device Error

source=Nexthink (event_type=system_crash OR event_type=smart_disk

OR event_type=hard_reset)

System Crash

event_type=system_crash

SMART Disk Failure

event_type=smart_disk

Hard Reset

event_type=hard_reset

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

error_code

error_code

Number

error_label

error_label

String

id

id

Number

type

type

String

NXT Device Warning

Applying Nexthink Event to device_warning

Data Set
Constraints

Device Error

source=Nexthink (event_type=high_io_usage OR event_type=high_memory_usage OR event_type=high_cpu_usage OR event_type=high_number_of_page_faults)

High IO Usage

event_type=high_io_usage

High Memory Usage

event_type=high_memory_usage

High CPU Usage

event_type=high_cpu_usage

High Number of Page Faults

event_type=high_number_of_page_faults

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

duration

duration

Number

id

id

Number

info

info

String

type

type

String

value

value

Number

warning_duration

warning_duration

Number

NXT Execution

Applying Nexthink Event to execution

Data Set
Constraints

Execution

source=Nexthink (event_type=execution)

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set → data model)

average_memory_usage

average_memory_usage

Number

binary_path

binary_path

String

id

id

Number

incoming_tcp_traffic

incoming_tcp_traffic

Number

incoming_udp_traffic

incoming_udp_traffic

Number

outgoing_tcp_traffic

outgoing_tcp_traffic

Number

outgoing_udp_traffic

outgoing_udp_traffic

Number

privilege_level

privilege_level

String

status

status

String

total_cpu_time

cpu_time

Number

All_Performance[CPU] → Performance

NXT Execution Error

Applying Nexthink Event to execution_error

Data Set
Constraints

Execution Error

source=Nexthink (event_type=execution_crash OR event_type=execution_freeze)

  • Execution Crash

event_type=execution_crash

  • Execution Freeze

event_type=execution_freeze

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

id

id

Number

info

info

String

type

type

String

NXT Execution Warning

Applying Nexthink Event to execution_warning

Data Set
Constraints

Execution Warning

source=Nexthink (event_type=high_application_cpu OR event_type=high_application_memory)

High Application CPU

event_type=high_application_cpu

High Application Memory

event_type=high_application_memory

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

duration

duration

Number

id

id

Number

info

info

String

type

type

String

value

value

Number

warning_duration

warning_duration

Number

NXT Installation

Applying Nexthink Event to installation

Data Set
Constraints

Installation

source=Nexthink (event_type=installation OR event_type=uninstallation)

Package Installation

event_type=installation

Package Uninstallation

event_type=uninstallation

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

id

id

Number

type

type

String

NXT Network Scan

Applying Nexthink Event to network_scan

Data Set
Constraints

Network Scan

source=Nexthink (event_type=network_scan)

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

cardinality

cardinality

Number

device_ip_address

device_ip_address

String

duration

duration

Number

id

id

Number

network

network

String

status

status

String

type

type

String

NXT Port Scan

Applying Nexthink Event to port_scan

Data Set
Constraints

Port Scan

source=Nexthink (event_type=port_scan)

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

cardinality

cardinality

Number

destination_ip_address

destination_ip_address

String

device_ip_address

device_ip_address

String

duration

duration

Number

first_scanned_port

first_scanned_port

String

id

id

Number

last_scanned_port

last_scanned_port

String

status

status

String

type

type

String

NXT Printout

Applying Nexthink Event to printout

Data Set
Constraints

Printout

source=Nexthink (event_type=printout)

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

color_print

color_print

Boolean

document_type

document_type

String

duplex

duplex

Boolean

id

id

Number

number_of_printed_pages

number_of_printed_pages

Number

page_size

page_size

String

print_quality

print_quality

String

size

size

Number

status

status

String

NXT User Activity

Applying Nexthink Event to user_activity

Data Set
Constraints

User Activity

source=Nexthink (event_type=user_logon)

User Logon

event_type=user_logon

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

duration

duration

Number

id

id

Number

real_duration

real_duration

Number

type

type

String

NXT Web Request

Applying Nexthink Event to web_request

Data Set
Constraints

Web Request

source=Nexthink (event_type=established_web_requests OR event_type=failed_web_requests)

Established Web Requests

event_type=established_web_requests

Failed Web Requests

event_type=failed_web_requests

Nexthink Field
Add-on Field
Splunk Datatype
CIM Compliant (data set -> data model)

cardinality

cardinality

Number

connections_duration

connections_duration

Number

http_status

status

Number

Web -> Web

id

id

Number

incoming_traffic

bytes_in

Number

Web -> Web

network_response_time

response_time

Number

Web -> Web

outgoing_traffic

bytes_out

Number

Web -> Web

protocol

protocol

String

protocol_version

protocol_version

String

service_related

service_related

Boolean

web_request_duration

duration

Number

Web -> Web

Use Cases

Traffic Aggregation dashboard in Splunk

What if you want to know, explicitly: How much daily incoming traffic belongs to Google Chrome on 24th January 2018 between 11:00 and 13:00?

It’s easy to retrieve that information in Nexthink_,_ either by creating a new investigation in Finder or by composing a NXQL query like the one in the code snippet below:

Code
(select (name)  
    (from application 
        (with connection 
            (where connection  
                (ne status (enum "no host")) 
                (ne status (enum "no service")) 
                (ne status (enum "rejected")) 
            ) 
            (where application 
                (eq name (pattern "Google Chrome")) 
            ) 
            (compute incoming_traffic) 
            (between 2018-01-24@11:00:00 2018-01-24@13:00:00) 
        ) 
    ) 
) 

The result of such query is 1480649564 bytes (approximately 1.38 GB), as in the illustration below.

How can you achieve that in Splunk? To do so, you run the following search, see the illustration below. Remember that the event configured in the connector to send the data to Splunk is the one in

Error! Reference source not found..

What are you doing exactly with this search? Let’s go through it line by line:

  • Line 1: filtering index=nexthink event_type=detailed_connections earliest=01/24/2018:11:00:0 latest=01/24/2018:13:00:0 app_name="Google Chrome" First line filters the information you want to retrieve. You need to state the index=nexthink where you are searching the information, the type of the event event_type=detailed_connections, the earliest and latest times for the events to be retrieved, and the name of the application you are taking into consideration app_name="Google Chrome".

  • Line 2: Range of incoming traffic per device and per connection | stats range(bytes_in) as range_bytes_in by src id In the second line you are computing some stats after grouping the events by device, mapped as src, and by connection, mapped as id. This grouping is done with the by clause. Once events are grouped, the specific statistics are applied. You are basically computing the range, which is the difference between maximum and minimum values of the incoming traffic, mapped as bytes_in, per connection and per device. The as clause simply renames the new field as range_bytes_in.

  • Line 3: Summation of incoming traffic for all devices and connections. | stats sum(range_bytes_in) as "Total Incoming Traffic (B)" The third line allow you to compute the summation of the aggregated traffic of each connection and each device. Since you are not specifying any by clause this time, you have to rename the field as "Total Incoming Traffic (B)".

  • Line 4: Creation of new field to be shown | eval "Total Incoming Traffic (GB)"=round('Total Incoming Traffic (B)'/(1024*1024*1024),2). " GB" Lastly, you perform an evaluation of the 'Total Incoming Traffic (B)' field, thus creating a new one based on it. You convert bytes to gigabytes and round the result to 2 decimal places. With the search, you get the results displayed as in the illustration below, Total Incoming Traffic (B): 1459712893 and Total Incoming Traffic (GB): 1.36

As you may have noticed, there are some minor differences between the value we get in Splunk and the one provided by Nexthink. This is completely normal as Splunk is storing the information for the desired events on a given frequency making it possible to compute more precise aggregates.

But what if you want to extract the traffic consumed per device? We can simply add the by src clause on the third line and compute the summation of all connections per each device.

| stats sum(range_bytes_in) as "Total Incoming Traffic (B)" by src

If you wanted to retrieve the incoming traffic every two hours for the last 24 hours, you could run another search as illustrated below.

  • Changed the time selector to Last 24 hours and as you are not including the temporal filters in this search.

  • The bin command allows you to put continuous time, internal Splunk field _time, into discrete buckets of a given period span, so that all the items in a particular bucket have the same value.

  • The eval command, along with the strftime function, modifies how the date is going to be displayed.

  • Then, you compute the statistics as in the previous example but including the new Date field in both stats commands.

  • Use the table command to display only the fields of interest.

  • By selecting the Line Chart visualization, you can obtain the result as illustrated below.

CSC 0 dashboard in Splunk

Splunk allows you to display the information in a fancy manner by modifying the visualization. For instance, if you wanted to find out: How to display today’s average value of the Compliance Scores and the weekly trend?

  • First, you need to send the information to Splunk. The event configuration is shown in the code snippet below.

Code
## This one is also used for the Scores dashboards (CSC0 and CSC3) 

[CSC1_INVENTORY] mode = listing query = (select (<device_fields>) 
            (from device 
                (where device 
                    (ne device_type (enum server)) 
                ) 
            )         
      ) 
mapping = {"device_fields": {"name": "src", 
 "id": "src_id",  
 "device_type": "device_type", 
 "os_version_and_architecture": "os_version",  
 "platform": "platform",  
 "#\"score:Device compliance/Device compliance\"": "score_dev_comp_device_compliance", 
 "#\"score:Device compliance/Network\"": "score_dev_comp_network", 
 "#\"score:Device compliance/Protection\"": "score_dev_comp_protection", 
 "#\"score:Device compliance/Software\"": "score_dev_comp_software",        
 "#\"score:Device compliance/System\"": "score_dev_comp_system"}} 
frequency = 1440 
delay = 5 
platforms = windows, mac_os 
  • Once done, you run a simple search in Splunk, see the illustration below.

  • As described in the previous example, the first line is the filters the events, so you get only the Splunk events of importance from last week, defined with the earliest and latest fields.

  • Then, you use the timechart command to aggregate events according to a given span span=24h

  • The fixedrange parameter let you skip periods with no data

  • Compute the desired stats using avg

  • Lastly, you apply the desired visualization. In the corresponding tab, select Single Value as the visualization type and in Format, select the parameters according to the table below:

Parameter
Value

General > Show Trend Indicator

Yes

General > Show Trend in

Percent

General > Compared to

24 hours before

General > Show Sparkline

Yes

Color > Use Color

Yes

Color > Color by

Value

Color > Ranges

Select the appropriate ones

Color > Color Mode

First radio button

The value will be displayed as in the illustration below.

The same approach can be followed to obtain the rest of the Scores in the dashboard.

CSC 1 dashboard in Splunk

To compute both numbers appearing in the dashboard, we simply need to follow the previous approach. Splunk searches differ only in the filtering part and in the statistics computed by the timechart command using count instead of avg, see the illustration below.

To show the inventory, run the search as in the illustration below.

With the eval command you are setting the value of the Properties and Scores columns to be "Click for details". You do that because in the dashboard itself, you can configure how the drilldown will work when clicking on each column. Therefore, in the editing mode of the dashboard you select Source, thus displaying the XML code. By playing a little bit with the different options, in particular those related to the drilldown, you can define different behaviors. For instance, the behavior of the Inventory of Desktops by OS panel as shown in the code snippet below.

Code
<panel> 
  <title>Inventory of Desktops by OS</title> 
  <table> 
    <search ref="Inventory of Desktops"></search> 
    <option name="count">10</option> 
    <option name="drilldown">cell</option> 
    <drilldown> 
      <condition field="Number of Desktops"> 
        <set token="selected_desktop_os">$click.value$</set> 
        <link target="_blank">search?q=index=nexthink 
              event_type=csc1_inventory
              device_type=desktop 
              earliest=-1d 
              latest=now 
              os_version=$selected_desktop_os|s$ |            
              table src src_id | sort src
        </link> 
      </condition> 
      <condition field="Properties"> 
        <set token="selected_desktop_os">$click.value$</set> 
        <link target="_blank">search?q=index=nexthink 
              event_type=csc1_inventory
              device_type=desktop 
              earliest=-1d 
              latest=now 
              os_version=$selected_desktop_os|s$ |
              fields - _* score_dev_comp* punct linecount index eventtype 
              source sourcetype
              splunk_server splunk_server_group engine 
              event_category event_mode event_type host  
              | table src src_id * | sort src
        </link> 
      </condition> 
      <condition field="Scores"> 
        <set token="selected_desktop_os">$click.value$</set> 
        <link target="_blank">search?q=index=nexthink event_type=csc1_inventory            device_type=desktop earliest=-1d latest=now os_version=$selected_desktop_os|s$ |            table src src_id score_dev_comp* | sort src</link> 
      </condition> 
    </drilldown> 
  </table> 
</panel> 
  • Specify that the drilldown is going to be based on the cell value with the drilldown option.

  • Define a token for each column <condition field="column name">, which is extracted from the value of the clicked cell using a reserved word $click.value$, as well as the specific search using the token that will be triggered.

  • This drilldown approach is followed, with certain variations, in most of the other dashboards.

As shown in the examples above, there are many different searches and approaches we can follow in Splunk to get the desired data. Please refer to Splunk documentation for learn more about specific commands and approaches.

Support

Open a web browser and go to

Go to

The Nexthink Splunk Add-on is provided “as is” to its customers, without any warranty of any kind. Limited support for the application is provided via the .

Nexthink support portal
https://splunkbase.splunk.com
https://splunkbase.splunk.com/apps/
Nexthink support portal
App search and reporting
Result of NXQL query for Google Chrome traffic
Splunk search to compute the Google Chrome traffic in the desired date
Result of Splunk search for Google Chrome traffic
Result of Splunk search for Google Chrome traffic per device
Splunk search to compute the Google Chrome traffic every two hours
Result of Splunk search for Google Chrome traffic every two hours
Splunk search to compute the average Compliance score and the trend for the week
Single value visualization with colors and trend
Search for Number of Desktops
Search for Inventory of Desktops