Splunk add-on installation and usage

Introduction

This document provides comprehensive information on the definition and installation of event types and data models into a Splunk instance. The Nexthink Splunk Add-on for the Nexthink Event Coordinator allows users to perfectly map and make the most out of the Nexthink data injected into a Splunk instance.

Overview

The Nexthink Splunk Add-on allows a Splunk Enterprise administrator to use the proper event types and data models to map the data provided by the Nexthink Event Connector.

Nexthink Splunk Add-on includes the following new features:

• 3 new eventtypes for those events in Nexthink that correspond to CIM models.

• 13 new data models matching the different types of events provided by Nexthink.

Requirements

Pre-requisites for the Nexthink Splunk add-on installation:

• Splunk Enterprise 6.5 or later

• CIM 4.8 or later installed on the Splunk instance, in order to be able to use the included in the add-on eventtypes.

Installation

Option 1: from store

• Click on App: Search & Reporting > Find More Apps in the main menu of the Splunk instance.\

  \

• Type “Nexthink Add-on for Splunk” in the top search box.

• Click Install for the installation.

Option 2: file install

You can download and install the add-on file to the Splunk instance by following these steps:

If it is necessary to get the add-on file to be uploaded to the Splunk instance:

• Open a web browser and go to https://splunkbase.splunk.com

• Log in to Splunk through My Account > LOGIN

• Go to https://splunkbase.splunk.com/apps/

• Search for Nexthink Splunk Add-on using the top search bar.

• Click on Download. This will download a file with the add-on packed in.

To upload the add-on file:

• Log in to the Splunk instance where you have to install the add-on.

• Go to Apps > Manage Apps. From the home page of the Splunk instance:\

  \

• Click on Install app from file.

• Choose the add-on file and click on Upload

Event types

Data models

NXT Connection

Applying Nexthink Event to connection

NXT Device Activity

Applying Nexthink Event to device_activity

NXT Device Error

Applying Nexthink Event to device_error

NXT Device Warning

Applying Nexthink Event to device_warning

NXT Execution

Applying Nexthink Event to execution

NXT Execution Error

Applying Nexthink Event to execution_error

NXT Execution Warning

Applying Nexthink Event to execution_warning

NXT Installation

Applying Nexthink Event to installation

NXT Network Scan

Applying Nexthink Event to network_scan

NXT Port Scan

Applying Nexthink Event to port_scan

NXT Printout

Applying Nexthink Event to printout

NXT User Activity

Applying Nexthink Event to user_activity

NXT Web Request

Applying Nexthink Event to web_request

Use Cases

Traffic Aggregation dashboard in Splunk

What if you want to know, explicitly: How much daily incoming traffic belongs to Google Chrome on 24th January 2018 between 11:00 and 13:00?

It’s easy to retrieve that information in Nexthink_,_ either by creating a new investigation in Finder or by composing a NXQL query like the one in the code snippet below:

(select (name)  
    (from application 
        (with connection 
            (where connection  
                (ne status (enum "no host")) 
                (ne status (enum "no service")) 
                (ne status (enum "rejected")) 
            ) 
            (where application 
                (eq name (pattern "Google Chrome")) 
            ) 
            (compute incoming_traffic) 
            (between 2018-01-24@11:00:00 2018-01-24@13:00:00) 
        ) 
    ) 
) 

The result of such query is 1480649564 bytes (approximately 1.38 GB), as in the illustration below.

How can you achieve that in Splunk? To do so, you run the following search, see the illustration below. Remember that the event configured in the connector to send the data to Splunk is the one in

Error! Reference source not found..

What are you doing exactly with this search? Let’s go through it line by line:

• Line 1: filtering index=nexthink event_type=detailed_connections earliest=01/24/2018:11:00:0 latest=01/24/2018:13:00:0 app_name="Google Chrome" First line filters the information you want to retrieve. You need to state the index=nexthink where you are searching the information, the type of the event event_type=detailed_connections, the earliest and latest times for the events to be retrieved, and the name of the application you are taking into consideration app_name="Google Chrome".

• Line 2: Range of incoming traffic per device and per connection | stats range(bytes_in) as range_bytes_in by src id In the second line you are computing some stats after grouping the events by device, mapped as src, and by connection, mapped as id. This grouping is done with the by clause. Once events are grouped, the specific statistics are applied. You are basically computing the range, which is the difference between maximum and minimum values of the incoming traffic, mapped as bytes_in, per connection and per device. The as clause simply renames the new field as range_bytes_in.

• Line 3: Summation of incoming traffic for all devices and connections. | stats sum(range_bytes_in) as "Total Incoming Traffic (B)" The third line allow you to compute the summation of the aggregated traffic of each connection and each device. Since you are not specifying any by clause this time, you have to rename the field as "Total Incoming Traffic (B)".

• Line 4: Creation of new field to be shown | eval "Total Incoming Traffic (GB)"=round('Total Incoming Traffic (B)'/(1024*1024*1024),2). " GB" Lastly, you perform an evaluation of the 'Total Incoming Traffic (B)' field, thus creating a new one based on it. You convert bytes to gigabytes and round the result to 2 decimal places. With the search, you get the results displayed as in the illustration below, Total Incoming Traffic (B): 1459712893 and Total Incoming Traffic (GB): 1.36

As you may have noticed, there are some minor differences between the value we get in Splunk and the one provided by Nexthink. This is completely normal as Splunk is storing the information for the desired events on a given frequency making it possible to compute more precise aggregates.

But what if you want to extract the traffic consumed per device? We can simply add the by src clause on the third line and compute the summation of all connections per each device.

| stats sum(range_bytes_in) as "Total Incoming Traffic (B)" by src

If you wanted to retrieve the incoming traffic every two hours for the last 24 hours, you could run another search as illustrated below.

• Changed the time selector to Last 24 hours and as you are not including the temporal filters in this search.

• The bin command allows you to put continuous time, internal Splunk field _time, into discrete buckets of a given period span, so that all the items in a particular bucket have the same value.

• The eval command, along with the strftime function, modifies how the date is going to be displayed.

• Then, you compute the statistics as in the previous example but including the new Date field in both stats commands.

• Use the table command to display only the fields of interest.

• By selecting the Line Chart visualization, you can obtain the result as illustrated below.

CSC 0 dashboard in Splunk

Splunk allows you to display the information in a fancy manner by modifying the visualization. For instance, if you wanted to find out: How to display today’s average value of the Compliance Scores and the weekly trend?

• First, you need to send the information to Splunk. The event configuration is shown in the code snippet below.

## This one is also used for the Scores dashboards (CSC0 and CSC3) 

[CSC1_INVENTORY] mode = listing query = (select (<device_fields>) 
            (from device 
                (where device 
                    (ne device_type (enum server)) 
                ) 
            )         
      ) 
mapping = {"device_fields": {"name": "src", 
 "id": "src_id",  
 "device_type": "device_type", 
 "os_version_and_architecture": "os_version",  
 "platform": "platform",  
 "#\"score:Device compliance/Device compliance\"": "score_dev_comp_device_compliance", 
 "#\"score:Device compliance/Network\"": "score_dev_comp_network", 
 "#\"score:Device compliance/Protection\"": "score_dev_comp_protection", 
 "#\"score:Device compliance/Software\"": "score_dev_comp_software",        
 "#\"score:Device compliance/System\"": "score_dev_comp_system"}} 
frequency = 1440 
delay = 5 
platforms = windows, mac_os 

• Once done, you run a simple search in Splunk, see the illustration below.

• As described in the previous example, the first line is the filters the events, so you get only the Splunk events of importance from last week, defined with the earliest and latest fields.

• Then, you use the timechart command to aggregate events according to a given span span=24h

• The fixedrange parameter let you skip periods with no data

• Compute the desired stats using avg

• Lastly, you apply the desired visualization. In the corresponding tab, select Single Value as the visualization type and in Format, select the parameters according to the table below:

The value will be displayed as in the illustration below.

The same approach can be followed to obtain the rest of the Scores in the dashboard.

CSC 1 dashboard in Splunk

To compute both numbers appearing in the dashboard, we simply need to follow the previous approach. Splunk searches differ only in the filtering part and in the statistics computed by the timechart command using count instead of avg, see the illustration below.

To show the inventory, run the search as in the illustration below.

With the eval command you are setting the value of the Properties and Scores columns to be "Click for details". You do that because in the dashboard itself, you can configure how the drilldown will work when clicking on each column. Therefore, in the editing mode of the dashboard you select Source, thus displaying the XML code. By playing a little bit with the different options, in particular those related to the drilldown, you can define different behaviors. For instance, the behavior of the Inventory of Desktops by OS panel as shown in the code snippet below.

<panel> 
  <title>Inventory of Desktops by OS</title> 
  <table> 
    <search ref="Inventory of Desktops"></search> 
    <option name="count">10</option> 
    <option name="drilldown">cell</option> 
    <drilldown> 
      <condition field="Number of Desktops"> 
        <set token="selected_desktop_os">$click.value$</set> 
        <link target="_blank">search?q=index=nexthink 
              event_type=csc1_inventory
              device_type=desktop 
              earliest=-1d 
              latest=now 
              os_version=$selected_desktop_os|s$ |            
              table src src_id | sort src
        </link> 
      </condition> 
      <condition field="Properties"> 
        <set token="selected_desktop_os">$click.value$</set> 
        <link target="_blank">search?q=index=nexthink 
              event_type=csc1_inventory
              device_type=desktop 
              earliest=-1d 
              latest=now 
              os_version=$selected_desktop_os|s$ |
              fields - _* score_dev_comp* punct linecount index eventtype 
              source sourcetype
              splunk_server splunk_server_group engine 
              event_category event_mode event_type host  
              | table src src_id * | sort src
        </link> 
      </condition> 
      <condition field="Scores"> 
        <set token="selected_desktop_os">$click.value$</set> 
        <link target="_blank">search?q=index=nexthink event_type=csc1_inventory            device_type=desktop earliest=-1d latest=now os_version=$selected_desktop_os|s$ |            table src src_id score_dev_comp* | sort src</link> 
      </condition> 
    </drilldown> 
  </table> 
</panel> 

• Specify that the drilldown is going to be based on the cell value with the drilldown option.

• Define a token for each column <condition field="column name">, which is extracted from the value of the clicked cell using a reserved word $click.value$, as well as the specific search using the token that will be triggered.

• This drilldown approach is followed, with certain variations, in most of the other dashboards.

As shown in the examples above, there are many different searches and approaches we can follow in Splunk to get the desired data. Please refer to Splunk documentation for learn more about specific commands and approaches.

Support

The Nexthink Splunk Add-on is provided “as is” to its customers, without any warranty of any kind. Limited support for the application is provided via the Nexthink support portal.