APM integration with Splunk
Hey, I configured the free version of Splunk and managed to get the \var\log\apm files. I can see the logs, but the built-in dashboard for APM isn't showing data (except one chart). I think it's because we run version 13 and this Splunk template was built for 11.6. Has anyone tried to modify this template, or found another creative solution? I have to make this thing work!
Hi,
You can have a look at the iApp Analytics written by Ken Bocchino.
On my side, I write a custom log in the format key/value to be natively parsed by Splunk.
You can write an iCall that periodically dumps (sessiondump --allkeys) all session variables from active sessions and sends them to the HTTP API of Splunk.
Then you have everything at your disposal to build custom dashboards based on easy-to-write Splunk queries.
Hope it helps
Yann
- CX_280703Nimbostratus
We have set up our APM using HSL to send our logs to our syslog server on policy completion. This works well and allows us to choose the info we send.
when ACCESS_POLICY_COMPLETED {
    # Open a high-speed logging handle to the syslog pool; skip logging if that fails
    if { ![catch {set hsl [HSL::open -proto TCP -pool $static::syslogPool]}] } {
        # <190> is the syslog priority. A backslash-newline inside the quoted
        # string collapses to a single space, so this is sent as one line.
        HSL::send $hsl "<190> id=$static::siemId action=auth\
            auth-result=[ACCESS::policy result]\
            dst-ip=[IP::local_addr]\
            src-ip=[IP::remote_addr]\
            user=[ACCESS::session data get session.sso.token.last.username]@[ACCESS::session data get session.sso.token.last.domain]\
            vip=[virtual name]\
            use-case=[ACCESS::session data get session.sso.token.last.useCase]\
            ad-errmsg=[ACCESS::session data get session.ad.last.errmsg]\
            ad-empid=[ACCESS::session data get session.ad.last.attr.employeeID]\
            device=$static::location module=APM\
            user-agent=[ACCESS::session data get session.user.agent]\
            auth-method=[ACCESS::session data get session.sso.token.last.method]\
            sessionID=[ACCESS::session data get session.user.sessionid] \n"
    }
}
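Added example, not code from either reply above: a Python version of the approach Yann describes, turning sessiondump output into key="value" events batched for Splunk's HTTP Event Collector. Every value is quoted so that fields containing spaces (user-agent, ad-errmsg) stay whole, which applies equally to the HSL line above. The dump layout, the sample data, the sourcetype name and the credential-name filter are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample. Assumed layout per line: "<session id>.<variable> <value>".
SAMPLE_DUMP = """\
4f1c9a02.session.user.agent Mozilla/5.0 (Windows NT 10.0; Win64; x64)
4f1c9a02.session.logon.last.username alice
4f1c9a02.session.logon.last.password s3cret
4f1c9a02.session.ad.last.errmsg
9b7e1d55.session.user.agent MyApp/2.1 build="77"
9b7e1d55.session.logon.last.username bob
"""

# Assumed policy: variables with credential-like names are never forwarded.
SECRET = re.compile(r"password|secret|otp", re.IGNORECASE)

def parse_dump(text):
    """Group dump lines into {session_id: {variable: value}}."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        sid, _, var = key.partition(".")
        if sid and var:                      # skip blank or malformed lines
            sessions[sid][var] = value.strip()
    return dict(sessions)

def kv(name, value):
    """Render one pair, always quoted so spaces and '=' stay inside the value."""
    cleaned = re.sub(r"[\r\n]+", " ", value).replace('"', "'")
    return '%s="%s"' % (name.replace(".", "_"), cleaned)

def to_event(sid, variables):
    """Build one key="value" line for a session, redacting credential fields."""
    pairs = [kv("sessionID", sid)]
    for var in sorted(variables):
        shown = "[redacted]" if SECRET.search(var) else variables[var]
        pairs.append(kv(var, shown))
    return " ".join(pairs)

def hec_payload(text, sourcetype="f5:apm:sessiondump"):  # hypothetical sourcetype
    """Batch body for HEC's /services/collector/event: one JSON object per session."""
    return "\n".join(
        json.dumps({"sourcetype": sourcetype, "event": to_event(sid, variables)})
        for sid, variables in sorted(parse_dump(text).items()))

if __name__ == "__main__":
    print(hec_payload(SAMPLE_DUMP))
```

The returned string is the request body; it is posted with an `Authorization: Splunk <token>` header.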