jspiglerj2rsolves's avatar
jspiglerj2rsolves
Icon for Nimbostratus rankNimbostratus
Mar 15, 2017

Great app! Alot of potential for being the best ADC visibility app out there on splunk.

 

One thing I'm having issues with and I think its how the search was constructed is the Application Drill down dashboard, SSL Certificates panel. I can only return the latest certificate object, ssl profile that has been reported to splunk. The search is as follows

 

| tstats latest(all.cert_name), latest(all.cert_expiration_date), latest(all.cert_expiration_date_human),latest(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename latest(all.) AS * all. AS * | join host cert_name [| tstats latest(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.) AS * all. AS ] | join host profile_name [| tstats values(all.app), latest(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename latest(all.) AS * values(all.) as * all. AS ] | makemv delim=" " app | mvexpand app

 

| search tenant=tenant_a app=mail.clearshark.net | rename cert_expiration_date_human AS expires | eval days_remaining=round((cert_expiration_date-now())/(360024),0) | sort days_remaining | table facility,devicegroup,cert_name,CN,expires,days_remaining

 

All of my cert objects, ssl profile objects and virtual profile objects are being reported correctly into splunk. It seems this search though only returns the latest (hence the latest command) ssl cert object and joins all post objects in the search. It then searches for the requested app. Unfortunately, if the app isn't associated with this ssl profile, you do not get any results. I think instead of latest, values should be used with the mvexpand command. I've replaced the search with this

 

| tstats values(all.cert_name), values(all.cert_expiration_date), values(all.cert_expiration_date_human),values(all.CN) from datamodel=bigip-objectmodel-cert by host,all.devicegroup,all.facility | rename values(all.) AS * all. AS * | mvexpand cert_name | join host cert_name [| tstats values(all.cert_name) from datamodel=bigip-objectmodel-profile where all.profile_type="client-ssl" by host, all.devicegroup, all.facility, all.profile_name | rename values(all.) AS * all. AS ] | mvexpand profile_name | join host profile_name [| tstats values(all.app), values(all.tenant) from datamodel=bigip-objectmodel-virtual-profiles by host, all.devicegroup, all.facility, all.profile_name | rename values(all.) AS * values(all.) as * all. AS ] | makemv delim=" " app | mvexpand app

 

| search tenant=tenant_a app=mail.clearshark.net | rename cert_expiration_date_human AS expires | eval days_remaining=round((cert_expiration_date-now())/(360024),0) | sort days_remaining | table facility,devicegroup,cert_name,profile_name

 

The only thing I'm working on now is how to properly bring in the cn and expiration date. Anytime I expand those out, I get 100s of results. Any suggestions would be great!