All Apps and Add-ons

Noob guide to configure

jbueso
Path Finder

Could you give us a little guide to configure at first

How we must send logs from VSP to splunk?

We need a new query "Device" or it is already implemented in dashboard?

Thanks in advance

jbueso
Path Finder

Just to say, after i upgrade mobileiron's last release, everything works correctly. Now I can obtain data from mydevices and rest of indexes.

All of them are populating itself and rest of app looks run great.

0 Karma

lini8oz
New Member

Sorry to hijack this, can I ask, if I going to do my own query against Splunk, should I use SQL or Regex?

cheers,

Ant

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi jbueso,

here is the Noob guide I used this week to configure Splunk and MobileIron:

Monitoring the MobileIron VSP With Splunk Forwarder
VSP 6.0's new Splunk Forwarder feature periodically exports system health, device statistics, compliance, check-ins, and much more to a Splunk Enterprise server. VSP system health is reported at the hardware, OS (CentOS) and application layers. Multiple VSP's can be monitored concurrently.

Only on-premise VSP's are supported at this time. Connected Cloud VSP's will be supported in the future.

Setting Up Splunk Forwarder
These steps show how to setup Splunk Forwarder in a demo or evaluation environment. Licensing concerns are beyond the scope of this article. A static IP address for your Splunk Enterprise server is recommended, but a DHCP address will suffice for a quick test.

  1. Download and install the Splunk Enterprise demo on your computer. Versions are available for Mac, Windows, Linux, Solaris, etc.
  2. On the VSP, navigate to System > Settings > Services > Splunk Forwarder, and choose Enable, then Apply.
  3. Navigate to System > Settings > Splunk Forwarder, and click Add. Add the IP address of your Splunk Enterprise server. Any IP address can be used. In this example we'll use 2221, without SSL. Enabling SSL is beyond the scope of this article.
  4. Restart the Splunk Forwarder: Navigate to System > Settings > Services > Splunk Forwarder, click Disable and Apply, then Enable and Apply.
  5. Start Splunk Enterprise on your computer. (On Mac OS X, launch the Splunk application.)
  6. Load http://localhost:8000 in your browser.
  7. In the Splunk Enterprise portal, navigate to Settings > Data > Forwarding and receiving > Configure receiving > New. Enable a listener on port 2221.
  8. Navigate to Settings > Data > Indexes, and enable “mihealth”, “mijvm”, and “midevices”.
  9. Navigate to Apps > Find More Apps and search for MobileIron.
  10. Download the MobileIron App For Splunk Enterprise. Since this file is hosted on support.mobileiron.com, your company's download/documentation credentials are required.
  11. Do not unzip or unpack the .tar.gz file.
  12. Navigate to Apps > Manage Apps > Install App From File, and choose the .tar.gz file you downloaded.

The Splunk Enterprise portal will now display the new MobileIron app. Drill-down into the menus and start splunking!

The "MobileIron App For Splunk Enterprise" plugin app is provided "as-is". Technical support for this app is available via SplunkAnswers.

NOTE: Splunk will reveal many inner secrets of your VSP which were previously off-limits. One may become concerned by ominous-sounding log messages, CPU or memory spikes, or unexplained network usage. Do not use Splunk to find new problems, but rather to troubleshoot existing problems. MobileIron Support will not entertain questions about what the VSP is doing "under the covers" or why, unless there is a observed issue or failure.

Troubleshooting
Q: I see VSP health data, but no device data. What's wrong?
A: The VSP exports device info every 24 hours. Check back after 24 hours.

Important: after initial setup of the Splunk forwarder on the MobileIron, the MobileIron Service MUST be restarted! Also check your routing on the MobileIron

hope this helps ...

cheers, MuS

schandrasekar
Loves-to-Learn

Hi , 

I am looking to integrate Splunk and MobileIron Core. At MobileIron Core end , it is prompting to enter Inder details.

Our current architecture is UF->HF->IDX->SH, I am looking for ways to configure either to HFs or IDX cluster ? Is there any docs or leads please? 

Also, where to download the app "MobileIron App for Splunk Enterprise"?

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!