Reporting

Is it Possible to Upload Lookup Table to Splunk via email

jonathangrant74
Explorer

Good day. I am attempting to automate alerting for upcoming expiring RSA tokens; however, RSA does not provide this information to Splunk at the logging level; at least not that I could find. RSA does allow me to create a report in CSV or XML format and e-mail that out. My thought is to automate the RSA report to be emailed to Splunk as a lookup table and then I could create the alerts based on the data of the RSA lookup table.

I've searched within Splunk as well as the interwebs and I've not been able to find a way to upload lookup tables to Splunk via e-mail, so I wanted to ask the community if this is even possible. If so, if you could point me in the right direction it'd be appreciated. Thank you.

0 Karma

gjanders
SplunkTrust
SplunkTrust

The lookup editor app does have mentioned of a REST API but I have been unable to determine at first glance if you can upload data via the REST API (I think you can...)

If you switched to a KVStore then you can definitely work via REST API.

Finally, there are REST endpoints to work with lookups, however are you trying to create the lookup definition or upload the contents via API or ?

0 Karma

jonathangrant74
Explorer

Without being able to articulate what I want in the proper terms, I am trying to automate delivering the RSA expiration data to Splunk so that I can setup an alert to provide notification before a token expires. Unfortunately RSA doesn't provide this information in logs to Splunk, so I'm trying to automate a CSV or XML report to be generate and e-mailed to Splunk. My theory was to then use the attachment as a lookup table that I could use to read the expiration dates for alerting.

I've never working with APIs, so the skills needed to get this done, is sounding like it's over my head,, haha.

0 Karma

gjanders
SplunkTrust
SplunkTrust

The simpler approach is to find a way to get the data indexed into Splunk and then run a search over where the data was indexed and use an "outputlookup" in the search...

For example if you can get the CSV attachment onto the filesystem and assuming Splunk is monitoring the directory then Splunk can read the file and you can run a scheduled search to output the lookup...

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @jonathangrant74,

To index data from the file which will come as an attachment in an email is a little bit hard to think and imagine but I think it is possible.

In this case, we have to set up data collection node(DCN), which is responsible for reading all incoming emails. download the attachment and convert into events. which will be forwarded to the indexer.

Yes, It is not easy, there are challenges. like, to create a utility which is ready emails and extracts desired data from it.

There's the IMAP app which may help you to think how to make it possible.

https://apps.splunk.com/app/1739/

I hope this will help you.

Happy Splunking

0 Karma

jonathangrant74
Explorer

Thank you to everyone's input on this!! I am average at best with Splunk and I haven't worked with APIs before and it's sounding like I need to be at the expert level to play this particular Spunk challenge 🙂

I also looked into the IMAP Mail app, but by default it doesn't download attachments and to modify it is going to take someone that can script better than me.

I'll do a deeper dive into these suggestions after the Thanksgiving holiday. Thanks again for taking the time to provide input!!

0 Karma

DalJeanis
Legend

Basically, you can just set up a service that saves any CSV attachments from an incoming email to a directory that is monitored by Splunk. You can literally copy one there manually in order to verify that the Splunk side is working. How you do the other end depends on your mail client and your security setup.

0 Karma

starcher
Influencer

Other options are check if the system has an API, make a script like python to pull your report and send it in to Splunk either via HEC for indexing or via rest API to KVStore as a lookup as mentioned above in one of the comments. Or also as mentioned above put a forwarder on a system that can download and save the attachments off to a monitored folder for indexing as suggested above.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...