Good day. I am attempting to automate alerting for upcoming expiring RSA tokens; however, RSA does not provide this information to Splunk at the logging level; at least not that I could find. RSA does allow me to create a report in CSV or XML format and e-mail that out. My thought is to automate the RSA report to be emailed to Splunk as a lookup table and then I could create the alerts based on the data of the RSA lookup table.
I've searched within Splunk as well as the interwebs and I've not been able to find a way to upload lookup tables to Splunk via e-mail, so I wanted to ask the community if this is even possible. If so, if you could point me in the right direction it'd be appreciated. Thank you.
The lookup editor app does have mentioned of a REST API but I have been unable to determine at first glance if you can upload data via the REST API (I think you can...)
If you switched to a KVStore then you can definitely work via REST API.
Finally, there are REST endpoints to work with lookups, however are you trying to create the lookup definition or upload the contents via API or ?
Without being able to articulate what I want in the proper terms, I am trying to automate delivering the RSA expiration data to Splunk so that I can setup an alert to provide notification before a token expires. Unfortunately RSA doesn't provide this information in logs to Splunk, so I'm trying to automate a CSV or XML report to be generate and e-mailed to Splunk. My theory was to then use the attachment as a lookup table that I could use to read the expiration dates for alerting.
I've never working with APIs, so the skills needed to get this done, is sounding like it's over my head,, haha.
The simpler approach is to find a way to get the data indexed into Splunk and then run a search over where the data was indexed and use an "outputlookup" in the search...
For example if you can get the CSV attachment onto the filesystem and assuming Splunk is monitoring the directory then Splunk can read the file and you can run a scheduled search to output the lookup...
To index data from the file which will come as an attachment in an email is a little bit hard to think and imagine but I think it is possible.
In this case, we have to set up data collection node(DCN), which is responsible for reading all incoming emails. download the attachment and convert into events. which will be forwarded to the indexer.
Yes, It is not easy, there are challenges. like, to create a utility which is ready emails and extracts desired data from it.
There's the IMAP app which may help you to think how to make it possible.
I hope this will help you.
Thank you to everyone's input on this!! I am average at best with Splunk and I haven't worked with APIs before and it's sounding like I need to be at the expert level to play this particular Spunk challenge 🙂
I also looked into the IMAP Mail app, but by default it doesn't download attachments and to modify it is going to take someone that can script better than me.
I'll do a deeper dive into these suggestions after the Thanksgiving holiday. Thanks again for taking the time to provide input!!
Basically, you can just set up a service that saves any CSV attachments from an incoming email to a directory that is monitored by Splunk. You can literally copy one there manually in order to verify that the Splunk side is working. How you do the other end depends on your mail client and your security setup.
Other options are check if the system has an API, make a script like python to pull your report and send it in to Splunk either via HEC for indexing or via rest API to KVStore as a lookup as mentioned above in one of the comments. Or also as mentioned above put a forwarder on a system that can download and save the attachments off to a monitored folder for indexing as suggested above.