Splunk Enterprise Security

Splunk Enterprise Security: How to automate the population of assets.csv with DB Connect?

oagtexas
Explorer

We are running Enterprise Security and I'm trying to schedule and automate the population of assets.csv that ES uses as an Identity Management lookup file. I figured I could use DB Connect to connect to our SQL-based CMDB and pull the required information. This connection works fine and I'm able to access a stored report in the CMDB to use to create the exact format of the assets.csv file.

I see 3 options to save anything in DB Connect:

DB Inputs
DB Outputs
DB Lookups

I don't see any of these options doing what I want to do above which is just call the query and output it as a lookup csv file. I'm thinking there's a sloppy workaround to be found here but I was wondering how others are automating their asset inventory in ES?

0 Karma

maciep
Champion

We connect to our CMDB to get our assets and identities as well. We have a scheduled search that runs the dbquery, massages the data as needed, formats the data as needed, and then at the very end of the search pipes to the outputlookup command to create the csv itself.

For the lookups themselves, we have them configured in a custom SA of ours. And then we configure ES to include those lookups for its asset/identities lists.

Also, our ES env is clustered and we haven't got around to feeling comfortable with dbconnect in that ES cluster. So we actually run the above search on our heavy forwarder and rsync the custom app with our lookups over to the ES boxes a couple times a day.

Not sure if that's the best approach, but that's how we're doing it. Oh, and we're still on ES 3.3.2.

0 Karma
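The pipeline maciep describes (dbquery into a scheduled search, massage the rows, outputlookup into a custom SA, then rsync the app to the ES boxes) as one added example, not code from the thread or from Splunk. It is a POSIX shell wrapper meant to run from cron on a heavy forwarder; the connection name `cmdb`, the SQL, the app name `SA-cmdb-assets`, the ES hostnames and the `SPLUNK_AUTH` variable are all assumptions. It uses the DB Connect 1 `dbquery` command the answer names; on DB Connect 2 or later the command is `dbxquery`. Before syncing it refuses to ship a lookup whose header drifted from the ES asset layout or that came back near empty, which is what a failed CMDB query usually looks like.

```shell
#!/bin/sh
# Added example (not from the thread): run the CMDB search, sanity-check the
# lookup it writes, then rsync the custom SA to the ES search heads.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
LOOKUP_APP="${LOOKUP_APP:-SA-cmdb-assets}"          # hypothetical custom SA
LOOKUP_DIR="$SPLUNK_HOME/etc/apps/$LOOKUP_APP/lookups"
ES_HOSTS="${ES_HOSTS:-es-sh1.example.com es-sh2.example.com}"  # placeholders

# Column order Enterprise Security expects in its asset lookup.
ES_ASSET_HEADER='ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av'

# Build the SPL: dbquery pulls the CMDB report (connection and columns are
# assumed), rename/eval/table reshape rows into the ES layout, and
# outputlookup writes the CSV into whichever app the search runs in.
build_assets_search() {
  cat <<'SPL'
| dbquery "cmdb" "SELECT ip_address, mac_address, hostname, fqdn, owner_email, criticality, site_city, site_country, business_unit, device_class, in_pci_scope FROM asset_report"
| rename ip_address AS ip, mac_address AS mac, hostname AS nt_host, fqdn AS dns, owner_email AS owner, site_city AS city, site_country AS country, business_unit AS bunit
| eval priority=case(criticality=="1","critical", criticality=="2","high", criticality=="3","medium", true(),"low")
| eval category=lower(device_class), pci_domain=if(in_pci_scope=="Y","cardholder","untrust")
| eval lat="", long="", is_expected="true", should_timesync="true", should_update="true", requires_av="true"
| table ip,mac,nt_host,dns,owner,priority,lat,long,city,country,bunit,category,pci_domain,is_expected,should_timesync,should_update,requires_av
| outputlookup assets_cmdb.csv
SPL
}

# Return 0 only if the CSV exists, its header matches the ES layout exactly
# and it holds at least $2 data rows (default 1).
check_assets_lookup() {
  file="$1"; min_rows="${2:-1}"
  [ -s "$file" ] || return 1
  header=$(head -n 1 "$file" | tr -d '\r')
  [ "$header" = "$ES_ASSET_HEADER" ] || return 1
  rows=$(( $(wc -l < "$file") - 1 ))
  [ "$rows" -ge "$min_rows" ] || return 1
  return 0
}

# Run the search ad hoc in the lookup app's context (so outputlookup lands in
# that app's lookups/ directory), check the result, then sync the app out.
run_and_sync() {
  splunk_auth="${SPLUNK_AUTH:?set SPLUNK_AUTH=user:password}"
  out="$LOOKUP_DIR/assets_cmdb.csv"
  "$SPLUNK_HOME/bin/splunk" search "$(build_assets_search)" \
      -app "$LOOKUP_APP" -auth "$splunk_auth" -maxout 0 >/dev/null
  check_assets_lookup "$out" 100 || {
    echo "assets lookup failed sanity check; leaving ES untouched" >&2
    return 1
  }
  # Assumes key-based SSH as the splunk user to each ES search head.
  for host in $ES_HOSTS; do
    rsync -az "$SPLUNK_HOME/etc/apps/$LOOKUP_APP/" \
          "splunk@$host:$SPLUNK_HOME/etc/apps/$LOOKUP_APP/"
  done
}

case "${1:-}" in run) run_and_sync ;; esac
```

Invoke it as `sh sync_assets.sh run` from cron on the heavy forwarder. The lookup definition itself stays in the custom SA that is being synced, and ES is pointed at that lookup through its asset list configuration, as the answer describes.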

rishrai
New Member

I am looking to continuously update the asset list from CMDB. DB Connect is installed in the heavy forwarder. I got the part of running dbquery in DB Connect to generate the lookup file. Now how do I get the lookup file to the ES search head and place it in the SA identity management? I am not familiar with rsync. Can you please explain more?

0 Karma