Scrutinizer for Splunk application¶
What does the Scrutinizer for Splunk application do?
Splunk searches from Scrutinizer reports and alarms¶
The following are the steps necessary to search Splunk’s database from Scrutinizer reports.
- Select a Scrutinizer report that includes IP addresses
- Select a host of interest and click on it
- Select Other Options from the Reports menu
- Select Search Splunk
- The IP address and report timeframe are passed to Splunk’s search engine for detailed Splunk reporting.
For further details (from Splunk) on Scrutinizer Alarms, follow these steps.
Go to the Alarms tab in Scrutinizer and select either:
- Bulletin Board by Violator,
- Bulletin Board by Policy.
In the Bulletin Board Events view that opens, click on the dropdown arrow to the left of the Message column for the alarm selected.
Select Search Splunk from the Available Options menu and the Violator’s IP address and timeframe of the violation are passed to Splunk. If the Violator’s IP address and an alarm time (not timeframe) are
being passed, then 30 minutes before and after the alarm time is searched.
Scrutinizer reporting from within Splunk¶
With the Scrutinizer for Splunk application, dashboards can be setup which include:
- Scrutinizer Vitals information
- Flow Analytics TopN Algorithms
The Default Dashboard view for the Scrutinizer - Splunk Application is the Vitals information which includes:
- Disk Usage
- Flows per collector
- Status per collector
Other Splunk menus can include links to the Scrutinizer tabs:
- Status and Reports
- Admin and Settings
Additionally, panels can be created which are based on the TopN Algorithm gadgets from Flow Analytics:
- Top Applications
- Top Countries
- Top Rev 2nd lvl Domains (Top reverse 2nd level domains)
- Top Flows
- Top Hosts
- Top Jitter
- Top Networks
- and more…
Clicking on any entities in the graphs or detail in a table report will run a Splunk search for that detail and time range. As mentioned earlier, those searches can also be initiated directly from Scrutinizer reports or alarms.
A menu can be added which consists of useful links on our website:
How to configure Splunk integration with Scrutinizer¶
There are two components to the Splunk integration.
- Preparing Scrutinizer
- Installing the Scrutinizer for Splunk application on Splunk
Flow Analytics must be enabled and collecting statistics for the Top X Algorithms.
The following configuration instructions apply to Scrutinizer v16.7 and later. If an earlier version of Scrutinizer is installed, contact Plixer directly for assistance.
- Log on to the Scrutinizer server with administrative permissions
- To enable the Scrutinizer/Splunk integration, from the command line:
/home/plixer/scrutinizer/bin/scrut_util.exe **SCRUTINIZER>** enable splunk http\://<ip:port> <syslog port>
where<ip:port> is Splunk IP address and port, <syslog port> is the port used to send syslogs to Splunk.
After a few moments, Scrutinizer will begin to export data to Splunk.
Installing the Scrutinizer for Splunk application on Splunk¶
The Scrutinizer for Splunk App displays details that have been collected and processed by Scrutinizer. For more information, visit Plixer’s Splunk integration page.
- Download the Splunk plugin using the link at the bottom of the Splunk Integration page.
- Log into Splunk
- Select Apps > Manage Apps
- Click Install app from file
- Click Choose File and locate the PlixerScrutinizerForSplunk.spl file within the Splunk plugin file downloaded in Step 1. If upgrading the plugin, click the Upgrade App checkbox below the Choose File button.
- Click the Upload button.
- Follow the onscreen instructions and restart Splunk.
- Navigate to the “Apps > Manage Apps menu.
- Locate the Scrutinizer for Splunk app in the list below and click the View Objects link associated to the application.
- Locate the Default link and click it.
- Replace the text “http://ADD_SCRUTINIZER_ADDR_HERE” with the link to the desired Scrutinizer server. (e.g. https://10.1.1.12:88)
- Click the Save button and then access the Scrutinizer application in the Apps menu.
After a few minutes you will start seeing data in Splunk.