
Using uberAgent With Splunk Free Successfully

  • by Dominik Britz
  • July 17, 2018

Splunk Enterprise and uberAgent are a winning combination for gaining visibility into the end-user experience. However, for a lab or demo environment, Splunk Enterprise might be a bit oversized. Fortunately, Splunk Free is available as an alternative; it gives you 500 MB of indexing volume per day at no charge. Sadly, there is one feature that Splunk Free lacks: saved searches. This article shows how to work around that limitation.

The problem

uberAgent relies on Splunk lookup tables to enrich parts of its data. In Splunk Enterprise, these lookup tables are generated by saved searches stored in uberAgent’s savedsearches.conf. Unfortunately, Splunk Free does not support saved searches. We already have a KB article online that explains how to run the searches manually to prevent empty or faulty dashboards.

uberAgent’s “Application Startup” dashboard without saved searches on Splunk Free

The solution

Doing things manually is always a bad idea: it is time-consuming and error-prone. Hence I automated it with a scheduled task, PowerShell, and Splunk’s REST API. The script is executed by a scheduled task at a specified interval and runs the required searches via Splunk’s REST API against your Splunk Free server.

The PowerShell script accepts two parameters.

  1. Server to configure the Splunk server. The default is localhost.
  2. Earliest to configure the time range. The default is the last seven days.

<#
.SYNOPSIS
Run searches against Splunk Free REST API to create lookup tables required by uberAgent
.PARAMETER Server
Splunk server. Default is localhost.
.PARAMETER Earliest
Time range. Default is last seven days.
.EXAMPLE
.\Invoke-uberAgentSearches.ps1
Invokes uberAgent searches against the server localhost for the time range of seven days.
.EXAMPLE
.\Invoke-uberAgentSearches.ps1 -Server 'MySplunkServer' -Earliest '-1d'
Invokes uberAgent searches against the server MySplunkServer for the time range of one day.
.NOTES
Script: Invoke-uberAgentSearches.ps1
Author: Dominik Britz, vast limits GmbH
uberagent.com
#>

#region parameters

Param
(
    # Splunk server. Default is localhost.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [string]$Server = 'localhost',

    # Time range. Default is last seven days.
    [Parameter(Mandatory=$false)]
    [ValidateNotNullOrEmpty()]
    [string]$Earliest = '-7d'
)

#endregion

#region variables

[string]$Uri = "http://${Server}:8089/services/search/jobs/export"

#endregion

#region main

[array]$Searches = @(
    'search index=`uberAgent_index` sourcetype=uberAgent:Application:AppNameIdMapping AppId=* AppName=* | stats latest(_time) as _time mode(AppName) as AppName by AppId | inputlookup append=t lookup_appnameidmapping | stats latest(_time) as _time latest(AppName) as AppName by AppId | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields AppName AppId _time | outputlookup lookup_appnameidmapping'
    'search index=`uberAgent_index` (sourcetype=uberAgent:System:MachineInventory OR sourcetype=uberAgent:System:NetworkConfigInformation) OsVersion=* | stats latest(_time) as _time latest(OsVersion) as OsVersion latest(OsBuild) as OsBuild latest(OsType) as OsType latest(AdDomainDns) as AdDomainDns latest(AdSite) as AdSite latest(AdOu) as AdOu latest(CtxFarmName) as CtxFarmName latest(CtxMachineCatalogName) as CtxMachineCatalogName latest(CtxDeliveryGroupName) as CtxDeliveryGroupName latest(HwManufacturer) as HwManufacturer latest(HwModel) as HwModel values(NetworkConfigIPv4) as NetworkConfigIPv4 by host | inputlookup append=t lookup_hostinfo | fields - Ipv4Address | stats latest(_time) as _time latest(OsVersion) as OsVersion latest(OsBuild) as OsBuild latest(OsType) as OsType latest(AdDomainDns) as AdDomainDns latest(AdSite) as AdSite latest(AdOu) as AdOu latest(CtxFarmName) as CtxFarmName latest(CtxMachineCatalogName) as CtxMachineCatalogName latest(CtxDeliveryGroupName) as CtxDeliveryGroupName latest(HwManufacturer) as HwManufacturer latest(HwModel) as HwModel values(NetworkConfigIPv4) as Ipv4Address by host | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields host OsVersion OsBuild OsType AdDomainDns AdSite AdOu CtxFarmName CtxMachineCatalogName CtxDeliveryGroupName HwManufacturer HwModel Ipv4Address _time | outputlookup lookup_hostinfo'
    'search index=`uberAgent_index` sourcetype=uberAgent:System:MachineInventory RAMSizeGB=* | stats latest(_time) as _time latest(RAMSizeGB) as RAMSizeGB latest(IsBatteryPresent) as IsBatteryPresent latest(CPUName) as CPUName latest(CPUSockets) as CPUSockets latest(CPUCoresPhysical) as CPUCoresPhysical latest(CPUCoresLogical) as CPUCoresLogical latest(CPUMaxMhz) as CPUMaxMhz latest(HwIsVirtualMachine) as HwIsVirtualMachine latest(OsUpdateBuildRevision) as OsUpdateBuildRevision by host | inputlookup append=t lookup_hostinfo2 | stats latest(_time) as _time latest(RAMSizeGB) as RAMSizeGB latest(IsBatteryPresent) as IsBatteryPresent latest(CPUName) as CPUName latest(CPUSockets) as CPUSockets latest(CPUCoresPhysical) as CPUCoresPhysical latest(CPUCoresLogical) as CPUCoresLogical latest(CPUMaxMhz) as CPUMaxMhz latest(HwIsVirtualMachine) as HwIsVirtualMachine latest(OsUpdateBuildRevision) as OsUpdateBuildRevision by host | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields host RAMSizeGB IsBatteryPresent CPUName CPUSockets CPUCoresPhysical CPUCoresLogical CPUMaxMhz HwIsVirtualMachine OsUpdateBuildRevision _time | outputlookup lookup_hostinfo2'
    '| pivot uberAgent Process_ProcessStartup latest(_time) as LastSeen splitrow ProcName | eval ProcName = lower (ProcName) | inputlookup append=t lookup_processstartup_processlist | stats first(LastSeen) as LastSeen by ProcName | eval LastSeen = round (strptime (LastSeen, "%Y-%m-%dT%H:%M:%S.%Q%z"), 0) | eval TimeDelta=now()-LastSeen | search TimeDelta<31536000 | fields ProcName LastSeen | outputlookup lookup_processstartup_processlist'
    '| pivot uberAgent Process_NetworkTargetPerformance latest(_time) as LastSeen splitrow NetTargetRemoteNameAddress | eval ProcName = lower (NetTargetRemoteNameAddress) | inputlookup append=t lookup_networktargetperformance_targetlist | stats first(LastSeen) as LastSeen by NetTargetRemoteNameAddress | eval LastSeen = round (strptime (LastSeen, "%Y-%m-%dT%H:%M:%S.%Q%z"), 0) | eval TimeDelta=now()-LastSeen | search TimeDelta<31536000 | fields NetTargetRemoteNameAddress LastSeen | outputlookup lookup_networktargetperformance_targetlist'
)

# Run each search through the export endpoint. The outputlookup command at the
# end of every search writes the lookup table on the Splunk server as a side effect.
Foreach ($Search in $Searches)
{
    $Body = @{
        search      = $Search
        output_mode = 'json'
        earliest    = $Earliest
    }
    Try
    {
        # Splunk Free has no user authentication, so no credentials are passed
        Invoke-RestMethod -Method Post -Uri $Uri -Body $Body
    }
    Catch
    {
        Write-Error -Message $_
    }
}

#endregion

Please note that the included searches are for uberAgent 5.0.1. They might change in the future, so always check our KB article first!

Save this script somewhere. Then create and configure the scheduled task. Of course, you can use PowerShell for this as well. Just customize the variables in the following script to your needs and run it. I decided to run the task weekly on Sunday at 10:00 PM on my Splunk Free server. This aligns perfectly with the default time range of the last seven days in Invoke-uberAgentSearches.ps1.

#Requires -RunAsAdministrator
# Customize these variables to your environment
$ScriptPath = 'C:\Scripts\Invoke-uberAgentSearches.ps1'
$WeekDay = 'Sunday'
$Time = '10:00PM'
$TaskName = 'Invoke uberAgent searches'

Try
{
    # Run the search script hidden and without loading a PowerShell profile
    $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-NoProfile -WindowStyle Hidden -File `"$ScriptPath`""
    # Weekly trigger, matching the script's default time range of seven days
    $Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek $WeekDay -At $Time

    Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName $TaskName -User 'SYSTEM'
}
Catch
{
    Write-Error -Message $_
}

Hint: the script’s $Uri talks to the Splunk management port over plain http. If your Splunk Free server does not have a valid SSL certificate installed, do not forget to allow communication via http; otherwise, change the scheme in $Uri to https.
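To confirm that the scheduled task did its job, the following added example (not code from the original post or from uberAgent) queries each lookup’s row count through the same export endpoint and exits non-zero if any lookup is empty or unreachable. It assumes a Splunk Free server without authentication, the http scheme and port used above, and the lookup names written by the searches above.

```powershell
# Added example, not part of the original post: verify that the lookup tables
# written by Invoke-uberAgentSearches.ps1 are actually populated. Assumes a
# Splunk Free server (no authentication) reachable on the management port
# over http, as in the script above. Lookup names are those the searches write.
Param
(
    [string]$Server = 'localhost'
)

$Uri = "http://${Server}:8089/services/search/jobs/export"

# Lookups generated by the five searches in Invoke-uberAgentSearches.ps1
$Lookups = @(
    'lookup_appnameidmapping'
    'lookup_hostinfo'
    'lookup_hostinfo2'
    'lookup_processstartup_processlist'
    'lookup_networktargetperformance_targetlist'
)

$Report = foreach ($Lookup in $Lookups)
{
    $Body = @{
        search      = "| inputlookup $Lookup | stats count as RowCount"
        output_mode = 'json'
    }
    Try
    {
        # The export endpoint streams one JSON object per line; for a
        # single-row result the last non-empty line holds the final result.
        $Response = Invoke-WebRequest -UseBasicParsing -Method Post -Uri $Uri -Body $Body
        $Last = ($Response.Content -split "`n" | Where-Object { $_.Trim() }) | Select-Object -Last 1
        $RowCount = [int](($Last | ConvertFrom-Json).result.RowCount)
    }
    Catch
    {
        Write-Error -Message "Could not query ${Lookup} on ${Server}: $_"
        $RowCount = -1
    }
    [pscustomobject]@{ Lookup = $Lookup; RowCount = $RowCount }
}

$Report | Format-Table -AutoSize

# Exit non-zero if any lookup is empty or unreachable, so this check can run
# as a second scheduled task right after the searches and flag failures.
if ($Report | Where-Object { $_.RowCount -le 0 }) { exit 1 }
```

Run it a few minutes after the search task has fired; a RowCount of 0 for a lookup means the corresponding search returned nothing for the configured time range.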

Your benefit

The result is a Splunk Free lab environment that is always ready for the job. By the way, this aligns perfectly with our free one-year community edition!

uberAgent’s “Application Startup” dashboard with saved searches on Splunk Free

About uberAgent

The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.

uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.

uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.

About vast limits

vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.
