Create Beautiful Availability Dashboards In Splunk with Solarwinds Data

SolarWinds is very rich in data, and here is one way to get some of it into Splunk. The "Node is down" alert in NPM sends a syslog message to Splunk when it triggers and again when it resets; Splunk pairs the two messages into one outage per node, and the dashboard below turns those outages into Device Availability heat maps.

Here is the example Contoso Node Availability dashboard:

[screenshot: 2020-05-15_16-09-46.png]

Step 1) You will need to have Solarwinds NPM installed.

Step 2) You will need to have Splunk installed.

Step 2.1) Install the Calendar Heatmap custom visualization app from Splunkbase. The dashboard panels use the calendar_heatmap_app.calendar_heatmap viz type it provides, so without it the panels render nothing.

Step 2.2) Create a new dashboard called "Contoso Node Availability". Select Edit Dashboard, then Source, paste in the XML source listed below, and save the dashboard.

Step 3) Create a custom index in Splunk. The dashboard searches use index=solarwinds, so create the index with exactly that name (Splunk index names are lowercase). Then add a syslog data input that writes to it; I created a TCP input on port 532, but any port works, including the syslog default of 514/UDP. Prefer TCP over UDP where you can: UDP syslog is unauthenticated, so any host that can reach the port can inject a fake "Node is down" or "Reset" event, and UDP silently drops messages under load, which leaves a Trigger without its Reset and skews the availability numbers. Either way, restrict the input to the Orion server's address, at the firewall or with the input's acceptFrom setting.

Step 4) Enable the "Node is down" alert in SolarWinds NPM (Orion). You can do this from the "Manage Alerts" section.

Step 5) Add a Trigger Action to the alert. Choose "Send a Syslog Message" and provide the IP and port of the Splunk syslog input. Be exact about the message text: the dashboard searches filter on alert_name="Node is down", group by node_name, and rely on the transaction command finding the literal word "Trigger" in the event. The trigger message therefore has to carry the alert name and the node name in a form Splunk extracts as those two fields, plus the word Trigger, exactly as in the screenshot, or the dashboard will not find the indexed data.

[screenshot: 2020-05-15_16-14-53.png]

Step 6) Add a Reset Action to the same alert. Again choose "Send a Syslog Message" with the same Splunk IP and port, and use the same message tags with the word "Reset" in place of "Trigger". The transaction command closes an outage only when it sees a Reset for the same node_name, so a reset message that does not match leaves the outage unclosed and it is never counted.

[screenshot: 2020-05-15_16-15-56.png]

Step 7) Test the alert, either with the Test feature in SolarWinds or by rebooting a monitored device so that the alert triggers and then resets. I also configure the alert to send an email on both trigger and reset so that I know it is working as expected.

Step 8) Run an SPL search against the new index to confirm that data is being collected; every dashboard panel starts from index=solarwinds alert_name="Node is down", so that is a good test search. Once it returns both Trigger and Reset events, the full dashboard will populate.

[screenshot: 2020-05-15_16-17-44.png]
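Before trusting the numbers on the dashboard it helps to see what its searches actually count. The script below is an added example, not code from this post or from SolarWinds or Splunk: it models the transaction node_name startswith="Trigger" endswith="Reset" pairing in plain Python over a few constructed syslog lines. The message layout (alert_name="..." node_name=... state=Trigger|Reset after a BSD syslog header) is an assumption about how the Trigger and Reset actions above were filled in; the real format is whatever you typed into the action's message field, and the node names, timestamps and the extra High CPU line are made up. It also covers the two cases sum(closed_txn) never counts: a node that is still down (a Trigger with no Reset yet) and a Reset whose Trigger was never received.

```python
"""Offline model of what the dashboard's SPL does with the SolarWinds syslog feed:
    transaction node_name startswith="Trigger" endswith="Reset" | timechart sum(closed_txn)
Parses constructed syslog lines, pairs each node's Trigger with its next Reset, and reports
closed outages, nodes still down (no Reset yet) and Resets that had no Trigger."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample feed, not real data. The body layout is an ASSUMPTION about how the
# Trigger/Reset "Send a Syslog Message" actions were filled in: key=value pairs Splunk can
# extract as alert_name and node_name, plus the literal Trigger/Reset words that the
# dashboard's transaction startswith/endswith clauses look for.
SAMPLE_SYSLOG = """\
<14>May 15 08:02:11 orion SolarWinds: alert_name="Node is down" node_name=core-sw01 state=Trigger
<14>May 15 08:09:40 orion SolarWinds: alert_name="Node is down" node_name=core-sw01 state=Reset
<14>May 15 09:15:02 orion SolarWinds: alert_name="Node is down" node_name=edge-fw02 state=Trigger
<14>May 15 09:16:30 orion SolarWinds: alert_name="High CPU" node_name=db01 state=Trigger
<14>May 15 09:31:55 orion SolarWinds: alert_name="Node is down" node_name=edge-fw02 state=Reset
<14>May 15 10:00:00 orion SolarWinds: alert_name="Node is down" node_name=core-sw01 state=Trigger
<14>May 15 11:45:13 orion SolarWinds: alert_name="Node is down" node_name=wan-rtr03 state=Reset
"""

# BSD-syslog header (<PRI>timestamp host tag:) followed by the assumed key=value body.
LINE_RE = re.compile(
    r'^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ [^:]+: '
    r'alert_name="(?P<alert_name>[^"]+)" node_name=(?P<node_name>\S+) state=(?P<state>Trigger|Reset)$'
)


@dataclass
class Outage:
    node: str
    start: datetime
    end: Optional[datetime] = None  # None means no Reset seen yet: the node is still down

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def parse_syslog(text: str, year: int) -> List[dict]:
    """Turn raw lines into events. BSD syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not one of our messages; a real pipeline would count and review these
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append({"time": ts, **{k: m.group(k) for k in ("alert_name", "node_name", "state")}})
    return events


def pair_outages(events: List[dict], alert_name: str = "Node is down"
                 ) -> Tuple[List[Outage], List[Outage], List[str]]:
    """Mirror `transaction node_name startswith="Trigger" endswith="Reset"` per node.
    Returns (closed outages, outages still open, nodes whose Reset had no preceding Trigger)."""
    open_by_node: Dict[str, Outage] = {}
    closed: List[Outage] = []
    unclosed: List[Outage] = []
    orphan_resets: List[str] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["alert_name"] != alert_name:
            continue  # the dashboard's base search filters on alert_name first
        node = ev["node_name"]
        if ev["state"] == "Trigger":
            if node in open_by_node:  # second Trigger with no Reset between: the first stays unclosed
                unclosed.append(open_by_node[node])
            open_by_node[node] = Outage(node, ev["time"])
        elif node in open_by_node:
            outage = open_by_node.pop(node)
            outage.end = ev["time"]
            closed.append(outage)
        else:  # Reset before collection began, or the Trigger message was lost: no downtime computable
            orphan_resets.append(node)
    unclosed.extend(open_by_node.values())
    return closed, unclosed, orphan_resets


def timechart_closed(closed: List[Outage], span_minutes: int) -> Dict[datetime, int]:
    """Like `timechart span=<N>m sum(closed_txn)`: a closed transaction is stamped with its Trigger
    time, so an outage lands in the bucket where it began, not where it ended."""
    span = timedelta(minutes=span_minutes)
    counts: Counter = Counter()
    for o in closed:
        counts[o.start - (o.start - datetime.min) % span] += 1
    return dict(counts)


def top_nodes(closed: List[Outage], limit: int) -> List[Tuple[str, int]]:
    """Like `stats count by node_name | sort -Down limit=N`, the pie-chart panel."""
    return Counter(o.node for o in closed).most_common(limit)


if __name__ == "__main__":
    closed, still_open, orphans = pair_outages(parse_syslog(SAMPLE_SYSLOG, year=2020))
    for o in closed:
        print(f"{o.node}: down {o.start:%H:%M:%S} -> {o.end:%H:%M:%S} ({o.duration})")
    print("still down, never counted by sum(closed_txn):", [o.node for o in still_open])
    print("Reset without Trigger, ignored:", orphans)
    print("hourly closed outages:", {k.strftime("%H:%M"): v for k, v in timechart_closed(closed, 60).items()})
    print("top nodes:", top_nodes(closed, 24))
```

Run it as a script to print the pairing. The still-down list is the case a NOC or security reviewer most wants to see, because the dashboard shows nothing for that node until it recovers; if you need it on the dashboard, add a panel that searches for Trigger events with no later Reset rather than relying on closed_txn.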

Contoso Node Availability Source Code

<form theme="dark">
  <label>Contoso Node Availability</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="time" token="tok.time">
      <label>Time range (first panel)</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Availability 24 Hours</title>
      <viz type="calendar_heatmap_app.calendar_heatmap">
        <search>
          <!-- transaction pairs each node's Trigger with its next Reset; closed_txn is 1 only for a
               pair that has a Reset, so a node that is still down is not counted until it recovers. -->
          <query>index=solarwinds alert_name="Node is down"  | transaction node_name startswith="Trigger" endswith="Reset" | timechart span=1m sum(closed_txn)</query>
          <earliest>$tok.time.earliest$</earliest>
          <latest>$tok.time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="calendar_heatmap_app.calendar_heatmap.cellPadding">2</option>
        <option name="calendar_heatmap_app.calendar_heatmap.cellSize">10</option>
        <option name="calendar_heatmap_app.calendar_heatmap.cellStyle">circle</option>
        <option name="calendar_heatmap_app.calendar_heatmap.legendType">uniform</option>
        <option name="calendar_heatmap_app.calendar_heatmap.maxColor">#dc4e41</option>
        <option name="calendar_heatmap_app.calendar_heatmap.minColor">#f8be34</option>
        <option name="calendar_heatmap_app.calendar_heatmap.numOfBins">3</option>
        <option name="calendar_heatmap_app.calendar_heatmap.showLegend">1</option>
        <option name="calendar_heatmap_app.calendar_heatmap.splitMonths">1</option>
        <option name="drilldown">none</option>
        <option name="height">200</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Availability 14 Days</title>
      <viz type="calendar_heatmap_app.calendar_heatmap">
        <search>
          <query>index=solarwinds alert_name="Node is down"  | transaction node_name startswith="Trigger" endswith="Reset" | timechart span=1h sum(closed_txn)</query>
          <earliest>-14d@d</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="calendar_heatmap_app.calendar_heatmap.cellPadding">2</option>
        <option name="calendar_heatmap_app.calendar_heatmap.cellSize">10</option>
        <option name="calendar_heatmap_app.calendar_heatmap.cellStyle">circle</option>
        <option name="calendar_heatmap_app.calendar_heatmap.legendType">uniform</option>
        <option name="calendar_heatmap_app.calendar_heatmap.maxColor">#dc4e41</option>
        <option name="calendar_heatmap_app.calendar_heatmap.minColor">#f8be34</option>
        <option name="calendar_heatmap_app.calendar_heatmap.numOfBins">3</option>
        <option name="calendar_heatmap_app.calendar_heatmap.showLegend">1</option>
        <option name="calendar_heatmap_app.calendar_heatmap.splitMonths">1</option>
        <option name="drilldown">none</option>
        <option name="height">164</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Availability 12 Months</title>
      <viz type="calendar_heatmap_app.calendar_heatmap">
        <search>
          <query>index=solarwinds alert_name="Node is down"  | transaction node_name startswith="Trigger" endswith="Reset" | timechart span=1d sum(closed_txn)</query>
          <earliest>-12mon</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="calendar_heatmap_app.calendar_heatmap.cellPadding">2</option>
        <option name="calendar_heatmap_app.calendar_heatmap.cellSize">10</option>
        <option name="calendar_heatmap_app.calendar_heatmap.cellStyle">circle</option>
        <option name="calendar_heatmap_app.calendar_heatmap.legendType">uniform</option>
        <option name="calendar_heatmap_app.calendar_heatmap.maxColor">#dc4e41</option>
        <option name="calendar_heatmap_app.calendar_heatmap.minColor">#f8be34</option>
        <option name="calendar_heatmap_app.calendar_heatmap.numOfBins">3</option>
        <option name="calendar_heatmap_app.calendar_heatmap.showLegend">1</option>
        <option name="calendar_heatmap_app.calendar_heatmap.splitMonths">1</option>
        <option name="drilldown">none</option>
        <option name="height">201</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </viz>
    </panel>
  </row>
  <row>
    <panel>
      <title>Availability Top 24 Last 30 Days</title>
      <chart>
        <search>
          <!-- completed outages per node over the last 30 days; limit matches the panel title -->
          <query>index=solarwinds alert_name="Node is down"  | transaction node_name startswith="Trigger" endswith="Reset"  | stats count(node_name) AS Down by node_name | sort -Down limit=24</query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
  </row>
</form>

#security #splunk #solarwinds

https://www.linkedin.com/in/canalesj/ 

https://twitter.com/Canalesjj

attachments.zip
  • This kinda cracks me up... actually it looks great and good job!  We do use both as well.  I'm finding SEM is much more cost effective than splunk has been though.  The bill from splunk seems to have no end.  It's sorta ironic in a way.  Our enterprise security folks are looking for ways to now reduce the amount of logs going into splunk because it's quickly becoming NOT cost effective.

    Bill

  • ^ Same, half of my team are full time Splunk SMEs, plus a field of forwarders and indexers and such that we maintain, and *then* we actually start to pay for the licensing. Leadership is desperately feeling around for a competitor that can bring costs down and a few promising things have popped up in the last 3 months, but nobody seems to be ready to abandon the existing investment in Splunk to basically recreate the same thing with another platform unless the cost savings are really dramatic.

    This dashboard looks pretty solid as well, but there is the question of why pay to send the same data into Splunk when you can do very similar visualizations directly in Orion:

    https://thwack.solarwinds.com/t5/NPM-Documents/Using-Your-Custom-HTML-Resource-To-Properly-Display-SWQL-Query/tac-p/529221