
Quick Start Guide: Rubrik Add-On for Splunk

Introduction to the Rubrik Add-On for Splunk

Rubrik’s API-first architecture allows for integration with a wide array of monitoring and visibility tools. This quick start guide provides everything needed to begin streaming metrics from Rubrik CDM and Polaris into Splunk, allowing you to consume dashboards, alerts, and analytics in an easy-to-use web interface. Data is ingested by Splunk via REST API and analyzed by the Splunk platform, presenting the following information:

  • Event data - security, replication, backup, recovery, archive and more
  • Capacity statistics and trending
  • Backup and recovery histories and trending
  • Ransomware detection events via Polaris Radar

The Rubrik Add-On for Splunk consists of two pieces: the Rubrik Splunk Add-On, available on Splunkbase, and the Rubrik Splunk Application, also available on Splunkbase. The add-on performs the heavy lifting of communicating with the Rubrik REST API endpoint to gather metrics, while the application contains the dashboards and other logic used for visualization in Splunk.

Installing the Rubrik Add-On for Splunk

This section details the steps required to install all necessary components for the Rubrik Add-On for Splunk.

Prerequisites

Installing the Rubrik Splunk Add-On

Search for the Rubrik Splunk Add-On by clicking on Apps > Find More Apps in your Splunk GUI, or browse to http://<Your Splunk Server>:8000/en-US/manager/system/appsremote. Perform a search for “Rubrik”, and the Rubrik Splunk Add-On will be displayed in the results. Click ‘Install’, and complete the displayed dialog.

After installation is complete, you will be prompted to restart your Splunk server. Click Restart Now or Restart Later depending on your preference. Continue with the installation steps once the restart is complete.

After logging back into the Splunk server, you will see the Rubrik Splunk Add-On listed in the Apps menu.

Installing the Rubrik Splunk Application

Search for the Rubrik Splunk Application by clicking on Apps > Find More Apps in your Splunk GUI, or browse to http://<Your Splunk Server>:8000/en-US/manager/system/appsremote. Perform a search for “Rubrik”, and the Rubrik Splunk Application will be displayed in the results. Click ‘Install’, and complete the displayed dialog.

After installation is complete, you will be prompted to restart your Splunk server. Click Restart Now or Restart Later depending on your preference. Continue with the installation steps once the restart is complete.

After logging back into the Splunk server, you will see the Rubrik Splunk Application listed in the Apps menu.

Configuration

This section details the steps required to configure all necessary components for the Rubrik Add-On for Splunk.

Configure Monitoring for Cloud Data Management

The next step is to configure credentials for your Rubrik CDM cluster(s). Click on Apps > Rubrik Splunk Add-On. Click on Configuration, then click Add.

This will display the Add Account dialog. Provide an account name, username and password for Splunk to connect to your CDM cluster via REST API. Repeat this step for each cluster you would like to monitor. The value you provide for Account Name will be used to identify each cluster in dashboards. As an example, if you are monitoring two clusters, you could use Cluster_A and Cluster_B for the account names.

Note: Account name must start with a letter and be followed by alphanumeric characters or underscores.

After adding all necessary accounts, click on the Logging tab and verify that the log level is set to provide the desired amount of detail. INFO is the default selection, and should be adequate for most use cases.

Creating Inputs

Inputs specify data that will be gathered from the Rubrik REST API endpoint. You will create four new inputs via the Splunk GUI. From within the Rubrik Splunk Add-On, click Inputs, then Create New Input. The dropdown will display a list of all possible input types. Create inputs based on the values below.

Note: If you are adding multiple Rubrik clusters, it is a good idea to include a short version of the cluster name in the Name field; in that case, replace rubrik in the names below with the short name of your cluster.
Note: It is a good idea to use a floating IP address for the Rubrik Node value. This ensures that if a node is unavailable, the data points can still be gathered. Instructions on setting up floating IPs can be found in the Rubrik User Guide, which is available on the Rubrik Support Portal.
Note: For each input you can choose to validate the SSL certificate presented by the Rubrik cluster. This is disabled by default, but the 'Verify SSL Certificate' box can be checked on each input to enable it.
Input Type: Rubrik - Runway remaining
Name: rubrik_runway_remaining
Interval: 3600
Index: main
Global Account: <Account Name defined in previous section>
Rubrik Node: <FQDN or floating IP>

Input Type: Rubrik - Storage Summary
Name: rubrik_storage_summary
Interval: 600
Index: main
Global Account: <Account Name defined in previous section>
Rubrik Node: <FQDN or floating IP>

Input Type: Rubrik - Cluster IO Stats
Name: rubrik_cluster_io_stats
Interval: 60
Index: main
Global Account: <Account Name defined in previous section>
Rubrik Node: <FQDN or floating IP>

Input Type: Rubrik - Event Feed
Name: rubrik_event_feed
Interval: 300
Index: main
Global Account: <Account Name defined in previous section>
Rubrik Node: <FQDN or floating IP>

Input Type: Rubrik - Archive Location Bandwidth
Name: rubrik_archive_location_bandwidth
Interval: 840
Index: main
Global Account: <Account Name defined in previous section>
Rubrik Node: <FQDN or floating IP>

Input Type: Rubrik - Archive Location Usage
Name: rubrik_archive_location_usage
Interval: 3600
Index: main
Global Account: <Account Name defined in previous section>
Rubrik Node: <FQDN or floating IP>

Below is an example of what your Inputs screen would look like if you have two clusters monitored by Splunk.

Creating Datasets

The Splunk Datasets Add-On can be used to create new tables from gathered data. In this scenario, five new datasets will be created to be used by the predefined dashboards. Install this add-on before continuing if it is not already present.

You will use the search strings below to create each dataset. To create a new dataset, click on Apps > Rubrik, then Create New Table Dataset.

Click on Search (Advanced), paste in the search string, and click the green search button. This will display a list of available fields along with search results. Select the fields specified with the search string and click Done. Note that some fields, like _time and _raw, may be auto-selected for you. Click Done, and a preview of the dataset will be displayed. Click Save As, input the table title and table ID, and click Save. Below is an example of creating the Rubrik - Runway Remaining dataset.

1. Perform a search using the Search String, select the desired fields, and click Done.

2. Preview the dataset and click Save As.

3. Provide the Table Title and Table ID for the dataset and click Save.

4. Click Done.

Use these values to create the five needed datasets based on the instructions above:

Table Title: Rubrik - Backup Job Events
Search String: (index="main") (sourcetype="rubrik:eventfeed") | where eventType="Backup" | eval _time = strptime(time, "%a %b %d %H:%M:%S %Z %Y") | dedup id
Table ID: rubrik_dataset_backup_job_events
Fields: _time, clusterName, eventStatus, locationName, message, objectName, objectType

Table Title: Rubrik - Runway Remaining
Search String: (index="main") (sourcetype="rubrik:runwayremaining")
Table ID: rubrik_dataset_runway_remaining
Fields: _time, clusterName, daysRemaining

Table Title: Rubrik - Security Audit Events
Search String: (index="main") (sourcetype="rubrik:eventfeed") | where eventType="Audit" | eval _time = strptime(time, "%a %b %d %H:%M:%S %Z %Y")
Table ID: rubrik_dataset_security_audit_events
Fields: _time, clusterName, eventStatus, eventType, message, username, hostname

Table Title: Rubrik - Storage Summary
Search String: (index="main") (sourcetype="rubrik:storagesummary")
Table ID: rubrik_dataset_storage_summary
Fields: _time, available, clusterName, liveMount, miscellaneous, snapshot, total, used

Table Title: Rubrik - Cluster IO Stats
Search String: (index="main") (sourcetype="rubrik:clusteriostats") | eval _time = strptime(time, "%Y-%m-%dT%H:%M:%S.%f%Z")
Table ID: rubrik_dataset_cluster_io_stats
Fields: _time, clusterName, readBytePerSecond, readsPerSecond, writeBytePerSecond, writesPerSecond

Table Title: Rubrik - Replication Events
Search String: (index="main") (sourcetype="rubrik:eventfeed") | where eventType="Replication" | eval _time = strptime(time, "%a %b %d %H:%M:%S %Z %Y") | dedup id
Table ID: rubrik_dataset_replication_events
Fields: _time, clusterName, eventStatus, message, objectId, objectName, objectType

Table Title: Rubrik - Archive Events
Search String: (index="main") (sourcetype="rubrik:eventfeed") | where eventType="Archive" | eval _time = strptime(time, "%a %b %d %H:%M:%S %Z %Y") | dedup id
Table ID: rubrik_dataset_archive_events
Fields: _time, clusterName, eventStatus, message, objectId, objectName, objectType

Table Title: Rubrik - Recovery Events
Search String: (index="main") (sourcetype="rubrik:eventfeed") | where eventType="Recovery" | eval _time = strptime(time, "%a %b %d %H:%M:%S %Z %Y") | dedup id
Table ID: rubrik_dataset_recovery_events
Fields: _time, clusterName, eventStatus, message, objectId, objectName, objectType, username

Table Title: Rubrik - Archive Bandwidth Usage
Search String: (index="main") (sourcetype="rubrik:archivebandwidth") | eval _time = strptime(time, "%Y-%m-%dT%H:%M:%S.%f%Z")
Table ID: rubrik_dataset_archive_bandwidth_usage
Fields: _time, clusterName, locationName, type, value

Table Title: Rubrik - Archive Location Usage
Search String: (index="main") (sourcetype="rubrik:archiveusage")
Table ID: rubrik_dataset_archive_usage
Fields: _time, clusterName, dataArchived, dataDownloaded, locationName, numFilesetsArchived, numHypervVmsArchived, numLinuxFilesetsArchived, numManagedVolumesArchived, numMssqlDbsArchived, numNutanixVmsArchived, numShareFilesetsArchived, numStorageArrayVolumeGroupsArchived, numVMsArchived, numWindowsVolumeGroupsArchived
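The event-feed dataset searches above all follow the same shape: filter on eventType, convert the string time field with strptime, and (for most of them) dedup on id. As an added example that is not part of the Rubrik add-on, the following Python reproduces the Rubrik - Security Audit Events search over a handful of constructed rubrik:eventfeed events and then counts failed logins per username, the way the Security Dashboard's top-10 failed logins panel does over the last 24 hours. The eventStatus and message values in the sample data are assumptions; only the field names come from the dataset field lists.

```python
from collections import Counter
from datetime import datetime, timedelta

# The strptime format the dataset search strings apply to the rubrik:eventfeed "time" field.
EVENTFEED_TIME_FMT = "%a %b %d %H:%M:%S %Z %Y"

# Constructed sample events (not real Rubrik output). Field names follow the dataset
# field lists; the eventStatus values "Success"/"Failure" are assumptions.
SAMPLE_EVENTS = [
    {"id": "e1", "eventType": "Audit", "eventStatus": "Success", "clusterName": "Cluster_A",
     "time": "Mon Jan 06 10:15:30 UTC 2020", "username": "alice", "hostname": "10.0.0.5"},
    {"id": "e2", "eventType": "Audit", "eventStatus": "Failure", "clusterName": "Cluster_A",
     "time": "Mon Jan 06 10:16:02 UTC 2020", "username": "admin", "hostname": "10.0.0.9"},
    {"id": "e2", "eventType": "Audit", "eventStatus": "Failure", "clusterName": "Cluster_A",
     "time": "Mon Jan 06 10:16:02 UTC 2020", "username": "admin", "hostname": "10.0.0.9"},
    {"id": "e3", "eventType": "Backup", "eventStatus": "Success", "clusterName": "Cluster_A",
     "time": "Mon Jan 06 10:20:00 UTC 2020", "objectName": "vm-01", "objectType": "VmwareVm"},
    {"id": "e4", "eventType": "Audit", "eventStatus": "Failure", "clusterName": "Cluster_A",
     "time": "Mon Jan 06 10:17:45 UTC 2020", "username": "admin", "hostname": "10.0.0.9"},
    {"id": "e5", "eventType": "Audit", "eventStatus": "Failure", "clusterName": "Cluster_A",
     "time": "Sun Jan 05 09:00:00 UTC 2020", "username": "bob", "hostname": "10.0.0.7"},
]


def parse_event_time(value):
    """Equivalent of: eval _time = strptime(time, "%a %b %d %H:%M:%S %Z %Y")."""
    return datetime.strptime(value, EVENTFEED_TIME_FMT)


def audit_events(events, now, window=timedelta(hours=24)):
    """where eventType="Audit", parse _time, dedup id (as the other feed searches do),
    and keep only events inside the dashboard's 24 hour window ending at `now`."""
    seen, result = set(), []
    for ev in events:
        if ev.get("eventType") != "Audit" or ev["id"] in seen:
            continue  # wrong event type, or a repeat delivered by an overlapping poll
        seen.add(ev["id"])
        ts = parse_event_time(ev["time"])
        if now - window <= ts <= now:
            result.append({**ev, "_time": ts})
    return result


def top_failed_logins(events, now, n=10):
    """Failed audit events per username, as the Security Dashboard's top-10 panel counts them."""
    failed = (ev["username"] for ev in audit_events(events, now) if ev["eventStatus"] == "Failure")
    return Counter(failed).most_common(n)


if __name__ == "__main__":
    now = datetime(2020, 1, 6, 12, 0, 0)  # constructed "current time" for the sample data
    print(top_failed_logins(SAMPLE_EVENTS, now))
```

The duplicate e2 and the day-old e5 are there on purpose: the first is dropped by the id dedup, the second by the 24 hour window, so the only username left in the failed-login count is admin.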

Configure Monitoring for Polaris

Configuring monitoring for Polaris is very similar to CDM. If you skipped the CDM section, take a moment to review it so you are familiar with the concepts. To configure credentials for Polaris, click on Apps > Rubrik Splunk Add-On. Click on Configuration, then click Add. Supply credentials with permissions to access Polaris.

Creating Input for Polaris

You will create one new input for Polaris. From within the Rubrik Splunk Add-On, click Inputs, then Create New Input, then Polaris - Radar Anomalies.

Use these values to configure the input:

Input Type: Polaris - Radar Anomalies
Name: polaris_radar_anomalies
Interval: 900
Index: main
Global Account: <Polaris Account Name>
Polaris URL: <your_polaris_url>.my.rubrik.com

Upgrading the Rubrik Add-On for Splunk

Upgrades for the Rubrik Splunk Add-On can be performed directly through the Splunk GUI by clicking on Apps > Manage Apps, and clicking Update for the Rubrik Splunk Add-On. Upgrades for the Rubrik Splunk Application are available via the same method. After upgrading, review the inputs and datasets sections above and compare them against your current configuration to identify changed fields and queries as well as new datasets and inputs.

Usage

There are five dashboards included with the Rubrik Add-On for Splunk:

  • Rubrik - Capacity Dashboard: Displays capacity and throughput statistics for the cluster

  • Rubrik - Job History Dashboard: Displays 24 hours of backup history, including successful and failed job statistics, object type breakdown, and failure logs

  • Rubrik - Security Dashboard: Displays 24 hours of login information, top 10 logins by username and login count, and top 10 failed logins

  • Rubrik - Recovery History Dashboard: Displays 24 hours of recovery information for the selected cluster

  • Rubrik - Archive and Replication Dashboard: Displays 24 hours of information around archival and replication from the selected cluster

To view dashboards, browse to Apps > Rubrik, and click on Dashboards. Click on the desired dashboard, and select a cluster from the Cluster Name dropdown. The dashboard will populate with data that Splunk has gathered. Below is an example of the Rubrik - Capacity Dashboard.

The table below shows the default timeframe for each Rubrik - Capacity Dashboard component. All other dashboard components show 24 hours of data.

Widget: Timeframe
Capacity Available: Latest data
Capacity Available - Percentage: Last 24 hours
Runway Remaining - Days: Last 24 hours
Runway Remaining: Last 90 days
Cluster Throughput - IOPS: Last 24 hours
Cluster Throughput - Bytes per Second: Last 24 hours

Setting a Default Rubrik Cluster for Dashboards

The bundled dashboards include a dropdown to select the cluster for which to display gathered metrics. By default, this dropdown will be blank. To set a default value, follow these steps:

Browse to the dashboard you wish to configure, and click the Edit button.

This will open the Edit Dashboard page. Click the pencil icon above the Cluster Name dropdown. In the displayed dialog, choose the desired default cluster from the Default dropdown in the Token Options section, then click Apply. Click Save on the Edit Dashboard page to save your changes.

Note: The list in the Default dropdown may take some time to populate after new inputs are added to Splunk.

Check the GitHub repo for more information on the Rubrik Add-On for Splunk.

Additional Reading
