Red Hat blog
Businesses want to make data-driven decisions using data platforms and artificial intelligence (AI) to extract valuable knowledge to apply to the products and services they use and offer. Most of them rely on specialized data platforms to ingest and analyze all business sources of data in a continuous fashion.
Splunk offers an extensible data platform that supports shared data from any environment to provide all teams in an organization the visibility they need for end-to-end observability, with context, of every interaction and business process.
Red Hat Insights continuously analyzes platforms and applications to help predict risk, recommend actions and track costs so enterprises can better manage hybrid cloud environments.
Correlating Insights data with other data sources in the Splunk data platform leads to better understanding of efficiency, reliability and maintainability, and ultimately assists operations, security risk processes and compliance management. While Insights APIs are available for integrating with third-party applications, we hear from users that they need quick, easy and secure solutions, as time is one of their most valuable resources.
In this article, we introduce new integration capabilities of Insights to better combine Red Hat findings in Splunk. The aim is to provide ways for common users to consolidate their operations and management and obtain greater value from combined platforms. The proposed integration is the foundation for additional extensions and custom analysis based on business needs and available data.
Red Hat Insights integration with Splunk
In a recent blog post, we covered capabilities to integrate Insights into your operational workflow. These include querying Insights APIs (see cheatsheet and API documentation), posting to commonly used webhook endpoints, downloading exports via CSV, JSON or PDF files, or using bespoke application integrations. The Insights integration with Splunk falls into this last category.
The connection is established by installing the Red Hat Insights application for Splunk (see 2 on the image above) from the Splunkbase Marketplace (1) and following a configuration wizard (3). The wizard guides the user on the necessary setup steps, which are automated for common usage (4). The application can be installed on either Splunk Enterprise or Splunk Cloud. Full product documentation is available from Installing and configuring Red Hat Insights application for Splunk.
Once the application is deployed and configured, your Splunk instance is ready to receive a stream of Insights events as soon as they get triggered. The application provides dashboards and tables to facilitate the initial exploration of Insights data. It is also possible to access RAW data and build more advanced queries and visualizations using the Splunk search functionality, as you do with any other ingested data sets. The code for the application is open source, and your suggestions and contributions are welcome on its GitHub repository.
Under the hood, the connection between Insights and your Splunk instance makes use of the integrations and notifications services, which post messages over HTTPS to a Splunk HTTP Event Collector (HEC) receiver. Authentication is token-based and all data is stored in a separate index named ‘redhatinsights’. Multiple Red Hat accounts can be configured against the same Splunk instance.
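To check the receiving side of this connection, the following added example (not code from the Red Hat Insights application) builds a token-authenticated HEC request for the redhatinsights index, refuses non-HTTPS URLs, and interprets the collector's reply codes. The host name, port 8088, token value and the event payload shape are assumptions for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

INDEX = "redhatinsights"  # index name given in the article

# HEC reply codes relevant to this setup, per Splunk's HEC documentation.
HEC_CODES = {0: "accepted", 1: "token disabled", 3: "invalid authorization",
             4: "invalid token", 7: "incorrect index for this token"}


def build_hec_request(base_url, token, event, index=INDEX):
    """Build (without sending) an HEC request carrying one event."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("HEC URL must be https:// so the token is not sent in clear")
    if not token or any(c.isspace() for c in token):
        raise ValueError("empty or malformed HEC token")
    body = json.dumps({"index": index, "event": event}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/collector/event",
        data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})


def explain_reply(raw):
    """Turn an HEC JSON reply body into (accepted, diagnosis)."""
    reply = json.loads(raw)
    code = reply.get("code")
    return code == 0, HEC_CODES.get(code, reply.get("text", "unknown"))


def send(req, timeout=10):
    """Send with certificate and hostname verification on (the default context)."""
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return explain_reply(resp.read())
    except urllib.error.HTTPError as err:  # HEC reports token/index errors as 4xx
        return explain_reply(err.read())


if __name__ == "__main__":
    # Constructed placeholders: substitute your own HEC URL and token, then call send(req).
    req = build_hec_request("https://splunk.example.com:8088", "PLACEHOLDER-TOKEN",
                            {"event_type": "hec-smoke-test"})
    print(req.get_method(), req.full_url)
    print(explain_reply('{"text": "Incorrect index", "code": 7}'))
```

An "incorrect index" reply when the same token is used with any index other than redhatinsights indicates the token is scoped to that index only, which limits what a leaked token can write to.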
The provided dashboard offers a summary of the latest data collected. It is meant to provide a set of examples to build your own widgets and queries. We focus on Operations and Security, with queries covering Advisor, Drift and Policies triggered events, as well as Vulnerability and Compliance. Provided queries are either on the last 24 hours or the last 30 days. Most of the widgets provide hyperlinks which redirect to a filtered view of the Events table or to Insights for additional details.
The events table gathers all received Insights events. Its filters help you troubleshoot and isolate specific events, and can be used in combination. All events have hyperlinks that redirect to the corresponding view on Red Hat Insights for more information and remediation when available.
The search functionality is a common Splunk application and is exposed as a convenient way to query ingested data. From there, you can run any query to analyze your RAW dataset and build bespoke visualizations (e.g. index="redhatinsights" | stats count(timestamp) by event_type in the example below).
Finally, the contact us section provides information about the installed application version, links to product documentation, and ways to contact Red Hat Support.
Getting started and follow-up
At the time of writing, the application is available as Service Preview on the Splunkbase Marketplace. In order to install it on your Splunk instance, simply search for “Red Hat Insights” on the Splunkbase Marketplace and follow the instructions. Your application’s dashboard and table will be populated as soon as Insights forwards events.
We hope you are as excited as we are about the introduction of this new Insights integration with Splunk. Insights data gathering and findings can greatly contribute to the overall operational workflow and management of your organization. With integrations like this, we aim to surface proactive recommendations from Insights in other tooling and to complement your ongoing security or automation initiatives.
We are always looking for additional use cases and welcome any feedback that can help the product grow and respond to your challenges. Feel free to suggest integrations you would like us to address, or a vendor or community we should start collaborating with. Product suggestions can be submitted using the Red Hat Customer Portal feedback form.
About the author
Jerome Marc is a Red Hat Principal Product Manager with over 15 years of international experience in the software industry spanning product management and product marketing, software lifecycle management, enterprise-level application design and delivery, and solution sales.