Data Watches usually rely on Indexes, Source Types, Sources, and Hosts to monitor data, but that can be limiting for some use cases. In some environments, admins may want to watch only a subset of the data belonging to a select few hosts. That host-to-owner information is often already stored in a Change Management Database (CMDB) or in Assets and Identities tables, and is useful for tracing Splunk data from Index, to Host, to Owner. Data Watch has a lookup integration option to capture this use case.
For example, using this functionality, an admin can monitor network data by company subsidiary through a host-to-subsidiary lookup, without needing to list and update each host in Atlas Monitor.
Integrate a Lookup into a Data Watch
Identify an appropriate Lookup to integrate into Atlas Monitor. It must contain the following two fields:
Host Field: The Host Field is the field in the lookup that matches the Splunk host field. This can be an IP address or a machine name. This field is used to join the Lookup with the indexed data, so its values must match the host values Splunk assigns to the events.
Filter Field: The Filter Field is the field that the Host Field is translated to through the lookup (for example, a subsidiary or owner). The Data Watch selects hosts by the values of this field.
After identifying these two fields, create or navigate to a Data Watch and select the Advanced (Lookup) option on Host Filter on the Edit Data Watch modal. Additional fields should appear:
Lookup: Select the Lookup from the dropdown list
Filter Field: This is a list of all columns identified in the selected Lookup. Select the Filter Field identified above in the dropdown list.
Filter Field Values: This is a multi-value input for all Filter Field values that should be attributed to this Data Watch. Press Enter after each value to add another.
Host Field: This is a list of all columns identified in the selected Lookup. Select the Host Field identified above in the dropdown list.
Fill out the rest of the Data Watch as normal and select Apply.
Data Watch Lookup Integration Example
Steven from IT is helping ensure Splunk dashboards stay up to date for each subdivision of Large Corp. Steven knows that some of the data coming from the Palo Alto forwarders belongs to the F&A division of Large Corp., but unfortunately it is in a shared index with other subdivisions. Steven doesn't want to create monitors for an ever-changing list of hosts tied to F&A, especially since IT already has a well-maintained Change Management Database that links Splunk hosts to Large Corp. subdivisions. Luckily for Steven, Atlas Monitor can leverage the CMDB to make monitoring easy!
Large Corp's CMDB, administrative_identity_lookup.csv, is structured like this:
By creating a Data Watch like the one below, Steven is now tracking data from the palo alto index that comes from the 3 hosts belonging to Finance and Accounting. This is incredibly useful because when the CMDB is updated, the Data Watch updates automatically.
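The join that the Host Field, Filter Field and Filter Field Values settings describe above can be made concrete with a small simulation. The following is an added example, not Atlas Monitor's own code or Large Corp's real lookup: the CSV columns (host, subsidiary), the host names and the events are all constructed to match the scenario in Steven's example. It shows which events from a shared index a Data Watch would attribute to Finance and Accounting, what happens when the CMDB is updated, and one check a practitioner wants: which hosts in the index have no CMDB entry at all and therefore silently fall outside every lookup-based Data Watch.

```python
import csv
import io
from collections import Counter

# Constructed stand-in for administrative_identity_lookup.csv (column names are assumptions).
# "host" plays the role of the Host Field, "subsidiary" the role of the Filter Field.
LOOKUP_CSV = """host,subsidiary
pa-fw-01,Finance and Accounting
pa-fw-02,Finance and Accounting
pa-fw-03,Finance and Accounting
pa-fw-04,Marketing
10.0.0.5,Engineering
"""

# Same lookup after a CMDB change: pa-fw-04 has been reassigned to F&A (constructed).
UPDATED_LOOKUP_CSV = LOOKUP_CSV.replace("pa-fw-04,Marketing", "pa-fw-04,Finance and Accounting")

# Constructed events from a shared index; "host" is the value Splunk assigned at index time.
EVENTS = [
    {"index": "palo_alto", "host": "pa-fw-01", "bytes": 1200},
    {"index": "palo_alto", "host": "PA-FW-02", "bytes": 800},   # case differs from the lookup
    {"index": "palo_alto", "host": "pa-fw-03", "bytes": 300},
    {"index": "palo_alto", "host": "pa-fw-04", "bytes": 950},
    {"index": "palo_alto", "host": "pa-fw-09", "bytes": 100},   # not in the CMDB at all
    {"index": "windows", "host": "pa-fw-01", "bytes": 50},      # right host, wrong index
]


def normalize_host(host):
    """Host names are compared case-insensitively here (a design choice of this example)."""
    return host.strip().lower()


def load_lookup(csv_text, host_field, filter_field):
    """Build the Host Field -> Filter Field mapping the Data Watch joins on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize_host(row[host_field]): row[filter_field].strip() for row in reader}


def resolve_hosts(lookup, filter_values):
    """Translate the configured Filter Field Values back into the set of hosts to watch."""
    wanted = set(filter_values)
    return {host for host, value in lookup.items() if value in wanted}


def watch(events, index, lookup, filter_values):
    """Events the Data Watch would count: right index AND host resolved via the lookup."""
    hosts = resolve_hosts(lookup, filter_values)
    return [e for e in events if e["index"] == index and normalize_host(e["host"]) in hosts]


def summarize(matched):
    """Per-host event counts, keyed on the normalized host name."""
    return Counter(normalize_host(e["host"]) for e in matched)


def unmapped_hosts(events, index, lookup):
    """Hosts seen in the index that have no CMDB row: no lookup-based Data Watch covers them."""
    return {normalize_host(e["host"]) for e in events if e["index"] == index} - set(lookup)


if __name__ == "__main__":
    values = ["Finance and Accounting"]
    before = watch(EVENTS, "palo_alto", load_lookup(LOOKUP_CSV, "host", "subsidiary"), values)
    after = watch(EVENTS, "palo_alto", load_lookup(UPDATED_LOOKUP_CSV, "host", "subsidiary"), values)
    print("F&A events before CMDB update:", summarize(before))
    print("F&A events after CMDB update: ", summarize(after))
    print("hosts with no CMDB entry:", unmapped_hosts(EVENTS, "palo_alto", load_lookup(LOOKUP_CSV, "host", "subsidiary")))
```

Two points the run makes visible: the Data Watch never has to name pa-fw-04 for it to start counting once the CMDB row changes, and pa-fw-09 is never attributed to any subsidiary, so reviewing the set of unmapped hosts is the check that keeps a lookup-driven watch from quietly missing data. Whether the real Splunk join is case-sensitive depends on the lookup definition; the normalization here is an assumption of the example.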