Improving BigFix integration with Splunk

I found a problem with the Dashboard Pane “Action Result Count By OS (last 30 days)”

The below query returns no results

bigfix_index sourcetype=bigfix:actions | fields stopper time_stopped action_id nt_host action_name start_time end_time issuer status | dedup action_id, nt_host | join nt_host [ search bigfix_index (sourcetype=bigfix:asset:list OR bigfix:clients) | dedup nt_host | fields nt_host operating_system ]| chart count by operating_system

I modified the query to the below and it now returns results. I removed the “OR” condition on the sourcetype so that it is just bigfix:clients.

bigfix_index sourcetype=bigfix:actions | fields stopper time_stopped action_id nt_host action_name start_time end_time issuer status | dedup action_id, nt_host | join nt_host [ search bigfix_index sourcetype=bigfix:clients | dedup nt_host | fields nt_host operating_system ]| chart count by operating_system
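As an added example (not the poster's query and not part of the BigFix TA), here is the same search with the sourcetype filter written out in full. In the first query above, the second alternative inside the parentheses is `bigfix:clients` with no `sourcetype=` in front of it, so SPL reads it as a free-text term to match against raw events rather than as a second sourcetype; spelling both alternatives out keeps the asset-list events in play without that ambiguity. It assumes the same `bigfix_index` macro and the field names used in the posted queries. The second search is an assumed `stats`-based alternative that avoids `join` entirely, on the assumption that each `nt_host` reports a single `operating_system` value.

```spl
bigfix_index sourcetype=bigfix:actions
| fields stopper time_stopped action_id nt_host action_name start_time end_time issuer status
| dedup action_id, nt_host
| join type=inner nt_host
    [ search bigfix_index (sourcetype=bigfix:asset:list OR sourcetype=bigfix:clients)
      | dedup nt_host
      | fields nt_host operating_system ]
| chart count by operating_system

bigfix_index (sourcetype=bigfix:actions OR sourcetype=bigfix:asset:list OR sourcetype=bigfix:clients)
| eval action_key=if(sourcetype="bigfix:actions", action_id, null())
| stats dc(action_key) AS action_count, latest(operating_system) AS operating_system BY nt_host
| where action_count > 0
| stats sum(action_count) AS count BY operating_system
```

The `join` form is the closest to the dashboard's original intent, but the subsearch inside `join` is subject to Splunk's default subsearch limits (50,000 results and 60 seconds), after which it is truncated without an error and the chart silently under-counts; on a large BigFix deployment that is worth checking with `| stats count` on the subsearch alone. The `stats` form counts distinct actions per host in a single pass and then rolls them up by operating system, which is what the dedup-then-chart pipeline computes, and it does not hit the subsearch limits.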

I appreciate the feedback.

If you have more, I urge you to send me a direct message or submit an issue on the GitHub page.

1 Like

Hey Jimmy. I submitted a request to my Splunk team to set this up and they came back to me with this:

“The Bigfix app appears to have been built with a Django dependency for the input and configuration views of this app. . .Django is not supported from Splunk version 7.3 forward. I am unable to open the input and configuration views of this app on Splunk 7.3.2. We are upgrading to Splunk 7.3.2 at the first of the year.”

Can you validate?

The add-on was built using the Splunk Add-on Builder and I haven’t had a chance to test on Splunk 7.3 since its release. I will have to get back to you on that.

All,

I am pleased to announce that thanks to the COVID-19 lockdown and working from home, I made time to complete the scalable version of the BigFix TA. Version 2.0.0 is available.

I would recommend anyone who used the previous version of the TA do a clean installation of the newer version to ensure there aren’t remnants of the older version that could give you trouble. If you run into any issues or have questions, feel free to post them here or open an issue on GitHub.

Happy Splunking!

5 Likes

All,

After many, many weeks, I finally took some time to update the add-on to be compatible with Python 3, which allows for installation and use of the add-on on Splunk Enterprise 8.0+. I encourage any Splunk users to download and collect information using this add-on because, honestly, I need actual QA on large environments so I know if adjustments need to be made to either the Python, the relevance, or both.

I also encourage any feedback or recommendations on new inputs or other information you would want to get from a BigFix deployment.

4 Likes

Hi, how well does BigFix TA scale now?

@TrevorHikes It should scale better now in larger environments but I don’t have any feedback on users who have implemented the current version. On the same token, I haven’t heard anything negative either so I don’t have a firm answer at the moment.

2 Likes

Jimmy, is access to a console account mandatory, or is there a way to ingest raw component logs locally?

The raw component logs are ingestible using a universal forwarder (a sample inputs.conf is included in the TA), but the modular inputs of the TA provide more information than the local client logs do. The local logs show the performance of the clients themselves but not client information, which is what the modular inputs are providing.