01-29-2018 01:46 PM
We have an extensive Splunk infrastructure already, and I'm told that in cases like ours, we can utilize the Data Connector v2.0 VM along with the Splunk Add-in for Infoblox, and that the Reporting Server is not needed.
So, I'm looking at the deployment guide for the Data Connector, and there seems to be some information missing.
Deployment Guide doesn't really mention the Splunk Add-In.
Deployment guide doesn't seem to understand indexer clustering. Is it even supported?
I'm not even sure if we need the Data Connector or the Splunk Add-in for Infoblox, as we already have some indices built for Infoblox. Basically I want to compare the two solutions.
In our current Splunk implementation we have an index called named-syslog-messages which accounts for approximately 25% of our daily volume in Splunk. The data in this index appear to be the results of queries against our internal, external, and recursive DMZ DNS servers. There is only one sourcetype in this index. We have a number of views, and ~130K RPZ records in a blacklist.
We have another index called infoblox-dhcp. It appears to contain raw DHCP message types as well as individual lease messages, and DDNS mappings. I'd like to get to a dashboard of sorts that shows subnet utilization in a graphical format, top tens, etc. This index is less than 1% of our typical volume.
I'm not really familiar with the Reporting Server, so I don't know what it's capable of, or even if the Data Connector along with the Splunk Add-In for Infoblox is a reasonable facsimile of it.
I do know I can't justify running both my current indices AND the Data Connector, because of the way Splunk is licensed.
02-05-2018 09:24 AM
Hi. Could you shed some light on the Splunk Add-in? Is it an Infoblox product? Thanks.
Philip Qian | Senior Product Manager, Security | Email: firstname.lastname@example.org
02-05-2018 11:05 AM
The Splunk add-on is built by Splunk and is completely different from Infoblox's own Reporting and Analytics. They use different data models. It sounds like you're already sending and indexing Infoblox syslog data to your non-Infoblox Splunk instance, so the Splunk add-on will only duplicate that. Infoblox Reporting and Analytics differs from the Splunk add-on in that:
- It's delivered in an easy to deploy appliance model.
- It's tightly integrated with the grid and has data that is not available through the syslog-based approach. Infoblox also provides documentation on the data model.
- Infoblox provides patented DDI-specific predictive algorithms.
- Infoblox provides over 100 reports out of the box that span not only the core DDI products, but also the other areas of the Infoblox portfolio (security, network management, etc.).
- This community, which has well over 50 high-value reports and dashboards contributed.
The Data Connector can work with both Infoblox Reporting and Analytics and non-Infoblox Splunk instances, and is used for distributing query log data to both.
Hope that helps!