Skip to main content
Pure Technical Services

Array Monitoring on Splunk with PureStorage Unified App and TA

Currently viewing public documentation. Please login to access the full scope of documentation.

Overview

Over the years we have seen a very good reception for the PureStorage FlashArray App and Add-on for Splunk as well FlashBlade App and Add-on for Splunk.  As those Apps were developed at different times the input configurations, security, UI, performance optimizations were different between them.  Needless to say, the apps were old and hence missing out on the features offered by the latest Purity versions along with the challenge of varying time frames for the subsequent releases.  To address all these a new Unified App and Add-on has been developed that supports both FlashArray and FlashBlade. 

What is new in the Unified App and Add-on?

  • Combined dashboards for FlashArray and FlashBlade in a single app
    • New dashboards for FlashArray
      • Pod Inventory
      • Volume Group
    • New dashboards for FlashBlade
      • Audits
         
  • The new App and Add-on support Splunk versions from 7.3 to 8.1+ and have Python3 as the default interpreter
  • The Unified Add-on supports FlashArray REST API 1.13 to 1.18 (FA//Purity Version 5.0.0 and above)
  • The Unified Add-on supports FlashBlade REST API 1.0 to 1.11

Topology

The PureStorage Unified App has been distributed in two parts.

  1. The PureStorage Unified Add-on app, which fetches the logs/metrics from FlashArray(s) and/or FlashBlade(s).
  2. The PureStorage Unified App for visualizing the fetched data from FlashArray and FlashBlades.

The app can be set up in two ways:

1) Standalone Mode

Install the Add-on and the app on the same Splunk instance.

2) Distributed Environment
Search Head
  • Install both the Unified App and Add-on.
  • No need to configure the Add-on here.
Indexer
  • If you want to use a custom index to store the data collected from the FlashArray and FlashBlade, define it here.
  • No need to install the App or the Add-on here.
Heavy Forwarder
  • Install and configure the Add-on.  (This instance should have network access to the FlashArray and/or FlashBlade)
  • Do not install the Unified app here.

Note: As the PureStorage Unified Add-on (TA) requires the Splunk Enterprise software, it cannot be installed on the Universal Forwarder.

PureStorage Unified App & Add-on Installation

  1. Download PureStorage Unified Add-on from splunkbase.splunk.com at https://splunkbase.splunk.com/app/5513/ and PureStorage Unified App at https://splunkbase.splunk.com/app/5514/

    clipboard_ea8bbce091545d0ca1ee5af9254d383d6.png
     
  2. The Add-on and app can be installed through Splunk web UI using the "Manage Apps" link from the respective Splunk instance(s) or from the command line using the following commands:​​​​
$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/TA-purestorage-unified.spl/
$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/ps_unified.spl/
  1. Alternatively, the users can directly extract the SPL file into $SPLUNK_HOME/etc/apps/ folder on the respective Splunk instance.

PureStorage Unified Add-on Configuration

Perform the following steps to add data inputs from FlashArrays and/or FlashBlades into Splunk.  The sequence is to configure the account detail(s) for an array  (FlashBlade host address, api-token) followed by the data input definitions as the data input requires the account to connect to.  If you have to configure say three FlashArrays, you should be creating three accounts each one with the connection details and credentials, followed by three data inputs for each one of them.

  1. Click the “PureStorage Unified TA” under the Apps frame on the left side.

    clipboard_e78cd298e4e135db50e4fd375c2ece421.png
     
  2. Click the Configuration tab under the PureStorage Unified TA page.

    clipboard_e7b75b1d2790843da4bbefddd03dfd360.png
  3. Click the Add button on the right side of the page to add a new account.

    clipboard_e2bf0002d25d43099ecd98f858ce9418f.png
     
  4. Enter an account name, select the array type (FlashBlade or FlashArray), Array address (in FQDN or in IP address format), API token for the account that would be used to extract the array log data. 
    1. As Splunk has mandated the connection between the Splunk instance and the array to be encrypted and hence there is no more option of disabling the VERIFY_SSL option. 
      1. This means the FlashArray or FlashBlade that you are connecting to should have a commercial SSL certificate installed and the array address should reflect that name.
      2. If you are not using a commercial SSL certificate rather using the self-signed certificate provided by Pure Storage, please make sure the server address matches the "Common Name" of the digital certificate.  If not, generate a new self-signed certificate with the "Common Name" same as the array address  (FQDN or the IP address) and "Valid To" field set with an expiry date for the certificate.
        Please see this article for more details on how to generate a new self-signed certificate for FlashArray or FlashBlade.
        1. Please add this certificate to $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py3/certifi/cacert.pem file and $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py2/certifi/cacert.pemfile.
           
        2. For adding a certificate on the Splunk Cloud instance, raise a Splunk support ticket.
    2. To get the API token, run the following CLI command on the FlashArray or FlashBlade by connecting over SSH with the account that will be used to connect by the Splunk inputs.
      1. To create the api-token for the very first time
        pureadmin create --api-token
        
      2. To get the existing api-token
        pureadmin list --api-token --expose


        clipboard_e2cf64aa21ae233e9dd55b5114efddb2b.png.       clipboard_e68594b21cb0a64c77ffa04e8019a795a.png
         
    3. Repeat the above steps (3 & 4) for configuring all your FlashArrays and FlashBlades from which you wanted to extract the log details into Splunk.

      clipboard_ee69f47f5ff4d64234496656d32d82f2b.png
  5. Click the Inputs tab to configure a new input for the account that was configured above.

    clipboard_e854610f8fc1dbedbd24e2746771f8af9.png
  6. Click the Create New Input button at the top right.

    clipboard_e864f3e2330c374c5938c393f48cf77ed.png
  7. Enter the details for the new input and press Add.

    1. A unique Name for the data input

    2. Interval in seconds.  The suggested interval is 300 seconds but choose your desired interval to extract information from the array.

    3. Select an index where the log data to be stored.

    4. Select the Account that was created earlier which would be used to connect to the Pure array to extract the logs.

    5. Specify the Start Date from which the array log details (like alerts, audits, performance metrics) to be extracted.  If you want to extract all the available performance metrics, specify an earlier Start Date like the date when the array was installed. 

      clipboard_e312a59ce2fdb9412b59bf71999c66006.png   clipboard_eb35513e3da116ebaadef181c49937e11.png

  8. Repeat the above steps (6 & 7) for configuring the inputs for all your FlashArrays and FlashBlades that were configured earlier.

    clipboard_e7ffa30a3a5a6eecccad5c937832e1f19.png

  9. Splunk should start extracting the log data from the array through the python REST API which will be used by the PureStorage Unified App to show detailed dashboards and context-based drill-down capabilities to help monitor various components of FlashArray and FlashBlade.

PureStorage Unified App for Splunk

Click the “PureStorage Unified App For Splunk” under the Apps frame on the left side to invoke the Unified App.

clipboard_e26b6c5befdd6c78a1680f3d3905ea1fa.png

The “Home” page should show the FlashArray and FlashBlade Overview for the arrays that were configured through data inputs. 

clipboard_e65415db421fd3b3412d9dc33795c68be.png  clipboard_ead0b760246979d5b2625a4e0d10a49a3.png

clipboard_ef59c51abd3fc709b9265680c09d9034e.png clipboard_e3d7c9a648968a9591a23288ba47010ca.png