Array Monitoring on Splunk with PureStorage Unified App and TA

Overview

Over the years we have seen a very good reception for the PureStorage FlashArray App and Add-on for Splunk as well FlashBlade App and Add-on for Splunk.  As those Apps were developed at different times the input configurations, security, UI, performance optimizations were different between them.  Needless to say, the apps were old and hence missing out on the features offered by the latest Purity versions along with the challenge of varying time frames for the subsequent releases.  To address all these a new Unified App and Add-on has been developed that supports both FlashArray and FlashBlade. 

PureStorage Unified App & Add-on Installation

1. Download PureStorage Unified Add-on from splunkbase.splunk.com at https://splunkbase.splunk.com/app/5513/ and PureStorage Unified App at https://splunkbase.splunk.com/app/5514/
   
   
    
2. The Add-on and app can be installed through Splunk web UI using the "Manage Apps" link from the respective Splunk instance(s) or from the command line using the following commands:​​​​

$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/TA-purestorage-unified.spl/

$SPLUNK_HOME/bin/splunk install app $PATH_TO_SPL/ps_unified.spl/

3. Alternatively, the users can directly extract the SPL file into $SPLUNK_HOME/etc/apps/ folder on the respective Splunk instance.

PureStorage Unified Add-on Configuration

Perform the following steps to add data inputs from FlashArrays and/or FlashBlades into Splunk.  The sequence is to configure the account detail(s) for an array  (FlashBlade host address, api-token) followed by the data input definitions as the data input requires the account to connect to.  If you have to configure say three FlashArrays, you should be creating three accounts each one with the connection details and credentials, followed by three data inputs for each one of them.

1. Click the “PureStorage Unified TA” under the Apps frame on the left side.
   
   
    
2. Click the Configuration tab under the PureStorage Unified TA page.
   
   
3. Click the Add button on the right side of the page to add a new account.
   
   
    
4. Enter an account name, select the array type (FlashBlade or FlashArray), Array address (in FQDN or in IP address format), API token for the account that would be used to extract the array log data. 
   1. As Splunk has mandated the connection between the Splunk instance and the array to be encrypted and hence there is no more option of disabling the VERIFY_SSL option. 
      1. This means the FlashArray or FlashBlade that you are connecting to should have a commercial SSL certificate installed and the array address should reflect that name.
      2. If you are not using a commercial SSL certificate rather using the self-signed certificate provided by Pure Storage, please make sure the server address matches the "Common Name" of the digital certificate.  If not, generate a new self-signed certificate with the "Common Name" same as the array address  (FQDN or the IP address) and "Valid To" field set with an expiry date for the certificate.
         Please see this article for more details on how to generate a new self-signed certificate for FlashArray or FlashBlade.
         1. Please add this certificate to $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py3/certifi/cacert.pem file and $SPLUNK_HOME/etc/apps/TA-purestorage-unified/bin/ta_purestorage_unified/aob_py2/certifi/cacert.pemfile.
             
         2. For adding a certificate on the Splunk Cloud instance, raise a Splunk support ticket.
   2. To get the API token, run the following CLI command on the FlashArray or FlashBlade by connecting over SSH with the account that will be used to connect by the Splunk inputs.
      1. To create the api-token for the very first time

         pureadmin create --api-token
         

      2. To get the existing api-token

         pureadmin list --api-token --expose

         
         
         .       
          
   3. Repeat the above steps (3 & 4) for configuring all your FlashArrays and FlashBlades from which you wanted to extract the log details into Splunk.
      
      
5. Click the Inputs tab to configure a new input for the account that was configured above.
   
   
6. Click the Create New Input button at the top right.
   
   

7. Enter the details for the new input and press Add.

   1. A unique Name for the data input

   2. Interval in seconds.  The suggested interval is 300 seconds but choose your desired interval to extract information from the array.

   3. Select an index where the log data to be stored.

   4. Select the Account that was created earlier which would be used to connect to the Pure array to extract the logs.

   5. Specify the Start Date from which the array log details (like alerts, audits, performance metrics) to be extracted.  If you want to extract all the available performance metrics, specify an earlier Start Date like the date when the array was installed. 
      
         

8. Repeat the above steps (6 & 7) for configuring the inputs for all your FlashArrays and FlashBlades that were configured earlier.
   
   

9. Splunk should start extracting the log data from the array through the python REST API which will be used by the PureStorage Unified App to show detailed dashboards and context-based drill-down capabilities to help monitor various components of FlashArray and FlashBlade.

PureStorage Unified App for Splunk

Click the “PureStorage Unified App For Splunk” under the Apps frame on the left side to invoke the Unified App.

The “Home” page should show the FlashArray and FlashBlade Overview for the arrays that were configured through data inputs.