Create Token
Open Settings -> Tokens and press New Token
Fill out the questions and press "Create".
- User: uxmapp_wsgi
- Audience: Export of UXM data
- Expiry date: +3y
Copy the generated token and save it; it must be added to the custom PowerShell script later in this guide.
Ensure REST service port is accessible
By default Splunk hosts its REST API on port 8089. This port can be opened up, or a reverse proxy can be set up to forward the requests to the local port.
UXM Cloud: please contact us to get the reverse proxy set up.
NGINX reverse proxy example that only exposes the search export endpoint of uxmapp (every other REST path stays unreachable from outside):
location /servicesNS/nobody/uxmapp/search/jobs/export {
    proxy_pass_request_headers on;
    proxy_set_header x-real-IP $remote_addr;
    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    proxy_set_header host $host;
    proxy_pass https://10.132.0.66:8089/servicesNS/nobody/uxmapp/search/jobs/export;
}
Create report
Go to Settings -> "Searches, reports and alerts" and create a new report, or enable one of the existing "Export - *" reports.
Example SPL that queries endpoint nodes and their scores. union is used to merge the KV Store and metric store data (join is avoided because it is limited to 50,000 rows):
| union
    [| inputlookup ux_nodes_lookup | fields *]
    [| mstats latest(uxm.endpoint.score.avg) AS score_avg,
              latest(uxm.endpoint.score.latency) AS score_latency,
              latest(uxm.endpoint.score.processor_time) AS score_cpu,
              latest(uxm.endpoint.score.memory_usage) AS score_memory_usage,
              latest(uxm.endpoint.score.disk_os_usage) AS score_disk_os_usage,
              latest(uxm.endpoint.score.logon_duration) AS score_logon_duration
       WHERE `getIndexMetrics` BY lookup_key]
| stats last(active_user) AS "active_user", last(active_username) AS "active_username",
        last(batteries) AS "batteries", last(battery_device_name) AS "battery_device_name",
        last(battery_manufacturer_name) AS "battery_manufacturer_name", last(battery_serial_number) AS "battery_serial_number",
        last(battery_wear_level) AS "battery_wear_level", last(browsers) AS "browsers",
        last(chassis_sku_number) AS "chassis_sku_number", last(city) AS "city",
        last(connection_type) AS "connection_type", last(country) AS "country", last(country_name) AS "country_name",
        last(cpu_clock_frequency) AS "cpu_clock_frequency", last(cpu_cores) AS "cpu_cores",
        last(cpu_generation) AS "cpu_generation", last(cpu_logical_processors) AS "cpu_logical_processors",
        last(cpu_model) AS "cpu_model", last(cpu_sockets) AS "cpu_sockets",
        last(dns) AS "dns", last(domain) AS "domain", last(enabled) AS "enabled", last(hostname) AS "hostname",
        last(identifying_number) AS "identifying_number", last(internal_ip) AS "internal_ip",
        last(internal_mac_address) AS "internal_mac_address", last(is_64bit) AS "is_64bit",
        last(last_boottime) AS "last_boottime", last(last_logon) AS "last_logon",
        last(last_registration) AS "last_registration", last(location) AS "location",
        last(log_files_requested) AS "log_files_requested", last(machine_uuid) AS "machine_uuid",
        last(manufacturer) AS "manufacturer", last(memory_mb) AS "memory_mb", last(model) AS "model",
        last(os) AS "os", last(os_codename) AS "os_codename", last(os_edition) AS "os_edition",
        last(os_service_pack) AS "os_service_pack", last(os_version) AS "os_version",
        last(powerplan) AS "powerplan", last(powerplan_description) AS "powerplan_description",
        last(powerplan_instance_id) AS "powerplan_instance_id", last(product_caption) AS "product_caption",
        last(product_name) AS "product_name", last(product_uuid) AS "product_uuid",
        last(product_version) AS "product_version", last(proxy) AS "proxy", last(public_ip) AS "public_ip",
        last(release_id) AS "release_id", last(tags) AS "tags", last(type) AS "type",
        last(vendor) AS "vendor", last(version) AS "version",
        last(warranty_end) AS "warranty_end", last(warranty_start) AS "warranty_start",
        avg(score_avg) AS score_avg, avg(score_cpu) AS score_cpu,
        avg(score_memory_usage) AS score_memory_usage, avg(score_disk_os_usage) AS score_disk_os_usage,
        avg(score_logon_duration) AS score_logon_duration
  by lookup_key
| fillnull value=10 score_avg
PowerShell example to fetch data
Create file export_endpoint_info.ps1 and add the following code:
Update values:
- server: Server to query data from
- searchName: Saved search to execute and return data from.
- token: Token created at the beginning of this guide.
# This will allow for self-signed SSL certs to work.
# Note: the callback below accepts every certificate, so it also removes the protection
# against a forged server certificate; keep it only while the server uses a self-signed cert.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$server = "customername.uxmapp.com"
$searchName = "Export - Endpoint nodes"
$appName = "uxmapp"
$token = "eyJraWQ...OYmg"   # token created in the first step of this guide
$headers = @{ Authorization = "Bearer $token" }

$url = "https://${server}/servicesNS/nobody/$appName/search/jobs/export"
$search = "| savedsearch ""$searchName"""

Write-Host "Fetching data from $url"
$body = @{
    search = $search
    output_mode = "csv"        # json or csv
    earliest_time = "-7d@d"
    latest_time = "now"
}
Invoke-RestMethod -ContentType application/json -Method Post -Uri $url -Body $body -Headers $headers -TimeoutSec 60
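A hardened variant of the script above, added here as an example (it is not the guide's own script): it keeps the token out of the file and pins the server certificate's thumbprint instead of accepting any certificate, then writes the exported rows to a CSV file. The environment variable UXM_EXPORT_TOKEN, the PinnedCert helper class and the thumbprint value are assumptions and placeholders, not values from this guide.

```powershell
# Added example, not part of the original guide: hardened variant of export_endpoint_info.ps1.
# Assumptions (placeholders): the token is read from the environment variable UXM_EXPORT_TOKEN,
# and $expectedThumbprint is the SHA-1 thumbprint of the server's self-signed certificate,
# obtained from the server operator rather than from the network.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12

$server             = "customername.uxmapp.com"
$appName            = "uxmapp"
$searchName         = "Export - Endpoint nodes"
$outFile            = "endpoint_nodes.csv"
$expectedThumbprint = "0000000000000000000000000000000000000000"   # placeholder

# Keep the token out of the script file; fail early if it is missing.
$token = $env:UXM_EXPORT_TOKEN
if ([string]::IsNullOrWhiteSpace($token)) { throw "UXM_EXPORT_TOKEN is not set" }

# Pin the expected certificate instead of accepting everything with { $true }:
# a certificate that passes normal validation is fine, and so is the one self-signed
# certificate we expect; anything else (including a forged one) fails the TLS handshake.
if (-not ("PinnedCert" -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCert {
    public static void Install(string thumbprint) {
        ServicePointManager.ServerCertificateValidationCallback =
            (sender, cert, chain, errors) =>
                errors == SslPolicyErrors.None ||
                (cert != null && string.Equals(cert.GetCertHashString(), thumbprint,
                                               StringComparison.OrdinalIgnoreCase));
    }
}
"@
}
[PinnedCert]::Install($expectedThumbprint)

$url     = "https://${server}/servicesNS/nobody/$appName/search/jobs/export"
$headers = @{ Authorization = "Bearer $token" }
$body    = @{ search = "| savedsearch ""$searchName"""; output_mode = "csv"
              earliest_time = "-7d@d"; latest_time = "now" }

# A hashtable body is sent as form fields; the CSV response comes back as one string.
$csv  = Invoke-RestMethod -Method Post -Uri $url -Headers $headers -Body $body `
            -ContentType "application/x-www-form-urlencoded" -TimeoutSec 60
$rows = $csv | ConvertFrom-Csv
$rows | Export-Csv -Path $outFile -NoTypeInformation
Write-Host ("Exported {0} endpoint rows to {1}" -f $rows.Count, $outFile)
```

Run it with the token in the environment (for example `$env:UXM_EXPORT_TOKEN = '<token>'` in the same session) and the real certificate thumbprint filled in; a thumbprint mismatch surfaces as a failed TLS connection rather than as exported data.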