TrackMe - Splunk Remote Accounts Status Overview majorValue | rangeValue(majorColorEditorConfig)" }, "title": "# Successfully connected Remote Accounts", "type": "splunk.singlevalue" }, "viz_FUEI8OpS": { "options": { "preserveAspectRatio": true, "src": "../../static/app/trackme/icons/trackme.png" }, "type": "splunk.image" }, "viz_K39k1shE": { "context": { "majorColorEditorConfig": [ { "to": 1, "value": "#4fa484" }, { "from": 1, "value": "#e85b79" } ] }, "dataSources": { "primary": "ds_J3Ns07IG" }, "options": { "majorColor": "> majorValue | rangeValue(majorColorEditorConfig)", "trendColor": "#45d4ba" }, "title": "# Failing Remote Accounts", "type": "splunk.singlevalue" }, "viz_chart_1": { "dataSources": { "primary": "ds_VbAZ0by4" }, "options": { "collapseThreshold": 0.01, "labelDisplay": "valuesAndPercentage", "seriesColorsByField": { "failure": "#e85b79", "success": "#45d4ba" }, "showDonutHole": true }, "title": "Remote Accounts Statuses", "type": "splunk.pie" }, "viz_cvPBsXSu": { "context": { "overall_ops_pctColumnFormatEditorConfig": { "number": { "thousandSeparated": false, "unitPosition": "after" } }, "overall_ops_pctRowColorsEditorConfig": [ { "to": 100, "value": "#FE3A3A" }, { "from": 100, "value": "#45d4ba" } ], "statusColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "statusRowColorsEditorConfig": [ { "match": "success", "value": "#45d4ba" }, { "match": "failure", "value": "#e85b79" } ] }, "dataSources": { "primary": "ds_NjWl6NcX" }, "options": { "columnFormat": { "overall_ops_pct": { "data": "> table | seriesByName(\"overall_ops_pct\") | formatByType(overall_ops_pctColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"overall_ops_pct\") | rangeValue(overall_ops_pctRowColorsEditorConfig)" }, "status": { "data": "> table | seriesByName(\"status\") | formatByType(statusColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"status\") | matchValue(statusRowColorsEditorConfig)" } } }, "title": "Detailed Remote Accounts Statuses", "type": "splunk.table" }, "viz_jn3W19To": { "context": { "statusColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "statusRowColorsEditorConfig": [ { "match": "failure", "value": "#e85b79" }, { "match": "success", "value": "#45D4BA" } ] }, "dataSources": { "primary": "ds_I7q4oaTU" }, "options": { "columnFormat": { "status": { "data": "> table | seriesByName(\"status\") | formatByType(statusColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"status\") | matchValue(statusRowColorsEditorConfig)" } } }, "title": "Status by Remote Account", "type": "splunk.table" }, "viz_qdTyM4tG": { "type": "splunk.markdown", "options": { "markdown": "" } }, "viz_FDlLUqfD": { "type": "splunk.markdown", "options": { "markdown": "## About this dashboard:\n\nThis dashboard uses a TrackMe generating custom command `trackmetestremoteaccounts`.\n\nThe command calls internal API endpoints to perform a connectivity and authenticaton verification of the configure Splunk Remote Accounts.\n\nIf a Splunk Remote Account is reported as in failure, this means that it is disconnected for some reasons, review the message to identify the root cause.\n\nConsult our documentation for more information." } }, "viz_e740WEz8": { "context": { "statusColumnFormatEditorConfig": { "string": { "unitPosition": "after" } }, "statusRowColorsEditorConfig": [ { "match": "success", "value": "#45d4ba" }, { "match": "failure", "value": "#e85b79" }, { "match": "disabled", "value": "#A9A9A9" }, { "match": "disabled", "value": "#A9A9A9" }, { "match": "pending", "value": "#f8be44" }, { "match": "late", "value": "#FF964F" }, { "match": "undeterminated", "value": "#F6540B" } ] }, "dataSources": { "primary": "ds_wgCfjkbl" }, "options": { "columnFormat": { "rotation_status": { "data": "> table | seriesByName(\"rotation_status\") | formatByType(statusColumnFormatEditorConfig)", "rowColors": "> table | seriesByName(\"rotation_status\") | matchValue(statusRowColorsEditorConfig)" } } }, "title": "Bearer Tokens Rotation Information", "type": "splunk.table", "description": "TrackMe automatically attempts to rotate bearer tokens for Splunk Remote Accounts, this table shows the key information related to this processus:" }, "viz_reJRiebr": { "type": "splunk.events", "dataSources": { "primary": "ds_iUXUCeKY" }, "title": "Tokens Rotation Logs (past 30 days)", "description": "The processus for the rotation of the Splunk Remote Accounts is orchestrated by the General Health Tracker, which executes daily: (index=_internal sourcetype=trackme:rest_api endpoint=maintain_remote_account)" } }, "dataSources": { "ds_I7q4oaTU": { "name": "accounts_overview", "options": { "extend": "ds_Y4xHTfIQ", "query": "| fields account, status \n| fields - _raw, _time\n| sort 0 account" }, "type": "ds.chain" }, "ds_J3Ns07IG": { "name": "disconnected_accounts", "options": { "extend": "ds_Y4xHTfIQ", "query": "| stats count(eval(status=\"failure\")) as count_disconnected" }, "type": "ds.chain" }, "ds_NjWl6NcX": { "name": "table_tenants", "options": { "extend": "ds_Y4xHTfIQ", "query": "| table account, app_namespace, host, port, status, message, *\n| fields - _raw, _time\n| search status=\"$tk_status$\"\n| rex field=status mode=sed \"s/\\\"success/\\\"🟢 success/g\"\n| rex field=status mode=sed \"s/\\\"failure/\\\"❌ failure/g\"\n| fields $tk_show_allfields$" }, "type": "ds.chain" }, "ds_VbAZ0by4": { "name": "tenants_count_by_status", "options": { "extend": "ds_Y4xHTfIQ", "query": "| stats count by status" }, "type": "ds.chain" }, "ds_Y4xHTfIQ": { "name": "remote_accounts_statuses_main", "options": { "query": "| trackmetestremoteaccounts accounts=*\n``` lookup bearer tokens rotation metadata ```\n| lookup trackme_remote_account_token_expiration account OUTPUT last_message as rotation_last_message, mtime as rotation_mtime, remote_bearer_token_id\n\n``` investigate tokens rotation ```\n| eval token_age_sec=now()-rotation_mtime\n| eval time_since_last_rotation=tostring(round(now()-rotation_mtime), \"duration\")\n| eval rotation_mtime=strftime(rotation_mtime, \"%c %Z\")\n| eval token_max_age_expected_sec=token_rotation_frequency*86400\n| eval rotation_status = case(\ntoken_rotation_enablement!=1, \"disabled\",\ntoken_rotation_enablement=1 AND match(rotation_last_message, \"Bearer token renewal operated at\") AND token_age_sec=token_max_age_expected_sec, \"late\",\ntoken_rotation_enablement=1 AND isnull(remote_bearer_token_id), \"pending\",\n1=1, \"undeterminated\"\n)", "queryParameters": { "earliest": "-5m", "latest": "now" } }, "type": "ds.search" }, "ds_iLucdxbU": { "name": "connected_accounts", "options": { "extend": "ds_Y4xHTfIQ", "query": "| stats count(eval(status=\"success\")) as count_connected" }, "type": "ds.chain" }, "ds_wgCfjkbl": { "type": "ds.chain", "options": { "query": "table account, token_rotation_enablement, token_rotation_frequency, rotation_last_message, rotation_mtime, time_since_last_rotation, rotation_status", "extend": "ds_Y4xHTfIQ" }, "name": "roatation_table_summary" }, "ds_iUXUCeKY": { "type": "ds.search", "options": { "query": "index=_internal sourcetype=trackme:rest_api endpoint=maintain_remote_account", "queryParameters": { "earliest": "-30d@d", "latest": "now" } }, "name": "tokens_rotation_logs" } }, "layout": { "globalInputs": [ "input_TtwBw5Ye", "input_LpXj9z03" ], "layoutDefinitions": { "layout_1": { "options": { "height": 1800, "width": 1920 }, "structure": [ { "item": "viz_chart_1", "position": { "h": 250, "w": 590, "x": 590, "y": 160 }, "type": "block" }, { "item": "viz_jn3W19To", "position": { "h": 250, "w": 570, "x": 1190, "y": 160 }, "type": "block" }, { "item": "viz_K39k1shE", "position": { "h": 120, "w": 570, "x": 10, "y": 290 }, "type": "block" }, { "item": "viz_28VB9M4d", "position": { "h": 120, "w": 570, "x": 10, "y": 160 }, "type": "block" }, { "item": "viz_cvPBsXSu", "position": { "h": 1370, "w": 1750, "x": 10, "y": 420 }, "type": "block" }, { "item": "viz_FUEI8OpS", "position": { "h": 60, "w": 120, "x": 1630, "y": 10 }, "type": "block" }, { "item": "viz_qdTyM4tG", "type": "block", "position": { "x": 0, "y": 1440, "w": 300, "h": 300 } }, { "item": "viz_FDlLUqfD", "type": "block", "position": { "x": 20, "y": 20, "w": 1220, "h": 140 } } ], "type": "absolute" }, "layout_G7KHXSd1": { "type": "grid", "structure": [ { "item": "viz_e740WEz8", "type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 1026 } } ] }, "layout_pjANVB8c": { "type": "grid", "structure": [ { "item": "viz_reJRiebr", "type": "block", "position": { "x": 0, "y": 0, "w": 1200, "h": 900 } } ] } }, "tabs": { "items": [ { "label": "Overview Statuses", "layoutId": "layout_1" }, { "layoutId": "layout_G7KHXSd1", "label": "Token Rotation Statuses" }, { "layoutId": "layout_pjANVB8c", "label": "Token Rotation Logs" } ] } } } ]]>