Splunk Verification

Updated 3 months ago by Michael Cretzman

Splunk Enterprise enables you to search, analyze, and visualize data gathered from your microservices, websites, and apps. After you define the data source, Splunk Enterprise indexes the data stream and parses it into a series of individual events that you can view and search. Splunk provides a REST API with over 200 endpoints. Developers can programmatically index, search, and visualize data in Splunk from any app.

Once you have integrated Splunk with your microservice or app, you can add a Splunk verification step to your Harness workflows. Harness will then use Splunk to verify the performance and quality of your deployments and apply Harness machine-learning verification analysis to Splunk data.

Verification with Splunk Enterprise

Harness Analysis

Verification Setup Overview

You set up Splunk and Harness in the following way:

  1. Using Splunk integration, you monitor your microservice or application.
  2. In Harness, you connect Harness to your Splunk account, adding Splunk as a Harness Verification Provider.
  3. After you have built and run a successful deployment of your microservice or application in Harness, you add Splunk verification steps to your Harness deployment workflow. You add Splunk after a successful deployment so that Harness can use Splunk on the specific hosts/containers/pods on which the microservice is deployed, using the deployment environment tags or labels that identify the hosts/containers/pods.
  4. Harness uses Splunk to verify your future microservice/application deployments.
  5. Harness Continuous Verification uses unsupervised machine-learning to analyze your deployments and Splunk analytics/logs, discovering events that might be causing your deployments to fail. Then you can use this information to improve your deployments.

Intended Audience

  • Developers
  • DevOps

Before You Begin

Permissions for API Connection

Splunk APIs require that you authenticate with a non-SAML account. To access your Splunk Cloud deployment using the Splunk REST API and SDKs, submit a support case requesting access on the Support Portal. For managed deployments, Splunk Support opens port 8089 for REST access. You can specify a range of IP addresses to control who can access the REST API. For self-service deployments, Splunk Support defines a dedicated user and sends you credentials that enable that user to access the REST API. For information on Splunk self-service accounts, see Using the REST API with Splunk Cloud.

Ensure the Splunk user account used to authenticate Harness with Splunk has the following rest-related capabilities:

  • rest_apps_view
  • rest_properties_get
  • rest_properties_set
  • rest_apps_management

Connect to Splunk

Connect Harness to Splunk to have Harness verify the success of your deployments. Harness will use your tools to verify deployments and use its machine learning features to identify sources of failures.

To add Splunk as a verification provider, do the following:

  1. Click Setup.
  2. Click Connectors.
  3. Click Verification Providers.
  4. Click Add Verification Provider, and select Splunk. The Add Splunk Verification Provider dialog for your provider appears.

The Add Splunk Verification Provider dialog has the following fields.

Field

Description

URL

Enter the URL for accessing the REST API on the Splunk server. Include the port number, in the format https://<deployment-name>.cloud.splunk.com:8089. The default port number is 8089.

The port number is also required for hosted Splunk. For example: https://mycompany.splunkcloud.com:8089.

For more information, see Using the REST API with Splunk Cloud from Splunk.

Username and Password

Enter the account credentials to authenticate with the server. A user role that is not authenticated with SAML is required. You do not need an admin role.

Display Name

Enter a display name for the provider. If you are going to use multiple providers of the same type, ensure you give each provider a different name.

Usage Scope

If you want to restrict the use of a provider to specific applications and environments, do the following:

  1. In Usage Scope, click the drop-down under Applications, and click the name of the application.
  2. In Environments, click the name of the environment.
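
The account and URL requirements above (the four rest-related capabilities, no admin role, and an HTTPS URL with an explicit port) can be checked before the provider is saved. The following is an added example, not Harness or Splunk code: it audits the JSON that Splunk's /services/authentication/current-context endpoint returns for the Harness account. The account name harness_svc, the sample response, and the EXCESSIVE list are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Capabilities the page lists as required for the Harness account.
REQUIRED = {"rest_apps_view", "rest_properties_get",
            "rest_properties_set", "rest_apps_management"}
# Assumption: admin-level Splunk capabilities treated here as excessive,
# because the page states that an admin role is not needed.
EXCESSIVE = {"admin_all_objects", "edit_user", "edit_roles",
             "change_authentication"}


def check_url(url):
    """Return a list of problems with the connector URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not HTTPS: credentials would cross the network in clear text")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port is None:
        problems.append("no valid port: the REST API port (default 8089) must be given")
    if parts.username or parts.password:
        problems.append("credentials embedded in the URL")
    return problems


def check_context(body):
    """Audit a current-context response (output_mode=json) for the account."""
    content = json.loads(body)["entry"][0]["content"]
    caps = set(content.get("capabilities", []))
    return {
        "user": content.get("username"),
        "missing": sorted(REQUIRED - caps),     # verification would fail
        "excessive": sorted(EXCESSIVE & caps),  # more privilege than needed
    }


# Constructed sample response for a hypothetical account "harness_svc".
SAMPLE = json.dumps({"entry": [{"name": "context", "content": {
    "username": "harness_svc", "roles": ["harness_verify"],
    "capabilities": ["search", "rest_apps_view", "rest_properties_get",
                     "rest_properties_set", "edit_user"]}}]})

if __name__ == "__main__":
    print(check_url("http://mycompany.splunkcloud.com"))
    print(check_context(SAMPLE))
```

To audit a real account, pass check_context the body of a GET request to /services/authentication/current-context?output_mode=json made with the Harness account's credentials.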

Verify with Splunk

The following procedure describes how to add Splunk as a verification step in a Harness workflow. For more information about workflows, see Add a Workflow.

Once you run a deployment and Splunk performs verification, Harness' machine-learning verification analysis will assess the risk level of the deployment.

In order to obtain the names of the host(s), pod(s), or container(s) where your service is deployed, the verification provider should be added to your workflow after you have run at least one successful deployment.

To verify your deployment with Splunk, do the following:

  1. Ensure that you have added Splunk as a verification provider, as described above.
  2. In your workflow, under Verify Service, click Add Verification, and then click Splunkv2. The Splunk V2 dialog appears.

The Splunk dialog has the following fields.

Field

Description

Splunk Server

Select the Harness Verification Provider you configured using your Splunk account.

Search Keywords

To search for all exceptions, use asterisks (*) around exception, for example, *exception*. For more information, see Retrieve events from the index from Splunk.

Field name for Host/Container

Typically, you will enter host. You can enter host into the Splunk Search field to see the host for your Harness deployment.

Expression for Host/Container name

See Guide From Example.

Analysis Time duration

Set the duration for the verification step. If a verification step exceeds the value, the workflow Failure Strategy is triggered. For example, if the Failure Strategy is Ignore, then the verification state is marked Failed but the workflow execution continues.

Baseline for Risk Analysis

Select Previous Analysis to have this verification use the previous analysis for a baseline comparison. If your workflow is a Canary workflow type, you can select Canary Analysis to have this verification compare old versions of nodes to new versions of nodes in real-time.

Execute with previous steps

Check this checkbox to run this verification step in parallel with the previous steps in Verify Service.

Guide From Example

In the Splunk verification step dialog, you can see the Guide From Example option next to the Expression for Host/Container name field. This option lets you select the host(s), pod(s), or container(s) for Harness to use when performing verification.

You select the host, pod, or container in Guide From Example, and an expression is added to the Expression for Host/Container name field. The default expression is ${host.hostName}. Typically, you can simply use ${host.hostName}.

In order to obtain the names of the host(s), pod(s), or container(s) where your service is deployed, the verification provider should be added to your workflow after you have run at least one successful deployment. Then the Guide From Example feature can display the host or container name(s) for you to select.

To ensure that you pick the right name when using Guide From Example, you can use a host name in Splunk as a guide.

To use Guide From Example for a host or container name expression, do the following:

  1. In Splunk, click App: Search & Reporting, and then click Search & Reporting.
  2. In Search, enter host to see a list of the available hosts being tracked.
  3. Click the name of your host to add it to the search, select a date range, and click the search icon. The event log entries for the host appear.


    The name of the host can be seen in the event message, next to host =. The expression that you provide in the Expression for Host/Container Name field in the Harness Splunk dialog should evaluate to the name here.
  4. In your Harness workflow Splunk dialog, click Guide From Example. The Expression for Host Name popover appears.


    The dialog shows the service, environment, and service infrastructure used for this workflow.
  5. In Host, click the name of the host to use when testing verification. Match the hostname from the Splunk Search to the hostname in the Expression for Host Name popover.
  6. Click SUBMIT. The YAML for the host appears. Look for the host section.

    You want to use a hostName label in the host section. Do not use a hostName label outside of that section.
  7. Click the hostName label. The variable name is added to the Expression for Host/Container name field.
  8. At the bottom of the Splunk dialog, click TEST. A new Expression for Host Name popover appears.
  9. In Host, select the same host you selected last time, and then click RUN. Verification information for the host is found. If there is no verification data for the selected node, the test will display connection information only.
  10. Click back in the Splunk dialog and click SUBMIT. The Splunk verification step is added to your workflow.

Verification Results

Once you have deployed your workflow (or pipeline) using the Splunk verification step, you can automatically verify app performance across your deployment. For more information, see Add a Workflow and Add a Pipeline.

Workflow Verification

After you add the Splunk verification step to your workflow, the next time you deploy the workflow you will see the Splunk verification step running.

To see the results of Harness machine-learning evaluation of your Splunk verification, in your workflow or pipeline deployment you can expand the Verify Service step and then click the Splunk step.

Continuous Verification

You can also see the evaluation in the Continuous Verification dashboard. The workflow verification view is for the DevOps user who developed the workflow. The Continuous Verification dashboard is where all future deployments are displayed for developers and others interested in deployment analysis.

To learn about the verification analysis features, see the following sections.

Deployments

Deployment info
See the verification analysis for each deployment, with information on its service, environment, pipeline, and workflows.

Verification phases and providers
See the verification phases for each verification provider. Click each provider for logs and analysis.

Verification timeline
See when each deployment and verification was performed.

Transaction Analysis

Execution details
See the details of verification execution. Total is the total time the verification step took, and Analysis duration is how long the analysis took.

Risk level analysis
Get an overall risk level and view the cluster chart to see events.

Transaction-level summary
See a summary of each transaction with the query string, error values comparison, and a risk analysis summary.

Execution Analysis

Event type
Filter cluster chart events by Unknown Event, Unexpected Frequency, Anticipated Event, Baseline Event, and Ignore Event.

Cluster chart
View the chart to see how the selected events contrast. Click each event to see its log details.

Event Management

Event-level analysis
See the threat level for each event captured.

Tune event capture
Remove events from analysis at the service, workflow, execution, or overall level.

Event distribution
Click the chart icon to see an event distribution including the measured data, baseline data, and event frequency.
