Synchronize your Rumble inventory with Splunk

Rumble offers an add-on for Splunk 8 and Splunk Cloud that lets you synchronize your asset inventory with, you guessed it, Splunk. Yay, more data for Splunk to search and report on. With this add-on, you’ll be able to pull new or updated hosts into a Splunk index, where you can analyze, visualize, and monitor them.

This add-on uses the Asset Sync API from the Rumble Network Discovery platform. It supports syncing assets into Splunk, with multiple inputs supported, global API key management, and optional search filters for each input. For example, you can track new assets as one input, and SMBv1 enabled assets as another input.

To set up this add-on, you’ll need an Export API or Organization API key, which you can generate from your Organization page in the Rumble Console.

Get the Rumble add-on for Splunk

  1. Log in to Splunk.
  2. Go to Find More Apps.
  3. Search for Rumble Network Discovery.
  4. Install the add-on for Rumble.
  5. Splunk will prompt you to log in again. After you log back in, the add-on will be installed and you’ll be able to open the Rumble Asset Sync app. Splunk might also prompt you to restart your server.

Asset sync modes

Two asset sync modes are available: New Assets Only and All Updated Assets. You can export asset inventory that contains newly discovered assets or updated assets, since the last poll, in a sync-friendly format for Splunk. You can leverage the same capabilities from the Asset Sync API to pull data in Splunk, such as search filters, fields, and time-based checkpoints.

Once data is pulled into Splunk, you can create Splunk inputs with filters. This lets you sync only the assets that match a given protocol, discovery date, or open service.
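As an added illustration of how the two sync modes, search filters, field selection, and time-based checkpoints fit together, here is example code written for this page (not the add-on's or Rumble's own code). The asset field names (`first_seen`, `updated_at`, `attributes`), the `smb.v1` attribute, and the sample inventory are constructed assumptions, not Rumble's real schema.

```python
# Added example: a checkpoint-driven asset sync modelled on the two modes
# described above. Field names and sample assets are constructed for
# illustration and do not reflect the real Asset Sync API schema.

# Constructed inventory snapshot; timestamps are UTC epoch seconds.
SAMPLE_ASSETS = [
    {"id": "a1", "addresses": ["10.0.0.5"], "first_seen": 1000, "updated_at": 1000,
     "attributes": {"smb.v1": "enabled"}},
    {"id": "a2", "addresses": ["10.0.0.6"], "first_seen": 500, "updated_at": 1200,
     "attributes": {"smb.v1": "disabled"}},
    {"id": "a3", "addresses": ["10.0.0.7"], "first_seen": 1300, "updated_at": 1300,
     "attributes": {}},
]


def sync_assets(assets, checkpoint, mode="new", search=None, fields=None):
    """Return (records, new_checkpoint) for one poll against an inventory.

    mode:    "new"     -> New Assets Only (first_seen after the checkpoint)
             "updated" -> All Updated Assets (updated_at after the checkpoint)
    search:  optional predicate over an asset, standing in for a saved search filter
    fields:  optional whitelist of top-level keys to emit (None = all fields)
    """
    if mode not in ("new", "updated"):
        raise ValueError("mode must be 'new' or 'updated'")
    key = "first_seen" if mode == "new" else "updated_at"
    records = []
    newest = checkpoint
    for asset in assets:
        if asset[key] <= checkpoint:
            continue  # already delivered by an earlier poll
        if search is not None and not search(asset):
            continue  # does not match this input's filter
        newest = max(newest, asset[key])
        record = {k: v for k, v in asset.items() if fields is None or k in fields}
        record["sync_time"] = asset[key]  # the timestamp the checkpoint advances on
        records.append(record)
    return records, newest


def smbv1_enabled(asset):
    """Constructed filter: select assets whose SMBv1 attribute is enabled."""
    return asset.get("attributes", {}).get("smb.v1") == "enabled"


if __name__ == "__main__":
    # Two consecutive polls of one "SMBv1 enabled" input: the second poll,
    # starting from the returned checkpoint, yields nothing new.
    first, cp = sync_assets(SAMPLE_ASSETS, 0, mode="new", search=smbv1_enabled)
    second, _ = sync_assets(SAMPLE_ASSETS, cp, mode="new", search=smbv1_enabled)
    print(len(first), "new SMBv1 assets, then", len(second), "on the next poll")
```

Each Splunk input would persist its own checkpoint between polls, which is what keeps the index from receiving the same asset twice.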