Using the Knowledge Store on Cisco Observability Platform

Build customized observability options

Cisco Observability Platform (COP) allows developers to build custom observability solutions that deliver useful insights across their technology and business stack. While storage and query of Metric, Event, Log, and Trace (MELT) data is a key platform capability, the Knowledge Store (KS) allows solutions to define and manage domain-specific business data. This is a key enabler of differentiated solutions. For example, a solution could use Health Rules and FMM entity modeling to detect network intrusions. Using the Knowledge Store, the solution could bring a concept such as "Investigation" to the platform, allowing its users to create and manage the entire lifecycle of a network intrusion investigation, from creation to remediation.

In this blog post we will teach the nuts and bolts of adding a knowledge model to a Cisco Observability Platform (COP) solution, using the example of a network security investigation. The post makes frequent use of the fsoc command to provide hands-on examples. If you are not familiar with fsoc, you can review its readme.

First, let's quickly review the COP architecture to understand where the Knowledge Store fits in. The Knowledge Store is the distributed "brain" of the platform. It is an advanced JSON document store that supports solution-defined Types and cross-object references. In the diagram below, the Knowledge Store is shown "connected" by arrows to the other components of the platform. This is because all components of the platform store their configurations in the Knowledge Store. The Knowledge Store has no built-in Types for these components. Instead, each component of the platform uses a system solution to define the knowledge Types that describe its own configuration. In this sense, even internal components of the platform are solutions that depend on the Knowledge Store. For this reason, the Knowledge Store is the most critical component of the platform: nothing else can function without it.

For a more detailed understanding of the Knowledge Store, think of it as a database that has layers. The SOLUTION layer is replicated globally across Cells. This makes the SOLUTION layer suitable for relatively small pieces of data that need to be shared globally. Any objects placed inside a solution package must be made available to subscribers in all cells, so they are placed in the replicated SOLUTION layer.

Figure: Solution Level Schema

Get a step-by-step information

From this point we will switch to hands-on mode and invite you to run 'git clone git@github.com:geoffhendrey/cop-examples.git'. After cloning the repo, take a look at https://github.com/geoffhendrey/cop-examples/blob/main/example/knowledge-store-investigation/README.md, which presents a detailed step-by-step guide on how to define a network intrusion Type in the JSON store and how to populate it with a set of default values for an investigation. Shown below is an example of a malware investigation that can be stored in the Knowledge Store.

Figure: Malware Investigation

The important thing to understand is that prior to the creation of the 'investigation' Type, which is taught in the git repo above, the platform had no concept of an investigation. Knowledge modeling is therefore a foundational capability that allows solutions to extend the platform. As you can see from the example investigation shown, a solution can bring the capability to report, investigate, remediate, and close a malware incident.

If you cloned the git repo and followed along with the README, then you already know the key points taught by the 'investigation' example:

  1. The Knowledge Store is a JSON document store
  2. A solution package can define a Type, which is akin to adding a table to a database
  3. A Type must specify a JSON schema for its allowed content
  4. A Type must also specify which document fields uniquely identify documents/objects in the store
  5. A solution can include objects, which may be of a Type defined in that solution, or of a Type defined by some other solution
  6. Objects included in a solution are replicated globally across all cells in the Cisco Observability Platform
  7. A solution including Types and objects can be published with the fsoc command line utility
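To make points 1 through 5 concrete, here is an added example (written for this post, not code from Cisco Observability Platform, fsoc, or the cop-examples repo) of a toy in-memory store that applies the same rules: a Type carries a JSON schema and a list of identifying fields, and an object is accepted only if its Type has been defined and the document satisfies that schema. The Type-definition keys (name, identifyingProperties, jsonSchema), the investigation fields, and the sample object are assumptions for illustration and do not reproduce the platform's real format or API.

```python
"""Toy model of the Knowledge Store rules listed above (added example; not code from
Cisco Observability Platform, fsoc or the cop-examples repo). The Type-definition keys
(name, identifyingProperties, jsonSchema) and the investigation fields are assumptions."""
from __future__ import annotations
from typing import Any

JSON_TYPES = {"object": dict, "array": list, "string": str,
              "integer": int, "number": (int, float), "boolean": bool}

# Assumed Type definition for a network-intrusion investigation (points 2-4 above).
INVESTIGATION_TYPE = {
    "name": "investigation",
    "identifyingProperties": ["/name"],   # JSON Pointers acting like a primary key
    "jsonSchema": {
        "type": "object",
        "required": ["name", "status", "severity"],
        "properties": {
            "name": {"type": "string"},
            "status": {"type": "string",
                       "enum": ["reported", "investigating", "remediating", "closed"]},
            "severity": {"type": "string", "enum": ["low", "medium", "high", "critical"]},
            "indicators": {"type": "array", "items": {"type": "string"}},
        },
        "additionalProperties": False,
    },
}


def schema_errors(schema: dict, doc: Any, path: str = "") -> list[str]:
    """Check `doc` against the JSON Schema subset used here: type, enum, required,
    properties, additionalProperties, items. An empty list means the document is valid."""
    where = path or "/"
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(doc, JSON_TYPES[expected])
        if expected in ("integer", "number") and isinstance(doc, bool):
            ok = False                      # bool is an int in Python, not in JSON
        if not ok:
            return [f"{where}: expected {expected}"]
    errs: list[str] = []
    if "enum" in schema and doc not in schema["enum"]:
        errs.append(f"{where}: {doc!r} not one of {schema['enum']}")
    if isinstance(doc, dict):
        for key in schema.get("required", []):
            if key not in doc:
                errs.append(f"{path}/{key}: required property missing")
        props = schema.get("properties", {})
        for key, value in doc.items():
            if key in props:
                errs += schema_errors(props[key], value, f"{path}/{key}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}/{key}: property not allowed by schema")
    if isinstance(doc, list) and "items" in schema:
        for i, item in enumerate(doc):
            errs += schema_errors(schema["items"], item, f"{path}/{i}")
    return errs


def object_identity(type_def: dict, doc: dict) -> tuple:
    """Resolve each identifying property (a JSON Pointer such as "/name") to its value."""
    key = []
    for pointer in type_def["identifyingProperties"]:
        node = doc
        for part in pointer.strip("/").split("/"):
            if not isinstance(node, dict) or part not in node:
                raise ValueError(f"identifying property {pointer} missing from object")
            node = node[part]
        key.append(node)
    return tuple(key)


class KnowledgeStore:
    """In-memory stand-in: Types first, then objects that satisfy their Type's schema."""
    def __init__(self) -> None:
        self.types: dict[str, dict] = {}
        self.objects: dict[tuple, dict] = {}     # (type name, identity) -> document

    def define_type(self, type_def: dict) -> None:
        self.types[type_def["name"]] = type_def

    def put(self, type_name: str, doc: dict) -> tuple:
        if type_name not in self.types:
            raise KeyError(f"no Type named {type_name!r}: the store has no built-in notion of it")
        type_def = self.types[type_name]
        errs = schema_errors(type_def["jsonSchema"], doc)
        if errs:
            raise ValueError("; ".join(errs))
        key = (type_name, object_identity(type_def, doc))
        self.objects[key] = doc                  # same identity overwrites, like a keyed row
        return key

    def get(self, type_name: str, *identity: Any):
        return self.objects.get((type_name, tuple(identity)))


def demo() -> dict:
    """Define the Type, store a constructed default investigation (as a solution package
    might ship it), then advance its lifecycle state by writing the same identity again."""
    ks = KnowledgeStore()
    ks.define_type(INVESTIGATION_TYPE)
    base = {"name": "malware-2024-0001", "severity": "high", "indicators": ["198.51.100.7"]}
    ks.put("investigation", {**base, "status": "reported"})
    ks.put("investigation", {**base, "status": "investigating"})   # update, not a new row
    assert len(ks.objects) == 1
    return ks.get("investigation", "malware-2024-0001")
```

Running demo() shows the two properties that matter for point 4: a write whose identifying field matches an existing object replaces that object rather than creating a second one, and a document that fails the schema (an unknown status, an extra field, or a missing required field) is refused before it is keyed. The real store performs its checks server-side when a solution is pushed; this model only puts them in one place so the table analogy in point 2 is visible.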

Provide worth and context on high of MELT information

Cisco Observability Platform allows solution developers to bring powerful, domain-specific knowledge models to the platform. Knowledge models allow solutions to provide value and context on top of MELT data. This capability is unique to COP. Look for future blogs where we will explore how to access objects at runtime, using fsoc and the underlying REST APIs. We will also explore advanced topics such as how to generate knowledge objects from workflows that can be triggered by platform health rules, or by triggers within the data ingestion pipeline.

Find associated assets

Learn more about Cisco Full-Stack Observability and explore developer resources for:

  • Infrastructure Monitoring
  • Application Monitoring
  • Application Security
  • Digital Experience Monitoring
