Schedule a horizontal discovery

  • Release version: Washingtondc
  • Updated January 30, 2025
  • 17 minutes to read

    • A discovery schedule determines what horizontal discovery searches for, when it runs, and which MID Servers are used. Create a discovery schedule for your local environment or a schedule for discovering the resources in your cloud service account.

    Before you begin

    Ensure that your discovery schedule conforms to security best practices, such as limiting the range of discovery targets and using the most secure credentials.

    Make sure to test your credentials before you run a schedule. Bad credentials are a leading cause of failed discoveries.

    Roles required: discovery_admin or admin

    About this task

    You can use a discovery schedule to launch horizontal discovery, which uses probes, sensors, and pattern operations to scan your network for CIs. Use this procedure to create a schedule manually from the Discovery Schedules form.

    Service Mapping also provides a discovery schedule for top-down discovery. See Schedule a top-down discovery by Service Mapping for more information.

    Use the Discovery Schedules module in the Discovery application to:
    • Configure a schedule to discover resources in your cloud service account.
    • Configure a schedule to discover certificates from URL scans.
    • Configure device identification by IP address or other identifiers.
    • Determine if credentials are used in device probes.
    • Name the MID Server to use for a particular type of discovery.
    • Create or disable a schedule that controls when the discovery runs in your network.
    • Configure the use of multiple Shazzam probes for load balancing.
    • Configure the use of multiple MID Servers for load balancing.
    • Run a discovery schedule manually.
    • Run a discovery on a single IP address.
    Note:
    To view the run-results of your schedules for both IP-based and Cloud Discovery, use the summaries on the Discovery Home page. The Home page publishes the details of any errors that might have occurred and displays possible actions to take to remediate problems.

    Procedure

    1. Navigate to All > Discovery > Discovery Schedules to create a new record.
    2. Select the type of schedule to open:
      • New: Creates a new horizontal schedule for discovering components in your network.
      • Quick Discovery: Runs a horizontal discovery on a single IP address without requiring a schedule.
      • Create a Cloud Discovery schedule: Creates a schedule, using the Discovery Manager wizard, for discovering resources in a cloud service account.
    3. Complete the discovery schedule form, using the fields in the table.
    4. Right-click in the header of the record and select Save from the context menu.
    5. To create a range of IP addresses to discover, click Quick Ranges under Related Links.
      Note:
      To improve security, limit the range of discovery targets to exclude unnecessary networks and devices.
      Figure 1. Discovery Schedule
      Discovery Schedule form
      Table 1. Discovery Schedule Form
      Field Description
      Name Enter a unique, descriptive name for your schedule.
      Discover Select one of the following scan types:
      • Configuration items: Uses Discovery identifiers to match devices with CIs in the CMDB and update the CMDB appropriately. Perform a simple discovery by selecting a specific MID Server to scan for all protocols (SSH, WMI, and SNMP). Or, perform advanced discoveries with discovery behaviors. When you select a behavior, the MID Server field is not available.
        Note:
        An IPv6 via address list scan is allowed on Discovery schedule for Configuration Items.
      • IP addresses: Scans devices without the use of credentials. These scans discover all the active IP addresses in the specified range and create device history records, but do not update the CMDB. IP address scans also show multiple IP addresses that are running on a single device. Identify devices by class and by type, such as Windows computers and Cisco network gear. The Max range size Shazzam probe property determines the maximum number of IP addresses Shazzam scans. See Configure Shazzam probe for details.
      • Networks: Discovers IP networks (routers and switches). Results from this search are used to populate the IP Network [cmdb_ci_ip_network] table in Discovery > IP Networks with a list of IP addresses and network masks. Network scans update routers and layer 3 switches in the CMDB.
      • Service: Discovers services for the Service Mapping application. See Schedule a top-down discovery by Service Mapping for instructions.
      • Serverless: Finds CIs without needing to run discovery on a host, or CIs on a proxy host that is already in the CMDB. See Serverless Discovery for more information.
      • Cloud application: Discovers only the cloud resources for the patterns that you specify. See Exploring Cloud Discovery for instructions.
      • Cloud resources: Discovers resources for one of the supported cloud providers. This option only appears when you run Discovery on a cloud service account. You cannot select it from a new Discovery schedule.
      • Certificates. Discovers certificates based on URLs. Selecting this option adds the Certificate Discovery Type field: URL Certificate Discovery. See Run Certificate Discovery via individual URL scans for more information.
      MID Server selection method Select the method that Discovery uses to select a MID Server:
      • Auto-Select MID Server: Allow Discovery to select the MID Server automatically based on the discovery IP ranges you configure. To find a matching MID Server, you must configure MID Servers to use:
        • The Discovery application, or ALL applications. This setting authorizes the MID Server access from Discovery.
        • The IP range that includes the ranges you configure on the discovery schedule.
        Note:
        MID Server auto-select is not supported with IPv6.
      • Specific MID Cluster: Use a preconfigured cluster of MID Servers. Select the cluster. You are not required to specify one member of the cluster. The MID Server cannot be part of multiple clusters, such as one that supports load balancing and one that supports failover. You can add any cluster regardless of the application that the MID Servers are assigned to. When you select the cluster, the Discovery application is automatically added when it does not exist for the MID Servers in the cluster.
      • Specific MID Server: Use only one MID Server. If that MID Server is part of a cluster, only that MID Server is used. The cluster is not used. You can add any MID Server regardless of the application it is assigned to. The Discovery application is automatically added when it is not already assigned for the MID Server you select. You can assign a specific MID Server for all types of Discover scans except Service.
      • Use Behavior: Use a behavior when a single schedule requires the use of multiple MID Servers to perform any of the following activities:
        • Scans requiring multiple Windows credentials.
        • A schedule that must execute two or more particular protocols (SNMP, SSH, or WMI) using more than one MID Server.
        • Load balancing for large discoveries where a single MID Server would be inadequate.
        • Scanning multiple domains.
      Note:
      The discovery schedule enforces domain separation. The MID Servers that are available for selection are limited to the same domain of the user who is configuring the schedule.

      See MID Server selection sequence for Discovery schedules for additional information.
      MID Server Select the MID Server to use for this schedule. This field is available if MID Server selection method is set to Specific MID Server, or if you discover IP addresses, networks, or web services.

      To verify that the MID Server you selected is up and validated, look at the MID Server dashboard.
      MID Server Cluster Select the MID Server cluster to use for this schedule. This field is available if MID Server selection method is set to Specific MID Cluster.
      Behavior Select a behavior configured for the MID Servers in your network.

      This field is available only if MID Server selection method is set to Use Behavior.
      Active Select the check box to enable this schedule. If you clear the check box, the schedule is disabled, but you can still run a discovery manually from this form, using the configured values.
      Location Choose a location to assign to the CIs that the schedule discovers. If this field is blank, then no location is assigned.
      Max run time Set a time limit for running this schedule. When the configured time elapses, the remaining tasks for the discovery are canceled, even if the scan is not complete. Use this field to limit system load to a desirable time window. If no value is entered in this field, this schedule runs until complete.
      Run and related fields Determines the run schedule of the discovery. Configure the frequency in the Run field and the other fields that appear to specify an exact time.
      Note:
      The run time always uses the system time zone. If you add the optional Run as tz field, it has no effect on the actual runtime.
      Log state changes Select this check box to create a log entry every time the state changes during a discovery, such as a device going from Active to Classifying. View the discovery states from the Discovery Devices related list on the Discovery Status form. The Completed activity and Current activity fields display the states.
      Shazzam batch size Enter the number of IP addresses that each Shazzam probe can scan. Dividing the IP addresses into batches improves performance by allowing classification for each batch to begin after the batch completes. rather than after all IP addresses have been scanned. The probes run sequentially. For example, the value is set to 1000 and a discovery scans 10,000 IP addresses using a single MID Server. It creates 10 Shazzam probes with each probe scanning 1000 IP addresses. By default, the batch size is 1000. A UI policy enforces a minimum batch size of 256 because batch sizes below 256 IP addresses do not benefit from clustering. The policy converts any value below 256 to a value of zero.

      The value for this field cannot exceed the value defined in the maximum range size property for the Shazzam probe.
      Shazzam cluster support Select the check box to distribute Shazzam processing among multiple MID Servers in a cluster and improve performance. This setting works with the Shazzam batch size. For example, a schedule is created to scan 100,000 IP addresses, with 10 MID Servers assigned to do the work. Each MID Server is assigned to scan 10,000 IP addresses. If the Shazzam batch size is set to 5,000 IP addresses per probe, the schedule runs two Shazzam probes per MID Server (10,000 IP addresses/5,000 per batch). These probes are run in sequence and not concurrently.
      Use SNMP Version Use this field to designate the SNMP version to use for this discovery. The default value is ALL. You can change this to v1, v2c, or v3.
      URL Certificate Batch Size Define the number of URLs to discover per batch during discovery. Leave the batch size as it is unless recommended to change.
      Quick ranges Define IP addresses and address ranges to scan by entering IP addresses in multiple formats (network, range, or list) in a single, comma-delimited string. For more information, see Create a Quick IP range for a Discovery schedule.
      Discover now Use this link to immediately start this Discovery.
      Related lists
      IP Ranges This related list defines the ranges of IP addresses to scan with this schedule. If you are using a simple CI scan (no behaviors), use this related list to define the IP addresses to discover.
      Note:
      To improve security, limit the range of discovery targets to exclude unnecessary networks and devices.
      Discovery Range Sets This related list defines each range set in a schedule to scan by one or more Shazzam probes.
      Discovery Status This related list displays the results of current and past schedule runs.
      Certificate URLs This related list displays the URLs that are discovered using this schedule. You can add or delete URLs from this list.
    6. Define the frequency of schedule running as described in Run options for discovery schedules.

    Run a Quick Discovery

    Quick Discovery, or DiscoverNow, allows an administrator to run a CI Configuration discovery on a single IP address without requiring a schedule.

    Before you begin

    Role required: discovery_admin

    About this task

    The platform automatically selects the correct MID Server to use for the discovery if one is associated with the IP address selected. If no MID Server is configured for the network in which that address appears, you can select a MID Server. Use this feature to discover new devices in the network as soon as they are connected to the network, rather than waiting for a regularly scheduled discovery.

    To configure the system to automatically determine which MID Server to use, set up the IP range capabilities for each MID Server in your system.

    You can run DiscoverNow from a Discovery schedule form or from a script.

    Note:
    Quick Discovery using a IPv6 target address is supported.

    Procedure

    1. Open Quick Discovery from one of these locations:
      • Navigate to Discovery > Discovery Schedules and click Quick Discovery in the header bar.
      • Navigate to Discovery > Home and click Discovery Quick Start under the Schedules tile.
      A dialog box appears asking for an IP address and the name of the MID Server to use. Only Up and Validated MID Servers are available.
    2. Enter the target IP address for a discovery in the Target IP field.
      Note:
      DiscoverNow does not currently support IP network discovery. Make sure that you enter a single IP address only and not an entire network, such as 10.105.37.0/24.
      When a MID Server is assigned to the subnet containing the target IP address and currently in an operational status of Up, the name appears automatically in the MID Server field. If multiple MID servers are found, the system selects one for you. The value in the MID Server field can be overwritten if you want to select a different MID Server.
      Important:
      If the selected MID Server is part of a load balanced cluster and becomes unavailable for any reason, the instance does not assign another MID Server from that cluster to the quick Discovery. You must select another MID Server from the list of appropriate MID Servers.
    3. If no MID Server is defined for that network, select one from the list of available MID Servers.
      Figure 2. Quick Discovery Dialog
      Quick discovery
    4. Click OK to run discovery.
      The status record for that discovery appears. The Schedule column is empty because no schedule is associated with this discovery.
      Figure 3. Quick Discovery Status List
      Quick discovery status list

    Run DiscoverNow from a script

    You can run DiscoverNow from a script, such as a background job, a business rule, or web services.

    Before you begin

    Role required: admin

    Procedure

    1. Create the following script: 
      var d = new Discovery();
var statusID = d.discoveryFromIP(TARGET_IP, TARGET_MIDSERVER);

      The discoveryFromIP method takes two arguments: IP and MID Server. The IP argument is mandatory, but the MID Server argument is optional.

    2. To choose the MID Server, supply either the sys_id or name of the MID Server as the argument.
      If you do not name a MID Server, the system attempts to find a valid one automatically. A valid MID Server has a status of Up and can discover the given IP address. If the system finds a valid MID Server and runs a Discovery, the discoveryFromIP method returns the sys_id of the Discovery status record. If no MID Server can discover this IP address, the method returns the value undefined.

      If you manually specify the TARGET_MIDSERVER, the system validates the given value and ensures that the MID Server table contains the specified MID Server record. If the validation passes, the discoveryFromIP method returns the sys_id of the discovery status record. If the validation fails, the method return the value undefined.

    Validate discovery results

    Validate the results of your discovery by accessing the ECC queue, analyzing the XML payload, and checking the Discovery log.

    Before you begin

    Role required: discovery_admin

    About this task

    Initial discoveries often reveal unexpected results, such as previously unknown devices and processes or failed authentication. Results should also accurately identify known devices and update the CMDB appropriately. Become familiar with the network that is being discovered and the types of data returned for the different types of discoveries. Use the Discovery Log and the ECC Queue to monitor the Discovery process as data is returned from probes or pattern operations.

    Procedure

    1. To view the actual payload of a probe, click the XML icon in a record in the ECC Queue.
      Figure 4. ECC Queue
      ECC Queue
    2. To view the actual payload of a probe, click the XML icon in a record in the ECC Queue.
    3. Use the Discovery Log form for a quick look at how the probes are doing.

      To display the Discovery Log, navigate to Discovery > Discovery Log.

      Figure 5. Discovery Log
      The Discovery log
      The Discovery Log provides this information:
      Column Information
      Created Displays the timestamp for the probe launched. Click this link to view the record for the probe launched in this list.
      Level Displays the type of data returned by this probe. The possible levels are:
      • Debug
      • Error
      • Information
      • Warning
      Message Message describing the action taken on the information returned by the probe.
      ECC queue input Displays the ECC queue name associated with the log message.
      CI The CI discovered. Click this link to display the record from the CMDB for this CI.
      Source Displays the probe name that generated the log message.
      Device Displays the IP address explored by the probe. Click this link to examine all the log entries for the action taken on this IP address by this Discovery.
      Note:
      If you cancel an active discovery, note the following information:
      • Existing sensor jobs that have started processing are immediately terminated.
      • The existing sensor jobs that are in a Ready state, but have not started processing, are deleted from the system.
    4. View the Discovery Home page for details about all schedules, cloud resources (virtual machines), discovered devices, and related errors that might have occurred.
      Error details include possible remediation steps.

    MID Server selection sequence for Discovery schedules

    The Discovery application follows this sequence to find a MID Server.

    MID Server auto-selection

    Discovery follows this sequence when you select Auto-Select MID Server for the MID Server selection method on the Discovery Schedule form.
    Note:
    MID Server auto-select is not supported with IPv6.
    1. Discovery looks for a MID Server that also has an appropriate IP range configured.
    2. If no MID Servers meet these criteria, it looks for a MID Server that has the ALL application that also has an appropriate IP range configured.
    3. If more than one MID Server meet the criteria, Discovery chooses the first MID Server with the status of Up. If more than one MID Server is up, it randomly picks one.
    4. If none are up, it uses the default MID Server specified for the Discovery application, assuming it is up.
    5. If no default MID Server is specified, it uses the default MID Server specified for the ALL application, assuming it is up.
    6. If no default MID Server is specified, Discovery cycles through the previous steps and looks for MID Servers with the status of Paused or Upgrading.
      Note:
      When a MID Server is paused or upgrading, it does not actually process commands until it returns to the status of Up.

    MID Server clusters

    These steps are followed when you select Specific MID Cluster for the MID Server selection method on the Discovery form, and the cluster is a load balancing cluster:
    1. Discovery uses the first MID Server in the cluster that it finds with the status of Up.
    2. If more than one MID Server is up, it randomly picks one. If it cannot find any MID Servers, it looks for MID Servers in the cluster with the status of Paused or Upgrading.
    These steps are followed when the cluster is a failover cluster:
    1. Discovery uses the MID Server with the lowest Order value that also has the status of Up.
    2. If no MID Servers are found, it looks for MID Servers in the cluster with the status of Paused or Upgrading, choosing the one with the lowest Order value.
    Note:
    Discovery ignores the default MID Server for it and ALL applications when selecting a MID Server from the cluster.

    Port scan (Shazzam) phase

    During the port scan phase, Discovery collects all the target IP addresses. It splits them equally between MID Servers matching the criteria (MID Servers are qualified to do the port scan). The Shazzam batch size, which you configured on the Discovery schedule, determines the number of IP addresses that each Shazzam probe can scan. This phase helps determine how much work each MID Server does during the port scan phase.

    For example, you have 16,000 IP addresses to scan among three qualified MID Servers, and you use the default Shazzam batch size of 5000. Two of the MID Servers handle 5000 IP address scans (one Shazzam probe each). The other MID Server handles 6000 IP address scans by launching two Shazzam probes.

    Note:

    Shazzam can process IP lists containing up to of 5000 addresses that include both IPv4 and IPv6 types. If your schedule contains an IP list with more than 5000 IPv6 IP addresses, the Discovery gets cancelled. If you are using only IPv6 addresses, you must use a list and not an IP address range. IPv6 address ranges and networks are not supported and will be ignored.