Case Study · DevOps & Automation
NetBox as the single source of truth -- fed by five systems
Three CI repos that sync SolarWinds, Tenable, Splunk, vCenter, and Cisco Secure Endpoint into one MAC-keyed asset record. 860 nodes, zero spreadsheets.
Sector: Utility OT · Platform: NetBox + GitLab CI · Timeline: 12 weeks
The situation
Five tools, five inventories, five truths. SolarWinds knew which devices were polled; Tenable knew which were scanned; Splunk knew which were forwarding; Cisco Secure Endpoint (CSE) knew which had EDR coverage; vCenter and Prism knew what existed at all. Every audit started with someone reconciling lists by hand.
What we built
- sw-to-netbox -- pulls SolarWinds node + interface inventory via SWIS, normalizes MACs, writes back custom fields like in_solarwinds, polling_engine, and last_polled.
- tenable-to-netbox -- pulls Tenable Security Center hosts, agent state, and last scan, marking gaps where SolarWinds says a device exists but Tenable has no record.
- splunk-to-netbox -- pulls forwarder check-ins and indexes back into NetBox per asset.
- vCenter and Cisco Secure Endpoint connectors round out the picture for VMs and EDR.
- All three repos run as scheduled GitLab CI pipelines with shared credentials and per-job sandbox-plan gates.
Design decisions worth flagging
- MAC as the join key. Hostnames lie. IPs change. MACs are the closest thing to a stable identity for an interface, and our pipeline normalizes them at ingest.
- Custom fields, not tags. Each source system writes to its own custom field rather than shared tags, so a stale sync from one tool doesn't clobber what another knows.
- Read-only by default. The pipelines do not create or delete devices in NetBox; they enrich. Provisioning still flows through humans and PRs.
- Splunk auth via per-environment CI variables. No shared service account, no embedded creds.
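The MAC-keyed join and per-source field ownership described above, carried through to the SolarWinds/Tenable gap check, as an added example that is not the project's own code. The names last_scan and in_tenable, the rejection of all-zero and broadcast MACs, and the sample rows are assumptions.

```python
import re

# Fields each source may write. polling_engine and last_polled are named on the
# page; last_scan and the in_tenable flag are assumed names.
OWNED = {
    "solarwinds": {"polling_engine", "last_polled"},
    "tenable": {"last_scan"},
}

def normalize_mac(raw):
    """Return canonical AA:BB:CC:DD:EE:FF, or None if raw is not a usable MAC."""
    digits = re.sub(r"[\s:.\-]", "", raw or "").lower()
    # Assumption: all-zero and broadcast addresses identify nothing, so reject them.
    if not re.fullmatch(r"[0-9a-f]{12}", digits) or digits in ("0" * 12, "f" * 12):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def build_enrichment(feeds):
    """Join per-source rows on normalized MAC; a source only sets fields it owns."""
    merged, rejected = {}, []
    for source, rows in feeds.items():
        for row in rows:
            mac = normalize_mac(row.get("mac"))
            if mac is None:
                rejected.append((source, row.get("mac")))  # surface, never guess
                continue
            fields = {k: v for k, v in row.items() if k in OWNED[source]}
            fields[f"in_{source}"] = True
            merged.setdefault(mac, {}).update(fields)
    return merged, rejected

def coverage_gaps(merged):
    """MACs SolarWinds polls but Tenable has no record of."""
    return sorted(m for m, f in merged.items()
                  if f.get("in_solarwinds") and not f.get("in_tenable"))

# Constructed sample rows: same interface in two notations, plus junk values.
FEEDS = {
    "solarwinds": [
        {"mac": "0050.56AB.CDEF", "polling_engine": "poller-01"},
        {"mac": "00-1B-21-3C-4D-5E", "polling_engine": "poller-02"},
        {"mac": "00:00:00:00:00:00", "polling_engine": "poller-02"},
    ],
    "tenable": [
        {"mac": "00:50:56:ab:cd:ef", "last_scan": "2024-01-01", "polling_engine": "x"},
        {"mac": "not-a-mac", "last_scan": "2024-01-01"},
    ],
}

if __name__ == "__main__":
    merged, rejected = build_enrichment(FEEDS)
    print(coverage_gaps(merged), rejected)
```

Rejected rows are returned rather than dropped silently, so an unparseable MAC shows up as a data-quality finding instead of a missing asset.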
Outcome
860 nodes synced. Coverage gaps surfaced as NetBox saved-search reports rather than ad-hoc Excel exercises. The annual VM-coverage audit, which had taken two engineers a week, now runs as a 90-second CI job.