Splunk
  • 20 Mar 2024

Article Summary

Splunk captures, indexes, and correlates real-time data in a searchable repository.

Related Enforcement Actions

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

Parameters

  1. Host Name (required) - The hostname of the Splunk search head. To use Splunk Cloud, make sure to set the "Override default agent search timeframe to be one minute" advanced setting.

  2. Port (required) - Specify the port of the Splunk system. It is recommended to use TCP port 8089. For more details, see Splunk Docs - Securing Splunk Enterprise.

  3. Protocol (required, default: HTTPS) - Select between the HTTP and HTTPS protocols for this adapter connection.

  4. User Name and Password (optional) - The user name and password of an account that has read access to the API. The account must have read access to the _internal index. Refer to Create authentication tokens.

    Note:

    If API Token is not supplied, these fields are required.

  5. API Token (optional) - An API token can be used instead of a user name and password. The token must have read access to the _internal index. Refer to Create authentication tokens.

    Note:

    If User Name and Password are not supplied, this field is required.

    Note:

    Splunk macro titles cannot contain the following keywords: DHCP, Cisco, VPN, Windows Login, Splunk agent version, Nexpose, Landesk.

  6. Splunk Search Macros List (optional) - Specify a comma-separated list of Splunk search macro names. For details on Splunk search macros, see Splunk Knowledge Manager Manual - Define search macros in Settings.

    • Axonius will run the specified search macros and treat the results as if they were received from a CSV file. This means each search macro must return at least one column of required data, as specified in CSV adapter - Which fields will be imported with a devices file?
    • If supplied, Axonius will run the specified search macros and fetch devices from the results for this adapter.
      • To execute a macro that starts with a generating command, add "|" (pipe) as a prefix to the supplied macro name.
      • To execute a macro defined outside of the default 'Search' Splunk application, prefix the macro name with the application namespace name followed by a colon.
    • If not supplied, this adapter will not include any search macro results in the fetched data.
  7. Splunk Installed Software Search Macros List (optional) - Specify a comma-separated list of Splunk search macro names that provide installed software information. For details on Splunk search macros, see Splunk Knowledge Manager Manual - Define search macros in Settings.

    • Axonius will run the specified search macros and treat the results as if they were received from a CSV file with installed software information. This means each search macro must return at least one column of required data, as specified in Which fields will be imported with a software applications file?
    • If supplied, Axonius will run the specified search macros, fetch installed software from the results, and associate it with device entities for this adapter.
      • To execute a macro that starts with a generating command, add "|" (pipe) as a prefix to the supplied macro name.
      • To execute a macro defined outside of the default 'Search' Splunk application, prefix the macro name with the application namespace name followed by a colon.
      • If the results include the following columns, Installed Security Patch data will be added to devices where available:
        hostname (required), security_patch_name (required), state (optional), installed_on (optional), patch_id (optional)
    • If not supplied, this adapter will not include any search macro results in the fetched data.
  8. Splunk Firewall Search Macros List (optional) - Specify a comma-separated list of Splunk search macro names that provide firewall information.

  9. Splunk User Search Macros List (optional) - Enter a list of macros. When populated, this field is used to query the macros defined within it and create User objects that are parsed into Axonius. Each macro should return at least one of the following fields, to be used as a unique identifier: 'id', 'username', 'mail', 'name', 'userprincipalname'. Other fields not used as the unique identifier are added dynamically, i.e. any field the macro fetches is available in Axonius.

  10. HTTPS Proxy Password (optional) - The password to use when connecting to the server using the HTTPS Proxy.

  11. Splunk SaaS Application Search Macros List (optional) (only for accounts with SaaS Management capability) - To execute a macro that starts with a generating command, add "|" (pipe) as a prefix to the supplied macro name. To execute a macro defined outside of the default "Search" Splunk application, prefix the macro name with the application namespace name followed by a colon.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.


Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Number of days to fetch (required, default: 30) - Specify the query size by number of days Axonius will request to fetch data from all the connections of this adapter.
  2. Maximum amount of records per search (required, default: 100000) - Specify the maximum number of records Axonius should fetch from all the connections of this adapter.
  3. Windows login fetch hours (required, default: 3) - Specify the Windows login data query size by hours Axonius will request to fetch from all the connections of this adapter.
  4. Fetch devices from the splunk-nexpose plugin
    • If enabled, all connections for this adapter will fetch the devices data from splunk-nexpose plugin.
    • If disabled, all connections for this adapter will not fetch the devices data from splunk-nexpose plugin.
  5. Fetch devices from Cisco (required, default: true)
    • If enabled, all connections for this adapter will fetch the devices data from Cisco data in Splunk.
    • If disabled, all connections for this adapter will not fetch the devices data from Cisco data in Splunk.
  6. Fetch DHCP data (required, default: true)
    • If enabled, all connections for this adapter will fetch DHCP data.
    • If disabled, all connections for this adapter will not fetch DHCP data.
  7. Fetch Winlogon data (required, default: true)
    • If enabled, all connections for this adapter will fetch Winlogon data.
    • If disabled, all connections for this adapter will not fetch Winlogon data.
  8. Fetch VPN data (required, default: true)
    • If enabled, all connections for this adapter will fetch VPN data.
    • If disabled, all connections for this adapter will not fetch VPN data.
  9. Fetch Splunk agent version - Select whether to fetch information about the Splunk agent version.
    • If enabled, all connections for this adapter will fetch information about the Splunk agent version.
    • If disabled, all connections for this adapter will not fetch information about the Splunk agent version.
  10. Override default agent search timeframe to be one minute - Select whether to limit the agent search timeframe for Splunk devices to the most recent snapshot.
    • For Splunk Cloud, this setting must be configured.

Note:

For details about general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
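As an added example (not Axonius's or Splunk's own code) tying the macro-list rules of parameters 6, 7 and 11 to the advanced settings above: the parser applies the pipe-prefix, app:macro and reserved-keyword conventions, and the request builder turns one parsed macro into a Splunk REST search-job request bounded by Number of days to fetch and Maximum amount of records per search. The /servicesNS endpoint path with owner "nobody", the bearer-token header, and case-insensitive substring matching for reserved keywords are assumptions; the host and token values are placeholders.

```python
from dataclasses import dataclass
from urllib.parse import quote

# Reserved words from the macro-title note; substring matching is an assumption.
RESERVED_KEYWORDS = ("dhcp", "cisco", "vpn", "windows login",
                     "splunk agent version", "nexpose", "landesk")

@dataclass
class MacroSpec:
    name: str
    app: str           # Splunk app namespace; "search" is the default app
    generating: bool   # True when the macro starts with a generating command

def reserved_keyword(name):
    """Return the reserved keyword found in a macro title, or None."""
    lowered = name.lower()
    return next((kw for kw in RESERVED_KEYWORDS if kw in lowered), None)

def parse_macro_spec(raw):
    """Parse one list entry of the form [|][app:]macro_name."""
    text = raw.strip()
    generating = text.startswith("|")      # "| macro": generating command
    if generating:
        text = text[1:].strip()
    app, sep, name = text.partition(":")   # "app:macro": app namespace
    if not sep:
        app, name = "search", app
    if not app or not name:
        raise ValueError(f"malformed macro entry: {raw!r}")
    kw = reserved_keyword(name)
    if kw is not None:
        raise ValueError(f"macro title {name!r} contains reserved keyword {kw!r}")
    return MacroSpec(name=name, app=app, generating=generating)

def parse_macro_list(csv):
    return [parse_macro_spec(p) for p in csv.split(",") if p.strip()]

def build_search_job(spec, host, port=8089, token="TOKEN_PLACEHOLDER",
                     days=30, max_records=100000):
    """Return (url, headers, form data) for POST .../search/jobs."""
    # A search string must begin with a command: "search" for an ordinary
    # macro, "|" when the macro itself starts with a generating command.
    search = f"| `{spec.name}`" if spec.generating else f"search `{spec.name}`"
    # HTTPS on the management port; bearer token in the header, owner "nobody".
    url = f"https://{host}:{port}/servicesNS/nobody/{quote(spec.app)}/search/jobs"
    headers = {"Authorization": f"Bearer {token}"}
    data = {"search": search, "earliest_time": f"-{days}d@d", "latest_time": "now",
            "max_count": str(max_records), "output_mode": "json"}
    return url, headers, data
```

The builder only assembles the request; sending it (for example with the requests library, with certificate verification left on) and polling the job are outside this snippet.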

Permissions

The value supplied in API Token must have the user role and read access to the _internal index in order to fetch assets.
For further information, refer to Create authentication tokens.


