Splunk
  • 13 Jun 2022
  • 5 Minutes to read

Splunk captures, indexes, and correlates real-time data in a searchable repository.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

Parameters

  1. Host Name (required) - The hostname of the Splunk search head.

  2. Port (required) - Specify the port of the Splunk system. It is recommended to use TCP port 8089. For more details, see Splunk Docs - Securing Splunk Enterprise.

  3. Protocol (required, default: HTTPS) - Select the protocol (HTTP or HTTPS) to use for this adapter connection.

  4. User Name and Password (optional, default: empty) - The user name and password for an account that has read access to the API. To create a new user with read permissions, follow the tutorial in the official Splunk documentation. Splunk Cloud users should follow the steps detailed in Accessing the Splunk Cloud Platform REST API to access the API.

    Note:

    If API Token is not supplied, those fields are required.

  5. API Token (optional, default: empty) - API token can be used instead of user name and password.

    Note:

    If User Name and Password are not supplied, this field is required.

  6. Splunk search macros list (Optional, default: empty) - Specify a comma-separated list of Splunk search macro names. For details on Splunk search macros, see Splunk Knowledge Manager Manual - Define search macros in Settings.

    • Axonius runs the specified search macros and treats the results as if they were received from a CSV file. This means each search macro must return at least one column of required data as specified in the CSV adapter - Which fields will be imported with a devices file?.
    • If supplied, Axonius will run the specified search macros and will fetch devices from the results for this adapter.
      • To execute macros that start with a generating command, add "|" (pipe) as a prefix to the supplied macro name.
      • To execute macros that are defined outside of the default 'Search' Splunk application, prefix the macro name with the application namespace name followed by a colon.
    • If not supplied, this adapter will not include any search macros results in the fetched data.
  7. Splunk installed software search macros list (Optional, default: empty) - Specify a comma-separated list of Splunk search macro names that provide installed software information. For details on Splunk search macros, see Splunk Knowledge Manager Manual - Define search macros in Settings.

    • Axonius runs the specified search macros and treats the results as if they were received from a CSV file with installed software information. This means each search macro must return at least one column of required data as specified in Which fields will be imported with a software applications file?.
    • If supplied, Axonius will run the specified search macros and will fetch installed software from the results and associate them to device entities for this adapter.
      • To execute macros that start with a generating command, add "|" (pipe) as a prefix to the supplied macro name.
      • To execute macros that are defined outside of the default 'Search' Splunk application, prefix the macro name with the application namespace name followed by a colon.
    • If not supplied, this adapter will not include any search macros results in the fetched data.
  8. Splunk User Search Macros List - Enter a list of macros. When populated, this field is used to query the macros defined within it and create User objects that are parsed into Axonius. The macro should return at least one of the following fields to be used as a unique identifier: 'id', 'username', 'mail', 'name', 'userprincipalname'. Other fields that are not used as the ID are added dynamically, i.e., any field the macro fetches should be available in Axonius.

  9. For details on the common adapter connection parameters and buttons, see Adding a New Adapter Connection.
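The connection and macro parameters above, worked through as an added Python example (this is illustration code, not the Axonius adapter's own implementation): it parses the comma-separated macro list (the leading "|" for macros that start with a generating command, and the "app:" namespace prefix), builds the authenticated Splunk REST search request over HTTPS on port 8089 using either the API token or the user name and password, and picks a unique identifier from a row returned by a user macro. Endpoint paths and request parameters (services/search/jobs, servicesNS, exec_mode, earliest_time, max_count) are Splunk REST API names; mapping the namespace prefix onto a servicesNS app path, the identifier preference order, and the days-back and max-records defaults are assumptions, and the host and macro names are constructed.

```python
"""Build Splunk REST search requests as the adapter parameters describe.

Added illustration, not Axonius code. Endpoint paths and parameter names are
Splunk REST API names; the mapping of "app:macro" onto a servicesNS app
namespace and the user-identifier preference order are assumptions.
"""
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Fields the page lists as acceptable unique identifiers for user macros.
# Checking them in this order is an assumption (the page states no order).
USER_ID_FIELDS = ("id", "username", "mail", "name", "userprincipalname")


@dataclass(frozen=True)
class MacroSpec:
    name: str            # macro name as defined in Splunk
    app: Optional[str]   # application namespace; None means the default Search app
    generating: bool     # True when the macro begins with a generating command


def parse_macro_list(spec: str) -> list[MacroSpec]:
    """Parse the comma-separated macro list: '|' prefix = generating command,
    'app:macro' = macro defined in another Splunk application."""
    macros = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        generating = item.startswith("|")
        if generating:
            item = item[1:].strip()
        app, sep, name = item.rpartition(":")
        if not sep:
            app, name = None, item
        if not name or "`" in name:
            raise ValueError(f"invalid macro name: {raw!r}")
        macros.append(MacroSpec(name=name, app=app or None, generating=generating))
    return macros


def build_spl(macro: MacroSpec) -> str:
    """The search endpoint requires the SPL to start with 'search' or with '|'."""
    call = f"`{macro.name}`"
    return f"| {call}" if macro.generating else f"search {call}"


def jobs_path(macro: MacroSpec) -> str:
    """Default Search app context, or an explicit app namespace (assumption:
    the 'app:' prefix is applied as a servicesNS namespace)."""
    if macro.app:
        return f"/servicesNS/nobody/{macro.app}/search/jobs"
    return "/services/search/jobs"


def auth_header(token: Optional[str] = None, username: Optional[str] = None,
                password: Optional[str] = None) -> dict:
    """API token uses the Bearer scheme; otherwise HTTP basic auth with the
    read-only account. One of the two is required, as the parameters state."""
    if token:
        return {"Authorization": f"Bearer {token}"}
    if username and password:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return {"Authorization": f"Basic {creds}"}
    raise ValueError("either API token or user name and password is required")


def build_search_request(host: str, macro: MacroSpec, *, port: int = 8089,
                         protocol: str = "https", token: Optional[str] = None,
                         username: Optional[str] = None, password: Optional[str] = None,
                         days_back: int = 30, max_records: int = 100000):
    """Return (url, headers, body) for a oneshot search job running one macro.
    days_back / max_records mirror the adapter's advanced-setting defaults."""
    if protocol not in ("http", "https"):
        raise ValueError("protocol must be http or https")
    url = f"{protocol}://{host}:{port}{jobs_path(macro)}"
    body = urlencode({
        "search": build_spl(macro),
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": f"-{days_back}d",
        "latest_time": "now",
        "max_count": max_records,
    })
    headers = {**auth_header(token, username, password),
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def user_identifier(record: dict) -> Optional[str]:
    """Pick the unique identifier from a user-macro result row, or None if the
    row carries none of the documented identifier fields."""
    for field in USER_ID_FIELDS:
        value = record.get(field)
        if value not in (None, ""):
            return str(value)
    return None


if __name__ == "__main__":
    # Constructed input: two macros, one generating and one in another app.
    for m in parse_macro_list("| assets_from_lookup, inventory_app:device_inventory"):
        url, headers, body = build_search_request(
            "splunk.example.invalid", m, token="<API-TOKEN-PLACEHOLDER>")
        print(url, headers["Authorization"][:7], body, sep="\n")
    print(user_identifier({"dept": "it", "mail": "jdoe@example.invalid"}))
```

A token keeps the long-lived password out of the adapter's stored configuration, and keeping the protocol at HTTPS on the management port means the credential in the Authorization header never crosses the network in the clear.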


Advanced Settings

Note:

From version 4.6, advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  1. Number of days to fetch (required, default: 30) - Specify, in days, how far back Axonius requests data when fetching from all the connections of this adapter.
  2. Maximum amount of records per search (required, default: 100000) - Specify the maximum number of records Axonius should fetch from all the connections of this adapter.
  3. Windows login fetch hours (required, default: 3) - Specify, in hours, how far back Axonius requests Windows login data when fetching from all the connections of this adapter.
  4. Fetch devices from the splunk-nexpose plugin (required, default: False)
    • If enabled, all connections for this adapter will fetch the devices data from splunk-nexpose plugin.
    • If disabled, all connections for this adapter will not fetch the devices data from splunk-nexpose plugin.
  5. Fetch devices from Cisco (required, default: True)
    • If enabled, all connections for this adapter will fetch the devices data from Cisco data in Splunk.
    • If disabled, all connections for this adapter will not fetch the devices data from Cisco data in Splunk.
  6. Fetch DHCP data (required, default: True)
    • If enabled, all connections for this adapter will fetch DHCP data.
    • If disabled, all connections for this adapter will not fetch DHCP data.
  7. Fetch Winlogon data (required, default: True)
    • If enabled, all connections for this adapter will fetch Winlogon data.
    • If disabled, all connections for this adapter will not fetch Winlogon data.
  8. Fetch VPN data (required, default: True)
    • If enabled, all connections for this adapter will fetch VPN data.
    • If disabled, all connections for this adapter will not fetch VPN data.
  9. Fetch Splunk agent version (required, default: False) - Select whether to fetch information about the Splunk agent version.
    • If enabled, all connections for this adapter will fetch information about the Splunk agent version.
    • If disabled, all connections for this adapter will not fetch information about the Splunk agent version.
  10. Override default agent search timeframe to be one minute (required, default: False) - Select whether to limit the agent search timeframe for Splunk devices to the most recent snapshot.

Note:

For details about general advanced settings under the Adapter Configuration tab, see Adapter Advanced Settings.
