Splunk Enterprise plugin
Monitor any events or metrics and retrieve reports from your Splunk Enterprise environment using custom Splunk Processing Language (SPL) queries.
This data source is very useful when used in conjunction with other data sources. It enables you to get different kinds of data and insights about objects that have been indexed by other plugins.
Adding a data source
To add a data source click on the + next to Data Sources on the left-hand menu in SquaredUp. Search for the data source and click on it to open the Configure data source page.
Before you start
- Will SquaredUp need to connect to this data source via a relay agent?
- Generate a personal access token
- Configure the data source in SquaredUp
Will SquaredUp need to connect to this data source via a relay agent?
This plugin is a hybrid plugin, meaning it can connect to either a cloud or an on-prem data source.
- If your data source is available on the internet, then you do not need to connect via a relay agent.
- If your data source is on a private network and is not publicly accessible, then you will need to configure a relay agent before you configure the plugin. See Deploying a relay agent.
This feature is available with an Enterprise plan
Relay agents allow you to securely connect to data sources inside your own network (on-prem).
A relay agent is installed on a server on your internal network, and has access to your data source.
When a plugin uses a relay agent it means that you don't need to open your firewall to allow SquaredUp access to the data source.
If you have already created a relay agent in SquaredUp that can access this data source, then you can skip this step and choose Connect via relay agent when Configuring the data source.
Generating a personal access token
When configuring the data source, you can choose to authenticate by either supplying the username and password of your Splunk account or by an authentication token.
If you want to authenticate using an authentication token then you can generate one in Splunk by navigating to Settings > Tokens. For detailed instructions on creating a token see the Splunk documentation.
Configuring the data source
Display name:
Enter a name for your data source. This helps you to identify this data source in the list of your data sources.
Connect via relay agent:
If you are connecting to an on-prem data source then select this toggle, so you can use a relay agent to connect securely.
Agent group:
Select the Agent Group that contains the agent(s) you want to use. Agent groups are managed from Settings > Relay Agents.
This field will only appear if you are adding the on-prem plugin.
- Splunk Enterprise URL:
Enter the URL for your Splunk Enterprise server.
- To authenticate your Splunk instance, you must enter either a token or your Splunk user name and password.
- Token:
Create a token in your Splunk instance and paste it in here.
- Username and password:
Enter the user name and password you use to log in to your Splunk instance.
- Ignore certificate errors:
If you activate this checkbox the data source will ignore certificate errors when accessing the Splunk Enterprise server.
Restrict access to this data source:
Optionally, enable this toggle if you only want certain users/groups to have access to the data source, or those with the permission to link it to new workspaces. See data source access control for more information.
The term data source here really means data source instance. For example, a user may configure two instances of the AWS data source, one for their development environment and one for production. In that case, each data source instance has its own access control settings.
By default, Restrict access to this data source is set to off. The data source can be viewed, edited and administered by anyone. If you would like to control who has access to this data source, switch Restrict access to this data source to on.
Use the Restrict access to this data source dropdown to control who has access to the workspace:
- By default, the user setting the permissions for the data source will be given Full Control and the Everyone group will be given Link to workspace permissions.
- Tailor access to the data source, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
- If the user is not available from the dropdown, you are able to invite them to the data source by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the organization.
- At least one user or group must be given Full Control.
- Admin users can edit the configuration, modify the Access Control List (ACL) and delete the data source, regardless of the ACL chosen.
See Access control for more information.
Click Test and add to validate the data source configuration. SquaredUp will now attempt to connect to Splunk Enterprise using the provided authentication method.
- Testing passed – a success message will be displayed and then the configuration will be saved.
- Testing passed with warnings – warnings will be listed and potential fixes suggested. You can still use the data source with warnings. Select Save with warnings if you believe that you can still use the data source as required with the warnings listed. Alternatively, address the issues listed and then select Rerun tests to validate the data source configuration again. If the validation now passes, click Save.
- Testing failed – errors will be listed and potential fixes suggested. You cannot use the data source with errors. You are able to select Save with errors if you believe that a system outside of SquaredUp is causing the error that you need to fix. Alternatively, address the issues listed and then select Rerun tests to validate the data source configuration again. If the validation now passes, click Save.
You can edit data source configurations at any time from Settings > Data Sources.
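Before entering the token and deciding on Ignore certificate errors, you can check both from the machine that will make the connection (for example the relay agent host). The following is an added example, not part of SquaredUp or Splunk: it sends the token to Splunk's REST API with certificate and hostname verification left on, and reports whether a failure is an untrusted certificate, a rejected token, or an unreachable server. Assumptions: the host name is a placeholder, 8089 is taken to be the Splunk management port, the endpoint and its JSON shape are as commented, and the function names are hypothetical.

```python
import json
import ssl
import urllib.error
import urllib.request

# Assumption: Splunk REST endpoint that reports the identity behind the credential.
CONTEXT_PATH = "/services/authentication/current-context?output_mode=json"


def build_request(base_url, token):
    """Build the authenticated request; never send a token over plain HTTP."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send a token to a non-HTTPS URL")
    return urllib.request.Request(
        base_url.rstrip("/") + CONTEXT_PATH,
        headers={"Authorization": f"Bearer {token}"},
    )


def preflight(base_url, token, ca_file=None, opener=urllib.request.urlopen):
    """Return (status, detail). Certificate and hostname checks stay enabled."""
    # ca_file lets you trust an internal CA instead of disabling verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with opener(build_request(base_url, token), context=ctx, timeout=10) as resp:
            body = json.load(resp)
        # Assumed response shape: entry[0].content.username
        return ("ok", body["entry"][0]["content"]["username"])
    except urllib.error.HTTPError as exc:  # must precede URLError (its parent class)
        status = "auth_failed" if exc.code in (401, 403) else "http_error"
        return (status, str(exc.code))
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return ("cert_untrusted", str(exc.reason))
        return ("unreachable", str(exc.reason))


if __name__ == "__main__":
    # Placeholder host and token; 8089 is assumed to be the management port.
    print(preflight("https://splunk.example.internal:8089", "PASTE-TOKEN-HERE"))
```

A `cert_untrusted` result means the certificate chain or host name does not validate from this machine; passing the issuing CA as `ca_file` shows whether trusting that CA resolves it.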
Next steps
Data streams
You can use these data streams to create new tiles to show data, or if there are preconfigured dashboards installed you can copy or edit those.
Data streams standardize data from all the different shapes and formats your tools use into a straightforward tabular format.
While creating a tile you can tweak data streams by grouping or aggregating specific columns.
Depending on the kind of data, SquaredUp will automatically suggest how to visualize the result, for example as a table or line graph.
Data streams can be either global or scoped:
- Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
- A scoped data stream gets information relevant to the specific set of objects supplied in the tile scope (e.g. "Get the current session count for these hosts").
See Data Streams for more information.
The following data streams are installed with this plugin.
Recent Searches List
Look up recent searches for templates