Splunk Enterprise plugin

Monitor any events or metrics and retrieve reports from your Splunk Enterprise environment using custom Splunk Processing Language (SPL) queries.

For more information about what this plugin does and the data streams it retrieves, see:

Splunk

The Splunk Enterprise plugin is a "hybrid" plugin, meaning it is available in SquaredUp as both a cloud and an on-prem plugin.

Use the cloud version if your Splunk Enterprise instance is available on the internet. You do not need to configure a relay agent.
Use the on-prem plugin to access a Splunk Enterprise instance on a server on-prem. You will need to configure a relay agent before you configure the Splunk Enterprise On-Prem plugin.
An on-prem data source connects a service running on your internal network to SquaredUp. It requires an agent installed on a machine that has access to your internal network.

This data source is of great use in addition to other data sources. It enables you to get different kinds of data and insights about objects that have been indexed by other data sources.

To add a data source click on the + next to Data Sources on the left-hand menu in SquaredUp. Search for the data source and click on it to open the Configure data source page.

You can also add a data source by clicking Add data source on the Settings > Data Sources page, but pre-built dashboards are not added when using this method.

Adding an agent for the on-prem plugin

If you are using the Splunk Enterprise On-Prem plugin you will need an agent running on a server that can access the server hosting your Splunk Enterprise instance. You do not need an agent for the cloud plugin.

Configuring and deploying an agent

If you have already created an agent in SquaredUp that you can use for this data source, you can skip this step and choose the agent group you want to use while Configuring the data source.

See one of the following, depending on your platform type:

Configuring the data source

Display Name:
Enter a name for your data source. This helps you to identify this data source in the list of your data sources.
Agent Group:
Select the Agent Group that contains the agent(s) you want to use.
This field will only appear if you are adding the on-prem plugin.
Splunk Enterprise URL:
Enter the URL for your Splunk Enterprise server.
For accessing your Splunk instance you need to enter either a token or your Splunk user name and password.
If you use a token:
Create a token in your Splunk instance and paste it in here.
If you use your Splunk user name and password:
Enter the user name and password you use to log in to your Splunk instance.
Ignore Certificate errors:
If you activate this checkbox the data source will ignore certificate errors when accessing the Splunk Enterprise server.

Restrict access to this data source:
You can enable this option if you only want certain users or groups to have access to the data source, or the permission to link it to new workspaces. See data source access control for more information.

The term data source here really means data source instance. For example, a user may configure two instances of the AWS data source, one for their development environment and one for production. In that case, each data source instance has its own access control settings.

By default, Restrict access to this data source is set to off. The data source can be viewed, edited and administered by anyone. If you would like to control who has access to this data source, switch Restrict access to this data source to on.

Use the Restrict access to this data source dropdown to control who has access to the workspace:

By default, the user setting the permissions for the data source will be given Full Control and the Everyone group will be given Link to workspace permissions.
Tailor access to the data source, as required, by selecting individual users or user groups from the dropdown and giving them Link to workspace or Full Control permissions.
If the user is not available from the dropdown, you are able to invite them to the data source by typing in their email address and then clicking Add. The new user will then receive an email inviting them to create an account on SquaredUp. Once the account has been created, they will gain access to the organization.
At least one user or group must be given Full Control.
Admin users can edit the configuration, modify the Access Control List (ACL) and delete the data source, regardless of the ACL chosen.

Access level	Permissions
Link to workspace	User can link the data source to any workspace they have at least Editor permissions for. Data from the data source can then be viewed by anyone with any access to the workspace. User can share the data source data with anyone they want. User cannot configure the data source in any way, or delete it.
Full Control	User can change the data source configuration, ACL, and delete the data source.

See Access control for more information.

Click Add.
The data source is now added. To be able to use it, you need to create a custom Data Stream for this data source.

Next steps

Data streams

Data streams standardize data from all the different shapes and formats your tools use into a straightforward tabular format.

While creating a tile you can tweak data streams by grouping or aggregating specific columns.

Depending on the kind of data, SquaredUp will automatically suggest how to visualize the result, for example as a table or line graph.

Data streams can be either global or scoped:

Global data streams are unscoped and return information of a general nature (e.g. "Get the current number of unused hosts").
A scoped data stream gets information relevant to the specific set objects supplied in the tile scope (e.g. "Get the current session count for these hosts").

See Data Streams for more information.

The following data streams are installed with this plugin.

Data stream	Description
Recent Searches List	Returns recent searches for templates

Configurable data streams

The following data streams have configurable Parameters.

Data stream	Description	Parameters
SPL Query	Runs the provided query against Splunk Enterprise data	Query: Enter a SPL query. This data stream supplies scoped objects individually for mustache parameters. When there are multiple objects in scope this data source will send the query multiple times, once for each object. The results are then displayed together, for example in a single table. You can use properties of objects and write them in between curly braces e.g `{{name}}` to use them as mustache parameters. Whenever you use mustache parameters, you need to use a scope of objects that contain the property you're referencing. For example, if objects of type "host" have a property called `name`, you can use `{{name}}`. This will resolve `{{name}}` to the value of the name property of the different "host" objects used in the scope. Use Timeframe: Select to fetch data only from within dashboard / tile timeframe.
Reports	Return saved report data from Splunk Enterprise	Report: Select a report. Use Timeframe: If the report involves a timeframe (for example, Errors in the Last 24 Hours), select the Use Timeframe checkbox.For faster searches. It's recommend to select the Use Timeframe checkbox if your query doesn't specify a timeframe, otherwise the entire dataset is scanned.

Was this article helpful?

Have more questions or facing an issue?

Submit a ticket