Query App for Splunk

Query Security Mesh empowers Splunk users with more data from outside of Splunk

TL;DR About the Query App for Splunk

The Query App for Splunk expands the data reach of Splunk so users can investigate from a wide range of distributed data sources that have not been ingested into Splunk.

Splunk users can search directly from Splunk's dashboard or Search box using the queryai command, and the results will include data from all sources connected to Query with a Connector. Leveraging Query App, you can also run detections and investigations across events and entities.

The Query App for Splunk is installed by a Splunk Administrator, in coordination with a Query Platform administrator.

What Is Query App for Splunk?

Your organization likely uses the industry-leading Splunk platform for observing security data. And you almost certainly have lots more security-related data that's not in Splunk. With Query, you can overcome that limitation: after a Splunk administrator installs the Query app in Splunk, you can operationalize Query Security Mesh-connected remote data even when it does not exist in Splunk indexes.

The queryai command brings federated search results right into the Splunk SPL pipeline. You can use remote data in SPL searches, detections, reporting, and dashboards. This powerful capability bypasses any need to index the data in Splunk.

In this way, Query App for Splunk lets you access and use all of your cybersecurity data directly from the Splunk console or dashboard - no matter the data repository’s vendor, technology, or location.

If you are hungry for even more data, administrators can connect Query to additional data sources in minutes.

Query Search Results in Splunk

To illustrate: if you run a search from Splunk to fetch everything related to an IP address, your result set includes all associated events, devices, user information, and any other related records held in the data sources integrated with your Query platform.

Event and Entity Investigation Views

With the power of Federated Search, you can investigate events and entities without having to centralize data. Use the out-of-the-box views for investigation, or customize them to create your own dashboards -- all in the Splunk console.

Federated Detections

Federated detections give you the ability to trigger detections without centralizing data in Splunk. You can write your own custom detections, or adapt detection content from public sources such as Splunk's Threat Research, and run them over your distributed data sources without moving or centralizing the data.
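The following SPL search is an added illustration of the pattern the preceding sections describe (the queryai command feeding federated results into the normal SPL pipeline, and a threshold on top of it serving as a detection); it is not code from this page or from Query's own documentation. The argument to queryai is a placeholder, because the command's real parameter names and syntax are defined by the app, not by this page; the field names (src_ip, dest_ip, action, sourcetype) and the assumption that queryai acts as a generating command at the head of the pipeline are also assumptions for the sake of the example. The IP address is a constructed documentation value.

```spl
| queryai <QUERY_ARGS_PLACEHOLDER: search terms as documented by the app, e.g. the IP 203.0.113.7>
| eval _time=coalesce(_time, now())
| search src_ip="203.0.113.7" OR dest_ip="203.0.113.7"
| stats count AS events,
        min(_time) AS first_seen,
        max(_time) AS last_seen,
        values(sourcetype) AS sources,
        dc(action) AS distinct_actions
  BY src_ip, dest_ip
| convert ctime(first_seen) ctime(last_seen)
| where events > 10
| sort - events
```

Everything after the first line is ordinary SPL: the federated rows are filtered, aggregated per source/destination pair, and reduced to pairs that exceed a threshold. Saving a search of this shape as a scheduled alert in Splunk is how the threshold becomes a federated detection: the alert fires on remote data that was never indexed in Splunk.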

How the Query App for Splunk Works

See the Query architecture page for a diagram showing how searches issued from Splunk are run against Query-connected repositories, with the Query App acting as a client to the Query platform.