Guides

Query Splunk App

Query empowers Splunk users with more data from outside of Splunk

Suggest Edits

📘

TL;DR About the Query Splunk App

The Query Federated Search for Splunk app expands the data reach of Splunk so users can search a wide range of distributed data sources that have not been ingested into Splunk.

Splunk users can search directly from Splunk's dashboard or Search box using the queryai command, and the results will include data from all repositories connected to Query with a Platform Connector.

The Query Splunk app is installed by a Splunk Administrator, in coordination with a Query Platform administrator.


What Is Query Federated Search for Splunk?

Your organization likely uses the industry-leading Splunk platform for observing security data. And you almost certainly have lots more security-related data that's not in Splunk. With Query, you can overcome that limitation: after a Splunk administrator installs the Query Federated Search app in Splunk, you can search Query-connected remote data even when it does not exist in the Splunk index.

The queryai command brings federated search results right into the Splunk UI, ready to leverage further with the Splunk Search Processing Language ( SPL). You can use your queryai search results in SPL searches, reporting, and dashboards. This powerful capability bypasses any need to index the data in Splunk.

In this way, Query Federated Search for Splunk lets you access, search, and use all of your cybersecurity data directly from the Splunk console or dashboard - no matter the data repository’s vendor, technology, or location.

If you are hungry for even more data, Administrators can connect Query to additional data sources in minutes.

Query Search Results in Splunk

To help you visualize, if you were to run a search from Splunk to fetch everything related to an IP address, your result set would include all associated events, devices, user information, and any other related records contained in your Query platform integrations.

Screenshot of Splunk app search results

How the Query Splunk App Works

Click here to see the Query architecture page, which offers a diagram showing how your searches from Splunk are run against Query-connected repositories by acting as a client to Query.

Updated 29 days ago

What’s Next

Read on for more about how to Search with the Query Splunk app, or if it's not yet configured, how to set it up.