Splunk App Setup and Administration
Installing and Configuring the Query Federated Search Splunk App
TL;DR Setting Up the Query Splunk App
The Query Federated Search Splunk app can be installed directly from its Splunkbase listing, or separately downloaded from the Query platform and then installed.
First, a Splunk admin creates a user role for Query app users that has the list_storage_passwords capability.
Second, a Query Administrator creates a new API access key in the Query Platform.
Third, install the Query Federated Search Splunk app in Splunk, entering the uniquely generated API key during setup.
Thereafter, Splunk users with the above role can search all Query-connected data repositories directly from Splunk.
Introduction
The Query app works in all Splunk environment types - Splunk Enterprise, Splunk Cloud Classic, and Splunk Cloud Victoria. Setting up the Query Splunk app is quick and easy.
After a review of prerequisites, this page describes the two easy steps for how to set up the Query Federated Search Splunk app:
- A Query Administrator will generate a new API key for the new Splunk app instance.
- A Splunk Administrator will install the Query Splunk app in Splunk using the API key generated in Step 1 above.
Note: Our documentation assumes that you have the newest version of the Query Splunk app. While we try to maintain backward compatibility with older versions of the app, we strongly advise updating to the newest version as soon as possible. Please reach out to Query Support if you need assistance with upgrading, or need access to older documentation.
Required Roles for Setup
- Query access to generate an API key: To install and configure the app, you must have administrative access to the Query platform (or coordinate with a team member who does) in order to generate an API key. Note: Confirm that the Query administrator has added and configured at least one data source in the Connections section of Query at https://go.query.ai.
- Splunk access to set up the app: The Query Federated Search Splunk app relies on Splunk's secret storage mechanism (storage/passwords) to securely store the Query API key used to authenticate to the Query platform. Therefore, to install and configure the Query Splunk app you must have either the Splunk admin role or another role that specifically grants the two capabilities needed to store the API key securely: list_storage_passwords and edit_storage_passwords.
- Splunk user access to use the app: Users who are authorized to run federated searches from Splunk must, at a minimum, have the list_storage_passwords capability. (This is needed so that their searches can retrieve the stored API key and authenticate to the Query platform.) If no suitable role exists, create a new role that inherits from the user role and add list_storage_passwords to it. Be aware that list_storage_passwords lets a user read every entry in the secret store, not just the Query key, so grant it only to users who need it.
NOTE: The above approach is the Splunk Cloud Platform's required method for encrypting, securely storing, and accessing API keys. (For additional considerations, please review https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/#How-secure-secret-storage-works.) A Splunk admin can audit and review the items in the secret store by running the search | rest /services/storage/passwords and should grant the list_storage_passwords capability only to approved users via a role.
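As an added example (not taken from the Query documentation or shipped with the app), here is a least-privilege authorize.conf for Splunk Enterprise that separates the role used to run the app's Setup page from the role given to everyday search users. The role names role_query_setup and role_query_user are assumptions chosen for illustration. On Splunk Cloud Platform, where authorize.conf cannot be edited directly, create the same two roles with the same capabilities under Settings > Roles.

```ini
# Added example: least-privilege roles for the Query Federated Search app.
# Role names (role_query_setup, role_query_user) are assumed, not the app's own.
# Location on Splunk Enterprise: $SPLUNK_HOME/etc/system/local/authorize.conf
# (or an app's local/ directory on the deployer if you push it to a search head cluster).

# Role for the person who runs the app's Setup page. Setup writes the API key
# into the secret store (edit_storage_passwords) and reads it back
# (list_storage_passwords), so both capabilities are required here.
[role_query_setup]
importRoles = user
list_storage_passwords = enabled
edit_storage_passwords = enabled

# Role for analysts who only run federated searches. Read access to the secret
# store is enough for their searches to fetch the stored API key. Do NOT grant
# edit_storage_passwords here: it would let them overwrite or add credentials.
[role_query_user]
importRoles = user
list_storage_passwords = enabled
```

After a restart (or a debug/refresh), log in as a member of role_query_user and run | rest /services/storage/passwords to confirm the Query key is readable and that no other credential in the store is one those users should not see; because list_storage_passwords exposes every entry, any other app secrets stored on the same search head become visible to that role.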
Generate a new API Key
To support Splunk's communication as a client to the Query platform, a Query administrator must create a new API key for Splunk. This API key will be entered during configuration of the Query Federated Search Splunk app.
- If you are not already a registered Query administrative user, register first from the Query login page (https://go.query.ai).
- Log in to Query as an administrative user and generate a new API key as follows:
  - Click the Settings icon at the bottom of the left navigation bar and go to Settings.
  - Click the Organization section and then select the desired team.
  - Click Integrations and then click the 'Create' button to generate the API key. Save it in a secure place for use in the following steps.
Upgrading Query Splunk App from a previous version?
Skip ahead to the Install and Configure the Query Splunk app section and make sure to check the "Upgrade app" checkbox during the installation step.
Install and Configure the Query Splunk app
- Download and install the Query app in Splunk:
  - From Splunkbase: Go to the console of your Splunk search head and click "Apps" -> "Find More Apps" to load the Splunkbase app store. Search for "Query Federated Search" to locate the Query app, then click the "Install" button.
  - Alternatively, download the app from Query and install it: While logged into the Query platform console, click "Query Apps" in the left navigation bar and download the app from there. Next, log in to your Splunk console and go to "Apps" -> "Manage Apps" (or click the Setup gear icon). Then click the "Install App from File" button (visible to Splunk administrators only).
- If this was an upgrade from a previous version, go to this URL: https://<my-splunk-host>:<port>/<locale_string>/_bump (locale_string would be en-US or equivalent, as you see in your Splunk URL). You will see a Bump button; click it. This invalidates older versions' cached content. Go back to the Splunk console's home page and refresh so that your browser does not serve an old cache.
- Configure Query: In Splunk's "Apps" -> "Manage Apps" section, scroll down to the Query app and click "Setup."
- Enter and submit the API key. If your environment uses a proxy for HTTPS connections, enter your HTTPS proxy URL. (NOTE: If no proxy is specified here, the app will use the https_proxy setting from splunk-launch.conf.) You are now done with setup.
Running in Clustered Search Head Environments?
Splunk Cloud (Victoria / Classic) Cluster
Go to each node in the search head cluster and repeat the “Install and Configure” steps above.
Splunk Enterprise Cluster
You can go to each node in the search head cluster and repeat the “Install and Configure” steps above.
Alternatively, you can use Splunk Enterprise's deployer to propagate the configuration to all of your search heads. To do that, first place all configuration files in the $SPLUNK_HOME/etc/shcluster/apps directory on the deployer, and then use the splunk apply shcluster-bundle command to distribute your apps to all search heads.
Help & Support
Please reach out to Query Support at [email protected] or use the Chat function from the Query product interface if you need any assistance. Please provide this log file from your Splunk server: $SPLUNK_HOME/var/log/splunk/queryai_splunk_app.log
To learn more about the rest of the Query platform, please refer to our product documentation.