Splunk App Setup and Administration
Installing and Configuring the Query Federated Search Splunk App
TL;DR Setting Up the Query Splunk App
The Query Federated Search Splunk app can be installed directly from its Splunkbase listing, or separately downloaded from the Query platform and then installed.
First, a Query Administrator should create a new Client ID and Client Secret in the Query Platform.
Next, a Splunk Administrator should install the Query Federated Search Splunk app in Splunk (using the uniquely-generated Client ID and Secret).
Thereafter, all Splunk users can search all Query-connected data repositories directly from Splunk!
Introduction
Setting up the Query Splunk app is quick and easy.
After a review of prerequisites, this page describes the two steps for setting up the Query Federated Search Splunk app:
- A Query Administrator will generate a new Client ID and Client Secret for the new Splunk app instance.
- A Splunk Administrator will install the Query Splunk app in Splunk using the Client ID and Client Secret generated in Step 1 above.
Note: Our documentation assumes that you have the newest version of the Query Splunk app. While we try to maintain backward compatibility with older versions of the app, we strongly advise updating to the newest version as soon as possible. Please reach out to Query Support if you need assistance with upgrading, or need access to older documentation.
Prerequisites
- You must have administrative access or coordinate with a team member who has administrative access to the Query Federated Search platform. Note: Confirm that the Query administrator has added and configured some data sources in the Connections section of Query at https://go.query.ai.
- The Query Federated Search Splunk app relies on Splunk's secret storage mechanism for securely storing the client secret used to authenticate to the Query platform. Therefore, to install and configure the Query Splunk app in Splunk you must be either a Splunk administrator or a user associated with Splunk roles that have these two capabilities:
  - list_storage_passwords
  - edit_storage_passwords
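Before delegating the setup to a non-administrator, it is worth confirming that the role you intend to use really carries both capabilities, rather than inheriting only one of them. The shell script below is an added example (not part of the Query app or of Splunk's own tooling): it parses authorize.conf-style role stanzas, which is the same layout that "splunk btool authorize list" prints on a search head, and reports whether a role has both storage-password capabilities enabled. The role names and the sample file it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Query app or Splunk: check whether a Splunk role
# carries the two capabilities the Query app needs for Splunk secret storage.
# Input is authorize.conf syntax; "splunk btool authorize list role_<name>"
# prints the same layout (assumption: run it on the search head being configured).

# capabilities_of CONF ROLE
# Prints the capability names set to "enabled" in the [role_ROLE] stanza of CONF.
capabilities_of() {
  awk -v stanza="[role_$2]" '
    $0 == stanza { in_role = 1; next }   # entered the role we care about
    /^\[/        { in_role = 0 }         # any other stanza header ends it
    in_role && /^[[:space:]]*[A-Za-z_]+[[:space:]]*=[[:space:]]*enabled[[:space:]]*$/ {
      sub(/[[:space:]]*=.*/, ""); sub(/^[[:space:]]*/, ""); print
    }' "$1"
}

# role_can_manage_query_secret CONF ROLE
# Returns 0 only if the role has both list_storage_passwords and edit_storage_passwords.
role_can_manage_query_secret() {
  caps=$(capabilities_of "$1" "$2")
  for needed in list_storage_passwords edit_storage_passwords; do
    echo "$caps" | grep -qx "$needed" || { echo "role $2 lacks $needed" >&2; return 1; }
  done
  return 0
}

# write_sample_conf FILE
# Constructed sample authorize.conf (not a real deployment file): one role that
# qualifies, one that only inherits the read side.
write_sample_conf() {
  cat > "$1" <<'EOF'
[role_query_app_admin]
importRoles = user
list_storage_passwords = enabled
edit_storage_passwords = enabled

[role_query_app_reader]
importRoles = user
list_storage_passwords = enabled
edit_storage_passwords = disabled
EOF
}
```

Usage on a real search head would be along the lines of saving the btool output to a file and calling role_can_manage_query_secret on it with the role name; a role that only inherits list_storage_passwords (as query_app_reader does above) is reported as insufficient, since the Setup page has to write the secret, not just read it.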
The Query app works in all Splunk environment types (Splunk Enterprise, Splunk Cloud Classic, and Splunk Cloud Victoria).
Generate a new Client ID
To support Splunk's communication as a client to the Query platform, a Query administrator must create a new Client ID and Client Secret for Splunk. This Client ID and Secret will be entered during configuration of the Query Federated Search Splunk app.
- If you are not already a registered Query administrative user, register first from the Query login page (https://go.query.ai).
- Log in to Query as an administrative user and generate a Client ID and Client Secret as follows:
  - Click on the user icon at the bottom of the left navigation bar and go to Settings.
  - Select your Organization and the desired team.
  - Click on Integrations and then New Client to generate the Client ID and Secret. Save these in a secure place for use in the following steps.
Install and Configure the Query Splunk app
- Download and install the Query app in Splunk:
  - From Splunkbase: Go to the console of your Splunk search head and click on "Apps" -> "Find More Apps" to load the Splunkbase app store. Search for "Query Federated Search" to locate the Query app, then click the "Install" button.
  - Alternatively, download the app from Query and install it: While logged in to the Query platform console, click on "Query Apps" in the left navigation bar and download the app from there. Next, log in to your Splunk console and go to "Apps" -> "Manage Apps" (or click on the Setup wheel). Then click the "Install App from File" button (visible to Splunk administrators only).
  Upgrading? If you are upgrading from a previous version, make sure to also check the "Upgrade app" checkbox on that screen.
- Configure Query: In Splunk's "Apps" -> "Manage Apps" section, scroll down to the Query app and click "Setup."
- Apply the Client ID: On the app Setup page, enter the Client ID and Client Secret that you generated and saved earlier. Setup is now complete.
Running in Clustered Search Head Environments
Splunk Cloud (Victoria / Classic) Cluster
Go to each node in the search head cluster and repeat the “Install and Configure” steps above.
Splunk Enterprise Cluster
You can go to each node in the search head cluster and repeat the “Install and Configure” steps above.
Alternatively, you can use Splunk Enterprise's deployer to propagate the configuration to all of your search heads. To do that, first place all configuration files in the $SPLUNK_HOME/etc/shcluster/apps directory on the deployer, and then use the splunk apply shcluster-bundle command to distribute your apps to all search heads.
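The deployer copies whatever sits under $SPLUNK_HOME/etc/shcluster/apps to every cluster member, so it pays to check the staged directory before pushing it. The script below is an added example (not Query's or Splunk's own tooling) that stages an app directory for the deployer, refuses to stage it if any .conf file under it carries a password value that Splunk has not encrypted (values Splunk has encrypted into passwords.conf begin with "$7$", or "$1$" on older installs), and wraps the page's apply command. It assumes SPLUNK_HOME is the deployer's install directory; the app directory name query_federated_search and the sample app it builds are placeholders, not the app's confirmed layout.

```shell
#!/bin/sh
# Added example, not part of the Query app or Splunk: stage an app into the
# deployer's bundle directory and sanity-check it before running
# "splunk apply shcluster-bundle". Assumptions: the second argument is the
# deployer's SPLUNK_HOME; the app directory name used in make_sample_app is a placeholder.

# is_splunk_app DIR -> 0 if DIR has the minimum Splunk app layout (default/app.conf).
is_splunk_app() {
  [ -d "$1" ] && [ -f "$1/default/app.conf" ]
}

# has_cleartext_secret DIR -> 0 if any .conf file under DIR holds a password
# value that Splunk has not encrypted. Encrypted values start with "$7$"
# ("$1$" on older installs); anything else would be pushed to every search
# head in the clear.
has_cleartext_secret() {
  find "$1" -name '*.conf' -exec grep -Eq \
    '^[[:space:]]*password[[:space:]]*=[[:space:]]*[^$[:space:]]' {} \; -print | grep -q .
}

# stage_app SRC_DIR SPLUNK_HOME -> copies SRC_DIR into $SPLUNK_HOME/etc/shcluster/apps.
# Returns 1 if SRC_DIR is not an app, 2 if it contains an unencrypted password value.
stage_app() {
  is_splunk_app "$1" || { echo "not a Splunk app directory: $1" >&2; return 1; }
  if has_cleartext_secret "$1"; then
    echo "refusing to stage $1: unencrypted password value found" >&2
    return 2
  fi
  mkdir -p "$2/etc/shcluster/apps" && cp -R "$1" "$2/etc/shcluster/apps/"
}

# push_bundle SPLUNK_HOME MEMBER_URI -> distributes the staged apps (the page's step).
# MEMBER_URI is a search head cluster member's management URI, e.g. https://sh1.example:8089
# (constructed). Not exercised by the checks below: it needs a live deployer and
# prompts for credentials.
push_bundle() {
  "$1/bin/splunk" apply shcluster-bundle -target "$2"
}

# make_sample_app DIR -> constructed minimal app used to exercise the checks offline.
make_sample_app() {
  mkdir -p "$1/default" "$1/local"
  printf '[ui]\nis_visible = true\nlabel = Sample App\n' > "$1/default/app.conf"
}
```

The cleartext check is deliberately conservative: it flags any "password = value" line whose value does not start with "$", so a secret pasted into local/passwords.conf by hand is caught, while a passwords.conf that the Setup page wrote (and Splunk encrypted) passes.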
Help & Support
Please reach out to Query Support at [email protected] or use the Chat function from the Query product interface if you need any assistance. Please provide this log file from your Splunk server: $SPLUNK_HOME/var/log/splunk/queryai_splunk_app.log
To learn more about the rest of the Query platform, please refer to our product documentation.