Splunk App Setup and Administration

Query's Splunk App is simple to install and provides a plug-and-play integration with your security-relevant data sources.

Prerequisites

To learn more about Query, please refer to Welcome to Query!

Before getting started, make sure you or your administrator has connected Query to the data sources you'd like to have access to when using the Query Federated Search app.

Installation

  1. Contact Query Support for access to the Splunk App tarball, a Client ID and a Client Secret. The Client Secret is a credential for your Query tenant: store it in a secrets manager and share it only with the administrator performing the setup. Once you have the tarball, continue to the next step.
  2. In your Splunk console, go to Apps -> Manage Apps (or click the gear icon next to Apps) -> Install app from file. This option is only shown to users with the admin role in Splunk.
  3. Upload the tarball. You will be prompted to restart the Splunk service.
  4. After the restart, head back to Manage Apps, scroll down to the Query.AI app and click Set up.

Setup

  1. The Client ID and Client Secret you received from Query Support authenticate the Splunk App to your Query tenant.
  2. Enter both values on the app's setup page. They are written to Splunk's secret storage (the storage/passwords endpoint), not to a plain-text configuration file, so do not paste them into any other .conf file by hand.

Administration

Access

This app uses Splunk's secret storage (the storage/passwords REST endpoint) to store the authentication credentials and tokens it needs. Users of the app must therefore be assigned roles that carry the capabilities list_storage_passwords and edit_storage_passwords. Note that list_storage_passwords lets a user read every secret in storage/passwords in clear text through the REST API, and edit_storage_passwords lets them overwrite those secrets, so grant both capabilities to the smallest set of roles that actually need the app, rather than to a broad role such as user.
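As an added example (not part of the Query or Splunk documentation), the following script checks which Splunk roles lack the two capabilities named above. It parses the JSON that Splunk's management port returns for GET /services/authorization/roles?output_mode=json, where each role's content lists its direct capabilities and the ones it inherits from imported roles. The sample response embedded below is constructed for illustration; the role names query_analyst and soc_user and the fetch_roles helper are assumptions, not anything the app ships.

```python
"""Report Splunk roles missing the capabilities the Query app needs.

Added example; not code from the Query app or from Splunk. It parses the
JSON shape returned by GET /services/authorization/roles?output_mode=json
on the Splunk management port (8089 by default).
"""
import base64
import json
import ssl
import urllib.request

# Capabilities the app needs for Splunk secret storage (storage/passwords).
REQUIRED = ("list_storage_passwords", "edit_storage_passwords")


def effective_capabilities(entry):
    """Capabilities a role holds directly plus those inherited via imported roles.

    Splunk reports these as content.capabilities and content.imported_capabilities.
    """
    content = entry.get("content", {})
    direct = set(content.get("capabilities", []))
    inherited = set(content.get("imported_capabilities", []))
    return direct | inherited


def missing_capabilities(roles_json, required=REQUIRED):
    """Map role name -> sorted list of required capabilities the role lacks.

    Roles that already hold every required capability are omitted.
    """
    report = {}
    for entry in roles_json.get("entry", []):
        have = effective_capabilities(entry)
        missing = sorted(cap for cap in required if cap not in have)
        if missing:
            report[entry["name"]] = missing
    return report


def fetch_roles(base_url, username, password, verify_tls=True):
    """Fetch the roles document from a live Splunk instance using basic auth.

    Hypothetical helper for use against a real deployment; the sample run
    below works purely on the constructed response and makes no network call.
    """
    url = f"{base_url}/services/authorization/roles?output_mode=json&count=0"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab instance with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample response, trimmed to the fields the check uses.
SAMPLE_ROLES = {
    "entry": [
        {"name": "admin",
         "content": {"capabilities": ["admin_all_objects",
                                      "edit_storage_passwords",
                                      "list_storage_passwords"],
                     "imported_capabilities": []}},
        {"name": "query_analyst",
         "content": {"capabilities": ["list_storage_passwords"],
                     "imported_capabilities": ["search", "rest_properties_get"]}},
        {"name": "soc_user",
         "content": {"capabilities": [],
                     "imported_capabilities": ["search"]}},
    ]
}

if __name__ == "__main__":
    for role, caps in missing_capabilities(SAMPLE_ROLES).items():
        print(f"{role}: missing {', '.join(caps)}")
```

Run against a real instance with fetch_roles("https://splunk.example:8089", user, password) in place of SAMPLE_ROLES; count=0 asks Splunk to return all roles rather than the default page size. A role that appears in the report cannot use the app until the missing capability is added to it, or to one of the roles it imports.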

Adding and configuring data sources

Adding and configuring data sources is performed via Query's console at https://go.query.ai.

Support Assistance

Please reach out to Query Support if you need any assistance.