Splunk App Setup and Administration

Installing and Configuring the Query Federated Search Splunk App


TL;DR Setting Up the Query Splunk App

The Query Federated Search Splunk app can be installed directly from its Splunkbase listing, or separately downloaded from the Query platform and then installed.

First, a Query Administrator should create a new API access key in the Query Platform.

Next, a Splunk Administrator should install the Query Federated Search Splunk app in Splunk (using the uniquely-generated API key).

Thereafter, all Splunk users can search all Query-connected data repositories directly from Splunk!


Introduction

The Query app works in all Splunk environment types: Splunk Enterprise, Splunk Cloud Classic, and Splunk Cloud Victoria. Setting up the Query Splunk app is quick and easy.

After a review of prerequisites, this page describes the two steps needed to set up the Query Federated Search Splunk app:

  1. A Query Administrator will generate a new API key for the new Splunk app instance.
  2. A Splunk Administrator will install the Query Splunk app in Splunk using the API key generated in Step 1 above.

Note: Our documentation assumes that you have the newest version of the Query Splunk app. While we try to maintain backward compatibility with older versions of the app, we strongly advise updating to the newest version as soon as possible. Please reach out to Query Support if you need assistance with upgrading, or need access to older documentation.

Required Privileges

  1. Query Access to generate an API Key: To install and configure the app, you must have administrative access (or coordinate with a team member who has administrative access) to generate an API key in the Query platform. Note: Confirm that the Query administrator has added and configured some data sources in the Connections section of Query at https://go.query.ai.
  2. Splunk Access to set up the App: The Query Federated Search Splunk app relies on Splunk's secret storage mechanism to securely store the Query API key used to authenticate to the Query platform. Therefore, to install and configure the Query Splunk app in Splunk you must be either a Splunk administrator or a user associated with Splunk roles that have these two capabilities to securely store the API key:
    • list_storage_passwords and
    • edit_storage_passwords.
  3. Splunk User access to use the App: A user who wants to run federated searches from Splunk must, at a minimum, be associated with a role that has the list_storage_passwords capability so that searches can read the stored API key and authenticate to the Query platform.
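A Splunk authorize.conf fragment that expresses the two privilege levels above, added here as an illustration (it is not part of the Query app, and the role names are placeholders): searchers get only the list capability, while the person who runs the app's Setup page also gets the edit capability.

```ini
# authorize.conf (added example; role names query_search_user and
# query_app_admin are placeholders, not roles shipped by the Query app)

# Users who only run federated searches: read access to the stored API key.
[role_query_search_user]
importRoles = user
list_storage_passwords = enabled

# Whoever runs the Query app's Setup page must also be able to write
# the API key into Splunk's secret storage. Importing query_search_user
# inherits list_storage_passwords, so only the extra capability is listed.
[role_query_app_admin]
importRoles = query_search_user
edit_storage_passwords = enabled
```

Assign users to query_search_user by default and reserve query_app_admin for the few people who need to rotate the key.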

Generate a new API Key

To support Splunk's communication as a client to the Query platform, a Query administrator must create a new API key for Splunk. This API key will be entered during configuration of the Query Federated Search Splunk app.

  1. If you are not already a registered Query administrative user, register first from the Query login page (https://go.query.ai).

  2. Log in to Query as an administrative user. Generate a new API key as described below:

    1. Click on the Settings icon at the bottom of the left navigation bar and go to Settings.
    2. Click on the Organization section and click further to select the desired team.
    3. Click on Integrations and then click the 'Create' button to generate the API Key. Save it in a secure place for use in the following steps.

Upgrading Query Splunk App from a previous version

Skip ahead to the Install and Configure the Query Splunk app section and make sure to check the "Upgrade app" checkbox during the installation step.

Install and Configure the Query Splunk app

  1. Download and Install the Query app in Splunk:

    1. From Splunkbase - Go to the console of your Splunk search head and click on "Apps" -> "Find More Apps" to load the Splunkbase app store. Search for "Query Federated Search" to locate the Query App. Then just click on the "Install" button.
    2. Alternatively, download the app from Query and install it: While logged into the Query platform Console, click on "Query Apps" in the left navigation bar and download the app from there. Next, log in to your Splunk console and go to "Apps" -> "Manage Apps" (or click on the Setup wheel). Then click the "Install App from File" button (visible to Splunk administrators only).
  2. If this was an upgrade from a previous version, go to this URL https://<splunk-host>:<port>/<locale_string>/_bump and click on Bump version. <locale_string> would be en-US or equivalent, as you see in your Splunk URL.

  3. Configure Query: In Splunk’s "Apps" -> "Manage Apps" section, scroll down to the Query app and click "Setup."

  4. Enter and submit the API Key. If your environment uses a proxy for HTTPS connections, enter your HTTPS proxy URL. (NOTE: If no proxy is specified here, the app will pick up https_proxy from splunk-launch.conf.) You are now done with setup.

Running in Clustered Search Head Environments

Splunk Cloud (Victoria / Classic) Cluster

Go to each node in the search head cluster and repeat the “Install and Configure” steps above.

Splunk Enterprise Cluster

You can go to each node in the search head cluster and repeat the “Install and Configure” steps above.

Alternatively, you can use Splunk Enterprise's deployer to propagate the app to all of your search heads. To do that, first place the app's configuration files in the $SPLUNK_HOME/etc/shcluster/apps directory on the deployer, and then run the splunk apply shcluster-bundle command to distribute the bundle to all search heads.
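The deployer procedure above as a small POSIX shell helper, added here as an example (not Query's or Splunk's own tooling). It assumes SPLUNK_HOME points at the deployer's install and that the unpacked app directory name is whatever Splunkbase or the Query download gave you; as its own precaution it refuses to stage a bundle that carries a passwords.conf, since the API key belongs in Splunk's secret storage via the Setup page, not in a file pushed around the cluster.

```bash
#!/bin/sh
# Stage the Query app on the SHC deployer and build the push command.
# Added example; assumes SPLUNK_HOME is the deployer's Splunk install.

# Deployer staging directory, resolved at call time so SPLUNK_HOME
# can be set by the caller.
staging_dir() {
    echo "${SPLUNK_HOME:-/opt/splunk}/etc/shcluster/apps"
}

# stage_app <unpacked_app_dir>
# Copies the app into the deployer staging directory and prints the
# destination path.
# Returns 1 if the directory is not a Splunk app (no default/app.conf).
# Returns 2 if any passwords.conf is inside the bundle: that would ship a
# secret in cleartext-adjacent config instead of through Setup.
stage_app() {
    src="$1"
    name=$(basename "$src")
    dest="$(staging_dir)/$name"
    if [ ! -f "$src/default/app.conf" ]; then
        echo "not a Splunk app (missing default/app.conf): $src" >&2
        return 1
    fi
    if find "$src" -name passwords.conf | grep -q .; then
        echo "refusing to stage $name: passwords.conf found in bundle" >&2
        return 2
    fi
    mkdir -p "$(staging_dir)"
    rm -rf "$dest"
    cp -R "$src" "$dest"
    echo "$dest"
}

# push_cmd <captain_management_uri>
# Prints the distribution command. -auth is intentionally omitted so the
# CLI prompts for credentials instead of them living in a script.
push_cmd() {
    echo "${SPLUNK_HOME:-/opt/splunk}/bin/splunk apply shcluster-bundle -target $1"
}
```

Run stage_app once per app, review the staged tree, then execute the command printed by push_cmd from the deployer.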

Help & Support

Please reach out to Query Support at [email protected] or use the Chat function from the Query product interface if you need any assistance. Please provide this log file from your Splunk server: $SPLUNK_HOME/var/log/splunk/queryai_splunk_app.log


What’s Next

To learn more about the rest of the Query platform, please refer to our product documentation.