Splunk App Setup and Administration

Query's Splunk App is simple to install and provides a plug-and-play integration with your security-relevant data sources.

Prerequisites

To learn more about Query, please refer to Welcome to Query!

Before getting started, make sure you or your administrator has connected Query to the data sources you'd like to have access to when using the Query Federated Search app.

Installation and Setup

  1. Register and login at https://go.query.ai.
  2. Generate a Client ID and Client Secret from https://go.query.ai by following these steps:
    1. Click on the user icon at the bottom of the left navigation bar and go to Settings
    2. Click on the Organization and select your desired team.
    3. Click on Integrations and then New Client to generate the Client ID and Secret. Save these into a secure place for use in the steps below.
  3. See the "Have a search head cluster?" section below for steps specific to clustered environments. Otherwise, go to the console of your Splunk search head and click on Apps -> 'Find More Apps' to load the Splunkbase app store. Search for 'Query Federated Search' to locate the Query App and click on the install button (only available if you are an admin). Alternatively, if you are in the Query Console, you can click on the Query Apps link in the left navigation bar and download the app from there.
  4. If you manually downloaded the app in the above step, log in to your Splunk console and go to Apps -> Manage Apps (or click on the Setup wheel). Then click the Install app from file button. Note that you will only see this option if you are an administrator in Splunk.
     Upgrading? If you are upgrading from a previous version, make sure to also check the Upgrade app checkbox in the above screen.

  5. In the Apps -> Manage Apps section, scroll down to the Query app and click setup.
  6. In the app setup page, enter the Client ID and Client Secret you saved earlier. You are done with setup now.

Are you on a previous version of the app?

While we make our best effort to maintain backward compatibility with older versions of the app, we strongly advise updating to the newest version as soon as you can. Follow the installation and setup steps above, including the parts marked as relevant for upgrade scenarios.

Note that our app documentation assumes you are on the newest version of the app. Please reach out to Query Support if you need access to older documentation or need assistance with upgrading.

Have a search head cluster?

Splunk Cloud (Victoria / Classic) Cluster

Go to each node in the search head cluster and repeat all the steps from step 3 onwards.

Splunk Enterprise Cluster

You can optionally go to each node in the search head cluster and repeat all the steps from step 3 onwards.

Alternatively, you can use Splunk Enterprise's deployer to propagate the app and its configuration to all your search heads. To do that, first place the app and any configuration in the $SPLUNK_HOME/etc/shcluster/apps directory on the deployer, then run the splunk apply shcluster-bundle command to distribute the bundle to all search heads.
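The deployer procedure above, as an added example script that is not Query's own code or documentation. It assumes SPLUNK_HOME points at the deployer's Splunk installation, that the app is either an unpacked app directory or the .tgz/.spl archive downloaded from Splunkbase or the Query Console, and that the cluster member URI is a placeholder you replace with one of your own search heads.

```shell
#!/bin/sh
# Added example (not Query's code): stage the app on the deployer and push it to the cluster.
# Assumptions: $1 is SPLUNK_HOME on the deployer; the app is an unpacked directory or a
# .tgz/.spl archive; the member URI used with push_bundle is a placeholder.

# stage_app SPLUNK_HOME APP
#   Places one app under $SPLUNK_HOME/etc/shcluster/apps and prints the staged path.
#   Archives are unpacked first; anything without default/app.conf is rejected so a stray
#   directory cannot be shipped to every search head by mistake.
stage_app() {
  src=$2
  case "$src" in
    *.tgz|*.tar.gz|*.spl)
      work=$(mktemp -d) || return 1
      tar -xzf "$src" -C "$work" || return 1
      # a Splunkbase archive holds exactly one top-level app directory
      src=$(find "$work" -mindepth 1 -maxdepth 1 -type d | head -n 1)
      ;;
  esac
  if [ ! -f "$src/default/app.conf" ]; then
    echo "stage_app: $2 is not a Splunk app (no default/app.conf)" >&2
    return 1
  fi
  dest="$1/etc/shcluster/apps/$(basename "$src")"
  mkdir -p "$1/etc/shcluster/apps" || return 1
  rm -rf "$dest"                    # replace any previously staged copy (upgrade case)
  cp -R "$src" "$dest" || return 1
  echo "$dest"
}

# push_bundle SPLUNK_HOME MEMBER_URI
#   Distributes everything staged under etc/shcluster/apps to the cluster. MEMBER_URI is the
#   management port of any cluster member, e.g. https://sh1.example.internal:8089 (placeholder).
#   No -auth argument is passed on purpose: splunk prompts for credentials, so they stay out
#   of shell history and the process list.
push_bundle() {
  "$1/bin/splunk" apply shcluster-bundle -target "$2"
}

# Typical use on the deployer (paths are placeholders):
#   stage_app /opt/splunk /tmp/query-federated-search.tgz
#   push_bundle /opt/splunk https://sh1.example.internal:8089
```

Two caveats worth knowing before running push_bundle: the command may initiate a rolling restart of the cluster members, so run it in a maintenance window, and the Client Secret should not be written into files inside the staged bundle; enter it through the app setup page as described above so it lands in Splunk's secret storage rather than in a configuration file replicated across the cluster.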

Administration

Access

This app uses Splunk's secret storage to store authentication credentials and tokens securely. Therefore, users of the app must be assigned roles with the capabilities list_storage_passwords and edit_storage_passwords.
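A way to verify that a role actually carries both capabilities before users report that the app cannot read its credentials, as an added example that is not Query's own code. It reads a Splunk authorize.conf on disk and follows importRoles so inherited capabilities count; the authorize.conf contents and role names in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Query's code): verify that a Splunk role carries the two capabilities the
# app needs for secret storage, resolving importRoles so inherited capabilities count.
# Assumes an authorize.conf in the usual stanza format; the sample file below is constructed.

REQUIRED_CAPS="list_storage_passwords edit_storage_passwords"

# stanza_lines FILE ROLE: print the body of the [role_ROLE] stanza
stanza_lines() {
  awk -v stanza="[role_$2]" '
    $0 == stanza { inside = 1; next }
    /^\[/        { inside = 0 }
    inside       { print }
  ' "$1"
}

# role_caps FILE ROLE [DEPTH]: capabilities enabled on ROLE, directly or via importRoles
role_caps() {
  [ "${3:-0}" -lt 10 ] || return 0      # guard against a cyclic importRoles chain
  stanza_lines "$1" "$2" | awk '/^[A-Za-z0-9_]+ *= *enabled *$/ { sub(/ *=.*/, ""); print }'
  for parent in $(stanza_lines "$1" "$2" | awk '/^importRoles *=/ { sub(/^importRoles *= */, ""); gsub(/,/, " "); print }'); do
    role_caps "$1" "$parent" $((${3:-0} + 1))
  done
}

# missing_caps FILE ROLE: print the required capabilities ROLE lacks; succeed only when none are missing
missing_caps() {
  have=" $(role_caps "$1" "$2" | tr '\n' ' ') "
  missing=""
  for cap in $REQUIRED_CAPS; do
    case "$have" in
      *" $cap "*) ;;
      *) missing="$missing $cap" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# write_sample_authorize FILE: constructed authorize.conf used for the demonstration below
write_sample_authorize() {
  cat > "$1" <<'EOF'
[role_query_user]
importRoles = user
list_storage_passwords = enabled
edit_storage_passwords = enabled

[role_query_admin]
importRoles = query_user, power

[role_query_readonly]
importRoles = user
list_storage_passwords = enabled
EOF
}

# Demonstration: query_admin passes through inheritance, query_readonly is missing one capability.
sample=$(mktemp)
write_sample_authorize "$sample"
for role in query_user query_admin query_readonly; do
  if missing_caps "$sample" "$role" >/dev/null; then
    echo "$role: ok"
  else
    echo "$role: missing $(missing_caps "$sample" "$role")"
  fi
done
rm -f "$sample"
```

On a real search head, point the functions at the merged configuration rather than a single file (for example the output of splunk btool authorize list), since capabilities can be set in several apps' local and default directories. Because list_storage_passwords lets a user read stored secrets through the REST API, grant these two capabilities to a dedicated role for the app's users instead of adding them to a broad role.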

Adding and configuring data sources

Adding and configuring data sources is performed via Query's console at https://go.query.ai.

Support Assistance

Please reach out to [email protected] if you need any assistance. Please provide this log file from your Splunk server: $SPLUNK_HOME/var/log/splunk/queryai_splunk_app.log