Splunk App Setup and Administration
Query's Splunk App is simple to install and provides a plug-and-play integration with your security-relevant data sources.
Prerequisites
To learn more about Query, please refer to Welcome to Query!
Before getting started, make sure you or your administrator has connected Query to the data sources you'd like to have access to when using the Query Federated Search app.
Installation and Setup
- Register and log in at https://go.query.ai.
- Click on the Application link in the left navigation bar, and you will see the option to download the Splunk App. Download from there.
- Generate a Client ID and Client Secret from https://go.query.ai by following these steps:
  - Click on the user icon at the bottom of the left navigation bar and go to Settings.
  - Click on the Organization and select your desired team.
  - Click on Integrations and then New Client to generate the Client ID and Secret.
- Log in to your Splunk console and go to Apps -> Manage Apps (or click on the Setup wheel). Then click the Install app from file button. Note that you will only see this option if you are an administrator in Splunk.
- Upload the application you downloaded above. You will be prompted to restart the Splunk service.
- After restart, head back to Manage Apps, scroll down to the Query app and click setup.
- Enter the above Client ID and Client Secret in the Splunk App's setup page.
Administration
Access
This app utilizes Splunk's secret storage for securely storing authentication credentials and tokens. Therefore, users must be assigned roles with the capabilities list_storage_passwords and edit_storage_passwords.
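A practical way to keep this requirement least-privilege is to grant the two capabilities to one dedicated role and let analyst roles import it, then audit authorize.conf to confirm which roles actually end up with both. The script below is an added example, not part of Query's Splunk App; it assumes the standard authorize.conf layout ([role_<name>] stanzas, importRoles = a;b for inheritance, <capability> = enabled lines, and the additive model in which imported roles only ever add capabilities). The sample configuration embedded in it is constructed for illustration.

```python
"""Audit Splunk authorize.conf role stanzas for the two capabilities the
Query Splunk App requires. Added example for this page, not Query's code.

Assumptions: [role_<name>] stanzas, importRoles = a;b (names without the
role_ prefix), <capability> = enabled/disabled, and capabilities that are
purely additive across imports (an import can add, never revoke)."""

import configparser
import sys
from typing import Dict, List, Optional, Set

REQUIRED_CAPABILITIES = {"list_storage_passwords", "edit_storage_passwords"}

# Constructed sample authorize.conf: a dedicated role carrying just the two
# capabilities, an analyst role importing it, a reviewer role that only
# lists secrets, and a base role with neither capability.
SAMPLE_AUTHORIZE_CONF = """
[role_query_app_user]
importRoles = user
list_storage_passwords = enabled
edit_storage_passwords = enabled

[role_soc_analyst]
importRoles = query_app_user
search = enabled

[role_read_only_reviewer]
importRoles = user
list_storage_passwords = enabled
edit_storage_passwords = disabled

[role_user]
search = enabled
"""


def load_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep importRoles in its original case
    parser.read_string(conf_text)
    roles: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(parser.items(section))
    return roles


def effective_capabilities(role: str, roles: Dict[str, Dict[str, str]],
                           seen: Optional[Set[str]] = None) -> Set[str]:
    """Capabilities a role holds directly or through importRoles.

    Unknown roles and import cycles contribute nothing, so a malformed
    config cannot send the audit into infinite recursion."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    settings = roles[role]
    caps = {key for key, value in settings.items()
            if key != "importRoles" and value.strip().lower() == "enabled"}
    for parent in settings.get("importRoles", "").split(";"):
        parent = parent.strip()
        if parent:
            caps |= effective_capabilities(parent, roles, seen)
    return caps


def audit_roles(conf_text: str) -> Dict[str, List[str]]:
    """Map each role to the sorted list of required capabilities it lacks.

    An empty list means the role can use the app's secret storage."""
    roles = load_roles(conf_text)
    return {name: sorted(REQUIRED_CAPABILITIES - effective_capabilities(name, roles))
            for name in roles}


if __name__ == "__main__":
    # Pass a real authorize.conf path as the first argument, or run
    # without arguments to audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_AUTHORIZE_CONF
    for role_name, missing in audit_roles(text).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{role_name}: {status}")
```

Run it against the merged view of the roles (for example the output of Splunk's own btool for authorize.conf) rather than a single file, since roles defined across several apps are combined at runtime; the audit logic is the same either way.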
Adding and configuring data sources
Adding and configuring data sources is performed via Query's console at https://go.query.ai.
Support Assistance
Please reach out to Query Support if you need any assistance. Please provide this log file from your Splunk server: $SPLUNK_HOME/var/log/splunk/queryai_splunk_app.log