https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261507#M50206 <P>SailPoint is our new Identity Governance application. I need to access SailPoint data from within Splunk. I'm not a Splunk admin at my company...but, I need to run searches that require data from SailPoint.</P> <P>Is there a Splunk connector into SailPoint? or would the SailPoint admins just need to provide data flat files for the Splunk team to configure them as data inputs into Splunk?</P> <P>TIA!<BR /> Trista</P> Thu, 24 Mar 2016 18:52:24 GMT tmaltizo 2016-03-24T18:52:24Z https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261507#M50206 <P>SailPoint is our new Identity Governance application. I need to access SailPoint data from within Splunk. I'm not a Splunk admin at my company...but, I need to run searches that require data from SailPoint.</P> <P>Is there a Splunk connector into SailPoint? or would the SailPoint admins just need to provide data flat files for the Splunk team to configure them as data inputs into Splunk?</P> <P>TIA!<BR /> Trista</P> Thu, 24 Mar 2016 18:52:24 GMT https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261507#M50206 tmaltizo 2016-03-24T18:52:24Z https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261508#M50207 <P>Splunk does not need a connector for SailPoint. Flat log files are easy to ingest in Splunk. </P> <P>It is easiest if the log files<BR /> - are one-line-per-event OR have a clearly defined start/end for multi-line events<BR /> - have a timestamp for each event (even better if the timestamp includes the timezone)</P> <P>You can also train Splunk to identify the fields within the log files, but that is <EM>not</EM> necessary to get started - you can do "field extraction" at any time. So there is no need for a connector or a schema in Splunk.</P> <P>If you have the ability to configure how SailPoint writes the log files, take a look at this web page for even more advice about what makes a "good" log file:</P> <P><A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6">Logging Best Practices</A></P> <P>Here is a great quote from a related page in the docs: "Splunk doesn't care about the format or schema of your data—queries and searches can be ad-hoc, and your data can come from any textual source. "</P> Mon, 28 Mar 2016 23:02:42 GMT https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261508#M50207 lguinn2 2016-03-28T23:02:42Z https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261509#M50208 <P>You can also leverage Splunk DB Connect - which is likely the preferred method to access this sort of data from SailPoint. SailPoint has a solution called "STI" or Simple Table Integration, ask your SailPoint SE for access to this SDK and it should allow you to set up an intermediate database and service that talks to SailPoint IdentityIQ for you. From there Splunk DB Connect can talk to this intermediate database so you can report on SailPoint information.</P> <P><A href="https://splunkbase.splunk.com/app/2686/">https://splunkbase.splunk.com/app/2686/</A></P> Mon, 28 Mar 2016 23:33:29 GMT https://community.splunk.com/t5/Getting-Data-In/Need-SailPoint-data-in-Splunk/m-p/261509#M50208 kchamplin_splun 2016-03-28T23:33:29Z