SailPoint is our new Identity Governance application. I need to access SailPoint data from within Splunk. I'm not a Splunk admin at my company...but, I need to run searches that require data from SailPoint.
Is there a Splunk connector into SailPoint? Or would the SailPoint admins just need to provide data flat files for the Splunk team to configure them as data inputs into Splunk?
Splunk does not need a connector for SailPoint. Flat log files are easy to ingest in Splunk.
It is easiest if the log files
- are one-line-per-event OR have a clearly defined start/end for multi-line events
- have a timestamp for each event (even better if the timestamp includes the timezone)
You can also train Splunk to identify the fields within the log files, but that is not necessary to get started - you can do "field extraction" at any time. So there is no need for a connector or a schema in Splunk.
If you have the ability to configure how SailPoint writes the log files, take a look at this web page for even more advice about what makes a "good" log file:
Here is a great quote from a related page in the docs: "Splunk doesn't care about the format or schema of your data—queries and searches can be ad-hoc, and your data can come from any textual source."
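As an added illustration of the advice above (not part of the original answer, and not SailPoint's or Splunk's own configuration), here is a minimal inputs.conf/props.conf pair for a constructed one-line-per-event log whose timestamp carries a UTC offset; the file path, sourcetype name, index and line layout are all assumptions.

```ini
# Constructed sample line this config is written for (not a real SailPoint format):
# 2024-03-05T14:22:07-0500 action=ProvisioningComplete identity=jdoe application=ActiveDirectory result=Success

# inputs.conf -- assumed path, sourcetype and index
[monitor:///var/log/sailpoint/audit.log]
sourcetype = sailpoint:audit
index = identity

# props.conf -- same (assumed) sourcetype name
[sailpoint:audit]
# One event per line, so never merge adjacent lines
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Timestamp sits at the start of the line; %z reads the -0500 offset,
# so events are stored in UTC without a separate TZ setting
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
MAX_TIMESTAMP_LOOKAHEAD = 24
# The key=value pairs after the timestamp become search-time fields
# automatically; no schema has to be declared up front
KV_MODE = auto

# If the log were multi-line instead, the usual pattern is to merge lines
# and break only where a new timestamp begins, e.g.:
#   SHOULD_LINEMERGE = true
#   BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
```

Any further fields that KV_MODE does not pick up can be added later with an EXTRACT-&lt;name&gt; regex in the same stanza, which is the "field extraction at any time" the answer refers to.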
You can also leverage Splunk DB Connect - which is likely the preferred method to access this sort of data from SailPoint. SailPoint has a solution called "STI" or Simple Table Integration; ask your SailPoint SE for access to this SDK, and it should allow you to set up an intermediate database and service that talks to SailPoint IdentityIQ for you. From there Splunk DB Connect can talk to this intermediate database so you can report on SailPoint information.