Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Need SailPoint data in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SailPoint is our new Identity Governance application. I need to access SailPoint data from within Splunk. I'm not a Splunk admin at my company...but, I need to run searches that require data from SailPoint.
Is there a Splunk connector into SailPoint? or would the SailPoint admins just need to provide data flat files for the Splunk team to configure them as data inputs into Splunk?
TIA!
Trista
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk does not need a connector for SailPoint. Flat log files are easy to ingest in Splunk.
It is easiest if the log files
- are one-line-per-event OR have a clearly defined start/end for multi-line events
- have a timestamp for each event (even better if the timestamp includes the timezone)
You can also train Splunk to identify the fields within the log files, but that is not necessary to get started - you can do "field extraction" at any time. So there is no need for a connector or a schema in Splunk.
If you have the ability to configure how SailPoint writes the log files, take a look at this web page for even more advice about what makes a "good" log file:
Here is a great quote from a related page in the docs: "Splunk doesn't care about the format or schema of your data—queries and searches can be ad-hoc, and your data can come from any textual source. "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can also leverage Splunk DB Connect - which is likely the preferred method to access this sort of data from SailPoint. SailPoint has a solution called "STI" or Simple Table Integration, ask your SailPoint SE for access to this SDK and it should allow you to set up an intermediate database and service that talks to SailPoint IdentityIQ for you. From there Splunk DB Connect can talk to this intermediate database so you can report on SailPoint information.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk does not need a connector for SailPoint. Flat log files are easy to ingest in Splunk.
It is easiest if the log files
- are one-line-per-event OR have a clearly defined start/end for multi-line events
- have a timestamp for each event (even better if the timestamp includes the timezone)
You can also train Splunk to identify the fields within the log files, but that is not necessary to get started - you can do "field extraction" at any time. So there is no need for a connector or a schema in Splunk.
If you have the ability to configure how SailPoint writes the log files, take a look at this web page for even more advice about what makes a "good" log file:
Here is a great quote from a related page in the docs: "Splunk doesn't care about the format or schema of your data—queries and searches can be ad-hoc, and your data can come from any textual source. "
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
