Security

Splunk integration - Do I need to create an add-on?

GuyCo
Observer

Hi to all. I'm working at a startup company providing security solutions.

I started research on how to integrate with Splunk, Splunk ES.

For now, we chose to use the HEC method for delivering the data into Splunk Cloud.

I wanted to ask some questions.

  1. Do I need to create an add-on?
  2. To integrate with Splunk ES, what are the actions I need to do?

I understand this is the flow of actions:

  • load data using the HEC,
  • parse data, normalizing them,
  • eventually, load data in Data Models,
  • if you don't load data in Data Models, create your Correlation Searches using indexes.

I'll be happy if someone is able to elaborate more about each topic and tell me if something is missing.


gcusello
SplunkTrust

Hi @GuyCo,

I supposed, in my previous answer, that the use of HEC is mandatory, but I suggest checking whether you can use Universal Forwarders, which are more efficient and secure.

Anyway, you have to use Add-Ons to parse data.

Usually Add-Ons are installed from Splunkbase, so you won't have any compliance problem; if instead you use custom Add-Ons, they will be checked by Splunk.

About integration with ES, the steps are the ones I described in my previous answer:

  • parse data, normalizing them (using the Add-On),
  • eventually, load data in Data Models,
  • if you don't load data in Data Models, create your Correlation Searches using indexes.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @GuyCo,

No, parsing is done by the Add-Ons; in fact, ES installation best practices suggest completing data ingestion, using Add-Ons, before installing ES.

ES is the SIEM, but the Data ingestion and normalization is done by the Add-Ons.

The only normalization that is done by ES is data loading in Data Models, which is done using the normalization done in Add-Ons.

In other words, if you don't make a correct parsing and normalization, ES cannot read your data and cannot load them in Data Models and cannot use them in Correlation searches.

Ciao.

Giuseppe

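To make the flow discussed in this thread concrete (HEC delivery, then an Add-On that parses and normalizes the events so ES can load them into a Data Model), here is an added example that is not code from the thread or from Splunk: a minimal add-on skeleton (props.conf, eventtypes.conf, tags.conf) that maps a constructed vendor authentication event onto the CIM Authentication data model, plus the matching HEC call. The sourcetype `vendor:product:auth`, the vendor field names, the index name and the `HEC_URL`/`HEC_TOKEN` variables are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. All vendor names,
# field names and the sourcetype below are assumed placeholders.

ST="vendor:product:auth"   # assumed custom sourcetype the add-on owns

# Write the normalization part of a minimal add-on under $1/default.
# This is what "parse data normalizing them (using the Add-On)" means
# in practice: search-time extraction plus CIM field names and tags.
write_addon_conf() {
  d="$1/default"; mkdir -p "$d"
  cat > "$d/props.conf" <<EOF
[$ST]
# HEC /services/collector/event indexes the "event" object as raw JSON;
# extract its keys at search time (no index-time parsing needed).
KV_MODE = json
# Map vendor field names onto CIM Authentication field names.
FIELDALIAS-cim_user = username AS user
FIELDALIAS-cim_src  = src_ip AS src
FIELDALIAS-cim_dest = dest_host AS dest
EVAL-action = if(result=="ok", "success", "failure")
EVAL-app    = "vendor_product"
EOF
  cat > "$d/eventtypes.conf" <<EOF
[vendor_product_auth]
search = sourcetype=$ST
EOF
  # The "authentication" tag is what makes the CIM Authentication
  # data model (and therefore ES correlation searches) pick events up.
  cat > "$d/tags.conf" <<EOF
[eventtype=vendor_product_auth]
authentication = enabled
EOF
}

# Deliver one event to HEC with the sourcetype the add-on expects.
# HEC_URL (e.g. https://<stack>.splunkcloud.com:8088) and HEC_TOKEN are
# assumed environment variables; $1 is the vendor event as a JSON object.
send_auth_event() {
  curl -sS "$HEC_URL/services/collector/event" \
    -H "Authorization: Splunk $HEC_TOKEN" \
    -d "{\"sourcetype\":\"$ST\",\"index\":\"vendor\",\"event\":$1}"
}

# Constructed sample event (not called here so the script runs offline):
# send_auth_event '{"username":"alice","src_ip":"10.1.2.3","dest_host":"vpn1","result":"failed"}'
```

Once the tag is applied, the events appear in the Authentication data model, and a correlation search can query them with `| tstats ... from datamodel=Authentication` instead of raw index searches.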