Security

Splunk integration - Do I need to create an add-on?

GuyCo
Observer

Hi to all. I'm working at a startup company providing security solutions.

I started researching how to integrate with Splunk and Splunk ES.

For now, we chose to use the HEC method for delivering the data into Splunk Cloud.

I wanted to ask some questions. 

  1. Do I need to create an add-on?
  2. To integrate with Splunk ES, what are the actions I need to take?

I understand this is the flow of actions:

  • load data using the HEC,
  • parse the data, normalizing it,
  • eventually, load the data into Data Models,
  • if you don't load data into Data Models, create your Correlation Searches using indexes.

I'll be happy if someone is able to elaborate more on each topic and tell me if something is missing.

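The HEC delivery step from the list above, as an added example that is not part of the original post and not Splunk's or any vendor's code. It assumes a hypothetical sourcetype acme:security:json, a hypothetical index acme_sec, vendor JSON field names outcome/user/src_ip/dest_host, and two environment variables SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN supplied by the operator; the two events are constructed, not real product output.

```shell
#!/bin/sh
# Added example (not from the thread): batch delivery to the HEC /event
# endpoint. Sourcetype, index, field names and the two events are
# hypothetical; SPLUNK_HEC_URL and SPLUNK_HEC_TOKEN come from the operator.
set -eu

HEC_SOURCETYPE="acme:security:json"
HEC_INDEX="acme_sec"

# Build one HEC envelope. Each envelope carries its own sourcetype, index,
# host and epoch time, so the Add-On's props.conf stanza matches on the
# sourcetype and Splunk never has to guess the timestamp from the body.
# $1 host, $2 epoch seconds, $3 event body (must already be valid JSON;
# escaping of the host value is left to the caller).
hec_event() {
  printf '{"time":%s,"host":"%s","sourcetype":"%s","index":"%s","event":%s}\n' \
    "$2" "$1" "$HEC_SOURCETYPE" "$HEC_INDEX" "$3"
}

# Constructed sample batch: one denied and one successful VPN login.
hec_batch() {
  hec_event sensor-01 1700000000 '{"outcome":"denied","user":"alice","src_ip":"203.0.113.7","dest_host":"vpn-gw","reason":"bad password"}'
  hec_event sensor-01 1700000002 '{"outcome":"ok","user":"alice","src_ip":"203.0.113.7","dest_host":"vpn-gw"}'
}

# Offline check before anything leaves the host: every line must be an
# envelope for our sourcetype and index with a JSON object as the event.
# Prints the event count, or fails on the first malformed line.
hec_batch_count() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      '{"time":'*'"sourcetype":"'"$HEC_SOURCETYPE"'","index":"'"$HEC_INDEX"'","event":{'*'}') n=$((n + 1)) ;;
      *) echo "malformed envelope: $line" >&2; return 1 ;;
    esac
  done
  echo "$n"
}

# HEC accepts several JSON objects concatenated in one body, so the whole
# batch is a single POST. The token goes in the Authorization header, never
# in the URL (it would end up in proxy and access logs). curl verifies the
# TLS certificate by default; do not add -k. --fail turns a 4xx/5xx (bad
# token, disabled input, wrong index) into a non-zero exit.
hec_send() {
  curl --silent --show-error --fail \
       -H "Authorization: Splunk ${SPLUNK_HEC_TOKEN}" \
       -H "Content-Type: application/json" \
       --data-binary "$1" \
       "${SPLUNK_HEC_URL%/}/services/collector/event"
}

if [ -n "${SPLUNK_HEC_URL:-}" ] && [ -n "${SPLUNK_HEC_TOKEN:-}" ]; then
  hec_batch | hec_batch_count >/dev/null   # refuse to send a malformed batch
  hec_send "$(hec_batch)"
else
  echo "SPLUNK_HEC_URL/SPLUNK_HEC_TOKEN not set; built $(hec_batch | hec_batch_count) events, nothing sent" >&2
fi
```

Run it with the two variables set to send the batch, or without them to only build and validate it. Setting sourcetype and index in the envelope rather than relying on the token's defaults is what lets a single HEC token serve several sourcetypes while each still lands on its own props.conf stanza.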

gcusello
SplunkTrust

Hi @GuyCo,

I assumed, in my previous answer, that the use of HEC is mandatory, but I suggest checking whether you can use Universal Forwarders, which are more efficient and secure.

Anyway, you have to use Add-Ons to parse data.

Usually Add-Ons are installed from Splunkbase, so you won't have any compliance problem; if instead you use custom Add-Ons, they will be checked by Splunk.

About integration with ES, the steps are the ones I described in my previous answer:

  • parse the data, normalizing it (using the Add-On),
  • eventually, load the data into Data Models,
  • if you don't load data into Data Models, create your Correlation Searches using indexes.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @GuyCo,

No, parsing is done by the Add-Ons; in fact, ES installation best practices suggest completing data ingestion, using Add-Ons, before installing ES.

ES is the SIEM, but data ingestion and normalization are done by the Add-Ons.

The only normalization done by ES is loading data into Data Models, which is done using the normalization performed in the Add-Ons.

In other words, if you don't do correct parsing and normalization, ES cannot read your data, cannot load it into Data Models and cannot use it in Correlation Searches.

Ciao.

Giuseppe

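The normalization and Data Model steps described in both answers, as an added example that is not from the thread and not Splunk's code: a scaffold for a minimal custom Add-On named TA-acme-security (hypothetical) that maps the constructed sourcetype acme:security:json to the CIM Authentication data model, followed by the two correlation search bodies, one over the data model and one over the raw index for the case where the data is not loaded into a data model. The vendor field names (outcome, user, src_ip, dest_host), the app name acme_vpn, the index acme_sec and the threshold of 10 failures are assumptions.

```shell
#!/bin/sh
# Added example: scaffolds a minimal custom Add-On (hypothetical name
# TA-acme-security) that normalizes the constructed sourcetype
# acme:security:json to the CIM Authentication data model, and prints the
# two correlation-search bodies. Not from the thread, not Splunk's code.
set -eu

ADDON=TA-acme-security
SOURCETYPE="acme:security:json"
INDEX=acme_sec

# Writes the Add-On under "$1" and prints its path.
write_addon() {
  root="$1/$ADDON"
  mkdir -p "$root/default" "$root/metadata"

  # app.conf identifies the package to Splunk (and to its app vetting).
  cat > "$root/default/app.conf" <<EOF
[package]
id = $ADDON

[install]
is_configured = 0

[ui]
is_visible = 0
label = Acme Security Add-On
EOF

  # props.conf does the search-time parsing and CIM field mapping.
  # KV_MODE=json extracts the vendor JSON body; FIELDALIAS/EVAL produce the
  # CIM Authentication fields (action, user, src, dest, app). No timestamp
  # rules are needed because the HEC envelope already carries "time".
  cat > "$root/default/props.conf" <<EOF
[$SOURCETYPE]
KV_MODE = json
FIELDALIAS-acme_src = src_ip AS src
FIELDALIAS-acme_dest = dest_host AS dest
EVAL-app = "acme_vpn"
EVAL-action = case(outcome=="ok", "success", outcome=="denied", "failure", true(), "unknown")
EOF

  # eventtypes.conf + tags.conf: the Authentication data model selects
  # events by tag=authentication, not by sourcetype. Without the tag the
  # data is parsed correctly but never reaches the model.
  cat > "$root/default/eventtypes.conf" <<EOF
[acme_authentication]
search = sourcetype="$SOURCETYPE" outcome=*
EOF
  cat > "$root/default/tags.conf" <<EOF
[eventtype=acme_authentication]
authentication = enabled
EOF

  # default.meta: export = system makes the knowledge objects visible to
  # other apps, including ES. Without it ES cannot see the tag or aliases.
  cat > "$root/metadata/default.meta" <<EOF
[]
access = read : [ * ], write : [ admin ]
export = system
EOF
  echo "$root"
}

# The two correlation-search bodies from the answer: over the accelerated
# data model (summariesonly=true reads only the acceleration summaries), or
# over the raw index when the data is not loaded into a data model.
spl_correlation_search() {
  case "${1:-}" in
    datamodel)
      printf '%s\n' "| tstats summariesonly=true count from datamodel=Authentication.Authentication where Authentication.action=\"failure\" Authentication.app=\"acme_vpn\" by Authentication.src, Authentication.user | where count >= 10" ;;
    index)
      printf '%s\n' "index=$INDEX sourcetype=\"$SOURCETYPE\" action=failure | stats count by src, user | where count >= 10" ;;
    *)
      echo "usage: spl_correlation_search datamodel|index" >&2; return 2 ;;
  esac
}

# Usage: sh scaffold_addon.sh /opt/splunk/etc/apps
if [ $# -ge 1 ]; then
  write_addon "$1"
  spl_correlation_search datamodel
  spl_correlation_search index
fi
```

Install the result on the search head, then verify each layer separately: the index search must return events with action, src, dest and user populated before the tstats search can return anything, and summariesonly=true only sees events that have already been accelerated, so while testing drop it (or use the index variant) to tell a parsing problem apart from acceleration lag. The tag is also why an Add-On is still needed even when the HEC payload is already clean JSON: the data model never looks at the sourcetype, only at the tag the Add-On assigns.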