Differences

This shows you the differences between two versions of the page.

--- splunk_integration [2022/11/19 01:02]
kaduuwikiadmin created
+++ splunk_integration [2023/05/22 20:40] (current)
@@ Line 3: / Line 3: @@
 {{::1.png?400 |}}
-. First of all, remember the hostname of your Splunk instance - it will be needed later when configuring Kaduu to send alerts to Splunk
+. First of all, remember the hostname of your Splunk Cloud instance - it will be needed later when configuring Kaduu to send alerts to Splunk. The hostname will be different from the one you see on the screenshot!
 . Go to "Settings" -> "Data Inputs"
+----
 {{::2.png?400 |}}
 . Add a new HTTP Event Collector by clicking the "Add New" link
+----
 {{::3.png?400 |}}
 . Put any name for that collector and hit "Next"
+----
 {{::4.png?400 |}}
@@ Line 22: / Line 28: @@
 . Hit "Review"
+----
 {{::5.png?400 |}}
-. Check all settings are valid on the Review page and hit next. Splunk will say that "Token has been created successfully" and show you a token, that you should copy and save it somewhere - it will be used on the next step
+. Check all settings are valid on the Review page and hit next. Splunk will say that "Token has been created successfully" and show you a token, that you should copy and save it somewhere - it will be used later when configuring everything from Kaduu
+----
+{{::spl-7.png?400 |}}
+. Go to "Settings" -> "Source types"
+----
+{{::spl-8.png?400 |}}
+. Click "New Source Type" green button on the right
+----
+{{::spl-9.png?400 |}}
+. Name the source as “Kaduu”, make sure “Destination app” has “Search & Reporting”, in “Indexed extractions” choose “json”, then click “Advanced” tab
+----
+{{::spl-10.png?400 |}}
+.  On the Advanced tab you have to add 4 new entries (click “New setting” link below the list each time):
+  * ''BREAK_ONLY_BEFORE'', value:  ''(\{|\[\s+{)''
+  * ''LINE_BREAKER'', value:  ''(\{|\[\s+{)''
+  * ''MUST_BREAK_AFTER'', value:  ''(\}|\}\s+\])''
+  * ''TIME_PREFIX'', value:  ''\"createdAt\":\"''
+----
+{{::spl-11.png?400 |}}
+. Then go to main menu, to "Settings" -> "Data inputs" -> "HTTP Event Collector" (we created it before) -> "Edit". You will see this form. Choose “Set Source Type” to “Entered sourcetype”, and “Source type” field - enter “Kaduu” in the dropdown. Others fields should be the same, hit "Save".
+----
+{{::spl-12.png?400 |}}
+. Configure your Kaduu account to send alerts over HTTP
+. Enter webhook URL in this form: [[https://<host>.splunkcloud.com:8088/services/collector/raw?token=<token>|https://<host>.splunkcloud.com:8088/services/collector/raw?token=<token>]], where <host> is the hostname of your Splunk instance and <token> is the token you copied on the previous step
-{{::6.png?400 |}}
+----
-. Configure your Kaduu account to send alerts over HTTP
+{{::spl-13.png?400 |}}
-. Enter webhook URL in this form: https://<host>.splunkcloud.com:8088/services/collector/event?token=<token>, where <host> is the hostname of your Splunk instance and <token> is the token you copied on the previous step
+. Hit "Save" and wait for new alert events to arrive to your Splunk instance
-. Hit "Save" and wait for new alert events to arrive to your Splunk instance
+. Warning! If you are not using the Cloud edition of Splunk (that is, it doesn't have splunkcloud.com in URL), please make sure you enable the Query String authentication in your Splunk settings.

My DokuWiki

User Tools

Site Tools

Differences

Page Tools