splunk_integration

Differences

This shows you the differences between two versions of the page.

splunk_integration [2022/11/19 01:07]
kaduuwikiadmin
splunk_integration [2023/05/22 20:40] (current)
Line 3: Line 3:
 {{::1.png?400 |}} {{::1.png?400 |}}
  
-1. First of all, remember the hostname of your Splunk instance - it will be needed later when configuring Kaduu to send alerts to Splunk+1. First of all, remember the hostname of your Splunk Cloud instance - it will be needed later when configuring Kaduu to send alerts to Splunk. The hostname will be different from the one you see on the screenshot!
  
 2. Go to "Settings" -> "Data Inputs" 2. Go to "Settings" -> "Data Inputs"
Line 33: Line 33:
 {{::5.png?400 |}} {{::5.png?400 |}}
  
-8. Check all settings are valid on the Review page and hit next. Splunk will say that "Token has been created successfully" and show you a token, that you should copy and save it somewhere - it will be used on the next step+8. Check all settings are valid on the Review page and hit next. Splunk will say that "Token has been created successfully" and show you a token, that you should copy and save it somewhere - it will be used later when configuring everything from Kaduu
  
 ---- ----
  
-{{::6.png?400 |}}+{{::spl-7.png?400 |}}
  
-9. Configure your Kaduu account to send alerts over HTTP+9. Go to "Settings" -> "Source types"
  
-10. Enter webhook URL in this form: [[https://<host>.splunkcloud.com:8088/services/collector/event?token=<token>|https://<host>.splunkcloud.com:8088/services/collector/event?token=<token>]], where <host> is the hostname of your Splunk instance and <token> is the token you copied on the previous step+---- 
 + 
 +{{::spl-8.png?400 |}} 
 + 
 +10. Click "New Source Type" green button on the right 
 + 
 +---- 
 + 
 +{{::spl-9.png?400 |}} 
 + 
 +11. Name the source as “Kaduu”, make sure “Destination app” has “Search & Reporting”, in “Indexed extractions” choose “json”, then click “Advanced” tab 
 + 
 +---- 
 + 
 +{{::spl-10.png?400 |}} 
 + 
 +12.  On the Advanced tab you have to add 4 new entries (click “New setting” link below the list each time): 
 +  * ''BREAK_ONLY_BEFORE'', value:  ''(\{|\[\s+{)'' 
 +  * ''LINE_BREAKER'', value:  ''(\{|\[\s+{)'' 
 +  * ''MUST_BREAK_AFTER'', value:  ''(\}|\}\s+\])'' 
 +  * ''TIME_PREFIX'', value:  ''\"createdAt\":\"'' 
 + 
 +---- 
 + 
 +{{::spl-11.png?400 |}} 
 + 
 +13. Then go to main menu, to "Settings" -> "Data inputs" -> "HTTP Event Collector" (we created it before) -> "Edit". You will see this form. Choose “Set Source Type” to “Entered sourcetype”, and “Source type” field - enter “Kaduu” in the dropdown. Others fields should be the same, hit "Save"
 + 
 +---- 
 + 
 +{{::spl-12.png?400 |}} 
 + 
 +14. Configure your Kaduu account to send alerts over HTTP 
 + 
 +15. Enter webhook URL in this form: [[https://<host>.splunkcloud.com:8088/services/collector/raw?token=<token>|https://<host>.splunkcloud.com:8088/services/collector/raw?token=<token>]], where <host> is the hostname of your Splunk instance and <token> is the token you copied on the previous step 
 + 
 +---- 
 + 
 +{{::spl-13.png?400 |}} 
 + 
 +16. Hit "Save" and wait for new alert events to arrive to your Splunk instance
  
-11Hit "Save" and wait for new alert events to arrive to your Splunk instance+17Warning! If you are not using the Cloud edition of Splunk (that is, it doesn't have splunkcloud.com in URL), please make sure you enable the Query String authentication in your Splunk settings.
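Review bot: Step 15 still says the token was "copied on the previous step", but the only place the token is shown is step 8, and the same hunk rewrites step 8 to say the token "will be used later when configuring everything from Kaduu"; the webhook step should point back to step 8 explicitly so a reader who followed steps 9 to 14 is not left looking for a token in step 14. The hunk also silently swaps the webhook endpoint from `/services/collector/event` to `/services/collector/raw` while adding the Kaduu source type with its `LINE_BREAKER` / `BREAK_ONLY_BEFORE` / `MUST_BREAK_AFTER` regexes; a sentence stating that the raw endpoint is used because Kaduu posts plain JSON rather than the HEC event envelope, and that the source type settings are what split that payload into events, would make the dependency between steps 12, 13 and 15 clear. Since the token travels in the URL query string, the new step 17 warning would benefit from noting that this is the reason query-string authentication must be enabled on non-Cloud instances, and that the URL (token included) will appear wherever request URLs are logged, so it should be treated as a secret.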
splunk_integration.1668816478.txt.gz · Last modified: 2023/05/22 20:40 (external edit)