Splunk
Import JupiterOne alert data to Splunk to view, query with J1QL, and link JupiterOne alerts from within Splunk.
- Installation guide
- Splunk data model
Installation
To configure JupiterOne with Splunk, you will first need to obtain your JupiterOne `accountId` and generate an API Key in JupiterOne:
- Generate your API Key: Create your API Key by following the instructions in our API Key Access guide.
- Obtain your JupiterOne `accountId`: Execute this query within the JupiterOne search on the app's home view: `find jupiterone_account`. The results column will display the value within the `accountId` column.
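As an added example (not part of the JupiterOne or Splunk documentation), the check below runs the same `find jupiterone_account` query through the JupiterOne GraphQL API so you can confirm that an API Key and `accountId` pair is valid, and that the key is scoped to the account you expect, before the pair is entered into the Splunk add-on. The endpoint URL, the `Authorization: Bearer` and `JupiterOne-Account` headers, the `queryV1` GraphQL wrapper and the location of `accountId` in the response are assumptions based on JupiterOne's public client libraries; verify them against the current API documentation. The sample response is constructed so the parsing logic can be exercised offline.

```python
# Added example, not JupiterOne's or Splunk's own code: validate an API Key and
# accountId pair by running `find jupiterone_account` through the JupiterOne API.
# Assumed (verify against current JupiterOne API docs): endpoint, header names,
# the queryV1 GraphQL wrapper and the response field that carries accountId.
import json
import os
import urllib.request

J1_GRAPHQL_URL = "https://api.us.jupiterone.io/graphql"  # assumed US endpoint
ACCOUNT_QUERY = "find jupiterone_account"  # the query from the setup step above

# queryV1 wrapper around a J1QL string (assumed shape)
QUERY_V1 = """
query J1QL($query: String!) {
  queryV1(query: $query) {
    type
    data
  }
}
"""


def build_request(api_key: str, account_id: str, j1ql: str = ACCOUNT_QUERY) -> dict:
    """Return the headers and JSON body for a J1QL query (pure, no network)."""
    if not api_key or not account_id:
        raise ValueError("both api_key and account_id are required")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {api_key}",
        "JupiterOne-Account": account_id,
    }
    body = {"query": QUERY_V1, "variables": {"query": j1ql}}
    return {"headers": headers, "body": body}


def extract_account_ids(response: dict) -> list:
    """Collect every accountId from a queryV1 response for `find jupiterone_account`.

    Reads `properties.accountId` first and the entity's `_accountId` as a fallback
    (assumed field names); rows carrying neither are skipped rather than raising.
    """
    rows = (response.get("data") or {}).get("queryV1", {}).get("data") or []
    ids = []
    for row in rows:
        props = row.get("properties") or {}
        entity = row.get("entity") or {}
        account = props.get("accountId") or entity.get("_accountId")
        if account:
            ids.append(account)
    return ids


def credentials_match(response: dict, expected_account_id: str) -> bool:
    """True only when the query returned the account the key is expected to serve."""
    return expected_account_id in extract_account_ids(response)


def verify_credentials(api_key: str, account_id: str, timeout: int = 30) -> bool:
    """Run the query against the live API; True when the account matches.

    A 401/403 (rejected key) or a 4xx on the account header raises HTTPError;
    treat either as 'do not enter these values into Splunk'.
    """
    parts = build_request(api_key, account_id)
    req = urllib.request.Request(
        J1_GRAPHQL_URL,
        data=json.dumps(parts["body"]).encode(),
        headers=parts["headers"],
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    return credentials_match(payload, account_id)


# Constructed sample response in the assumed queryV1 shape, for offline checks.
SAMPLE_RESPONSE = {
    "data": {
        "queryV1": {
            "type": "list",
            "data": [
                {
                    "entity": {"_id": "entity-0001", "_accountId": "j1dev"},
                    "properties": {"accountId": "j1dev", "displayName": "Example"},
                },
                {"entity": {"_id": "entity-0002"}, "properties": {"displayName": "no id"}},
            ],
        }
    }
}

if __name__ == "__main__":
    key = os.environ.get("J1_API_KEY")
    acct = os.environ.get("J1_ACCOUNT_ID")
    if key and acct:
        print("credentials OK" if verify_credentials(key, acct) else "account mismatch")
    else:
        print("offline check:", credentials_match(SAMPLE_RESPONSE, "j1dev"))
```

Run it with `J1_API_KEY` and `J1_ACCOUNT_ID` set to perform the live check; without them it only exercises the parser on the constructed sample. Keeping the key in an environment variable rather than on the command line keeps it out of shell history.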
Add JupiterOne to Splunk
With both the API Key and `accountId` from JupiterOne, proceed to Splunk to add JupiterOne to your Splunk workspace. This can be done either by:
Installing the JupiterOne app directly from the Splunk dashboard:
- On the Splunk home dashboard, use the Find More Apps link to find and install the JupiterOne Add-on and the JupiterOne app.
Downloading the JupiterOne add-on and app package from the Splunkbase marketplace:
- In Splunk navigate to Apps > Manage Apps by clicking the gear icon in the upper-left corner.
- Select Install app from file in the top-right.
- Choose File and select the JupiterOne add-on package or app package.
- Click Upload and follow the prompts to complete the process.
Configure the JupiterOne Add-on in Splunk
Now that JupiterOne has been added to Splunk, the last step is to finalize the configuration and input your JupiterOne credentials.
- In Splunk, navigate to the JupiterOne Add-on for Splunk, and click Configuration.
- Click Add to create a new JupiterOne account configuration on the add-on.
- Enter your JupiterOne Account Name, `accountId`, and API Key. Click Add when finished.
- Optional: You can add a proxy under the Proxy tab, or change the log level on the Logging tab. By default the log level is `INFO`.
- Next, go to the Inputs tab, and choose Create New Input.
- Enter the desired values for the input, and press Add once done.
This concludes the setup for the Add-on. With the Add-on configured, the JupiterOne app within Splunk will start working without additional setup.
Data Model
Entities
Field Name | Field Description |
---|---|
Name * | Unique name for the data input. |
Interval * | Time interval of input in seconds. How often JupiterOne collects the data. |
Index * | Index where data is stored. |
JupiterOne Account * | Account that was configured in the Configuration tab. |
Pull Alert Related Objects | If enabled, pulls data for entities in Alert. |
Start DateTime | Date in UTC when you want to start collecting data. Default is 30 days in the past. |
* Denotes required fields