What is Splunk?
Splunk Enterprise is a software product that enables you to search, analyze, and visualize the data gathered from the components of your IT infrastructure or business. Splunk Enterprise takes in data from websites, applications, sensors, devices, and so on. After you define the data source, Splunk Enterprise indexes the data stream and parses it into a series of individual events that you can view and search.
Why Should You Use the Splunk Connector?
The Splunk connector provides visibility into the assets in your environment. You can use this visibility to:
- ensure assets are managed per your security policies
- derive relationships between assets, users, applications, and data
How Does This Connector Work?
Lucidum executes read-only requests to the Splunk REST API and ingests only meta-data about Splunk devices. Lucidum does not retrieve any data stored on your assets.
Configuring the Connector in Lucidum

| Field | Description | Example |
|---|---|---|
| Profile Name | Name of this configuration. | Lucidum connector |
| Splunk Host | The hostname of the Splunk server. | lucidum.splunkcloud.com |
| Splunk Port | The port on the Splunk server. Default port is 389. Recommend using 8089. | 8089 |
| API Token | Optional. You can authenticate with either a user name and password or an API token; both are not required. API token for a Splunk account with read access, preferably with the Power User role. | ************ |
| Username | Optional. You can authenticate with either a user name and password or an API token; both are not required. User name for a Splunk account with read access, preferably with the Power User role. | justynmutts |
| Password | Optional. You can authenticate with either a user name and password or an API token; both are not required. The password for the Splunk account, preferably with the Power User role. | ************ |
| Asset Data Index | Splunk index where asset data is stored. | devices |
| Asset Data Sourcetype | The Splunk source types associated with asset data. To view all source types, go to Splunk Web > Settings > Source Types. | device_secure_logsource |
| Asset Data Query | Query, written in Splunk Search Processing Language (SPL), that filters the list of assets. | type=hosts index=* |
| Asset Data Mapping | Maps field values from Splunk to the fields in the Lucidum Asset database. | Cloud_Account_ID->Asset_Name |
| User Data Index | Splunk index where user data is stored. | users |
| User Data Sourcetype | The Splunk source type associated with user data. To view all source types, go to Splunk Web > Settings > Source Types. | user_secure_logsource |
| User Data Query | Query, written in Splunk Search Processing Language (SPL), that filters the list of assets. | index=* user=* |
| User Data Mapping | Maps field values from Splunk to fields in the Lucidum User database. | Owner_Email->Owner_Name |
Asset Data Mapping
Lucidum has populated the Asset Data Mapping field with the most commonly used Lucidum fields. The value on the right side of the mapping is the Lucidum field.
You can map only the Lucidum fields (values to the right of ->) that are already included in the Asset Data Mapping field. Currently, you cannot add new mappings.
To create a mapping:
- Put your cursor in the Asset Data Mapping field.
- Note the name of the Lucidum field you want to map. Then delete it (garbage can icon).
- Enter “Splunk field name”->Lucidum_Field_Name, where:
  - “Splunk field name” is a field name used in Splunk Enterprise.
  - Lucidum_Field_Name is the name of the field in the Lucidum Asset database.
- Press Enter. The new mapping appears in the Asset Data Mapping field.
User Data Mapping
Lucidum has populated the User Data Mapping field with the most commonly used Lucidum fields. The value on the right side of the mapping is the Lucidum field.
You can map only the Lucidum fields (values to the right of ->) that are already included in the User Data Mapping field. Currently, you cannot add new mappings.
To create a mapping:
- Put your cursor in the User Data Mapping field.
- Note the name of the Lucidum field you want to map. Then delete it (garbage can icon).
- Enter “Splunk field name”->Lucidum_Field_Name, where:
  - “Splunk field name” is a field name used in Splunk Enterprise.
  - Lucidum_Field_Name is the name of the field in the Lucidum Asset database.
- Press Enter. The new mapping appears in the User Data Mapping field.
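The configuration table, the SPL query fields and the two mapping procedures above describe one pipeline: authenticate to the Splunk REST API over the management port, run a search restricted to the configured index and source type, and translate Splunk field names into Lucidum field names. The following Python script is an added example written for this page; it is not Lucidum's connector code and not a Splunk-provided client. It assembles the request for the real Splunk endpoint `/services/search/jobs` (one-shot mode, JSON output, bearer-token authentication) without sending it, then parses mapping entries in the page's `Splunk_field->Lucidum_Field` form and applies them to a constructed sample response. The host, token, `ALLOWED_LUCIDUM_FIELDS`, the sample events and all function names are assumptions made for the example.

```python
"""Added example (not Lucidum's or Splunk's code): build a Splunk REST search
request and apply a Lucidum-style field mapping to the search results."""
import json
import urllib.parse
from typing import Dict, Iterable, List

# Hypothetical connector settings mirroring the configuration table on the page.
# Host, token and mapping values are constructed placeholders.
SETTINGS = {
    "splunk_host": "splunk.example.invalid",   # placeholder hostname
    "splunk_port": 8089,                        # Splunk management (REST) port
    "api_token": "<SPLUNK_API_TOKEN>",          # placeholder, never a real token
    "asset_index": "devices",
    "asset_sourcetype": "device_secure_logsource",
    "asset_query": "type=hosts",                # SPL filter from the config
    "asset_mapping": ["Cloud_Account_ID->Asset_Name", "ip->IP_Address"],
}

# Assumed set of Lucidum fields a mapping may target. The page states that only
# fields already present in the mapping field can be used, so anything else is
# rejected instead of silently creating a new field.
ALLOWED_LUCIDUM_FIELDS = {"Asset_Name", "IP_Address", "Owner_Name"}


def build_spl(settings: Dict) -> str:
    """Pin the search to the configured index and sourcetype, then apply the
    user-supplied filter. Read access to these indexes is all the account needs."""
    return (f"search index={settings['asset_index']} "
            f"sourcetype={settings['asset_sourcetype']} "
            f"{settings['asset_query'].strip()}")


def build_search_request(settings: Dict) -> Dict:
    """Assemble a one-shot search job request for /services/search/jobs.
    Nothing is sent; the caller can inspect or log exactly what would go out.
    The search reads indexed events only and writes nothing to the assets."""
    url = (f"https://{settings['splunk_host']}:{settings['splunk_port']}"
           "/services/search/jobs")
    body = urllib.parse.urlencode({
        "search": build_spl(settings),
        "exec_mode": "oneshot",    # run synchronously, return results directly
        "output_mode": "json",
    })
    headers = {
        # Splunk authentication tokens are presented as a bearer token.
        "Authorization": f"Bearer {settings['api_token']}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return {"method": "POST", "url": url, "headers": headers, "body": body}


def parse_mapping(entries: Iterable[str]) -> Dict[str, str]:
    """Parse entries of the form “Splunk field name”->Lucidum_Field_Name."""
    mapping: Dict[str, str] = {}
    for raw in entries:
        left, sep, right = raw.partition("->")
        if not sep:
            raise ValueError(f"mapping {raw!r} lacks '->'")
        src = left.strip().strip('"\u201c\u201d')   # allow straight or curly quotes
        dst = right.strip()
        if not src or not dst:
            raise ValueError(f"mapping {raw!r} has an empty side")
        if dst not in ALLOWED_LUCIDUM_FIELDS:
            raise ValueError(f"{dst!r} is not an existing Lucidum field")
        mapping[src] = dst
    return mapping


def apply_mapping(results: List[Dict[str, str]],
                  mapping: Dict[str, str]) -> List[Dict[str, str]]:
    """Rename Splunk fields to Lucidum fields; events with no mapped field are
    dropped so unmapped metadata (such as _raw) never reaches the asset store."""
    mapped = []
    for event in results:
        record = {dst: event[src] for src, dst in mapping.items() if src in event}
        if record:
            mapped.append(record)
    return mapped


# Constructed sample of what a one-shot search returns with output_mode=json.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"Cloud_Account_ID": "web-01", "ip": "10.0.0.5", "_raw": "..."},
    {"Cloud_Account_ID": "db-02", "ip": "10.0.0.9", "_raw": "..."},
    {"hostname": "legacy-03"},   # no mapped fields: skipped
]})


def ingest_assets(response_text: str, settings: Dict) -> List[Dict[str, str]]:
    """Decode the JSON search response and apply the configured mapping."""
    results = json.loads(response_text).get("results", [])
    return apply_mapping(results, parse_mapping(settings["asset_mapping"]))


if __name__ == "__main__":
    req = build_search_request(SETTINGS)
    print(req["method"], req["url"])
    print(req["body"])
    for rec in ingest_assets(SAMPLE_RESPONSE, SETTINGS):
        print(rec)
```

The same `parse_mapping` and `apply_mapping` functions serve the User Data Mapping procedure unchanged; only the settings keys (index, sourcetype, query, mapping) and the allowed target fields differ. Rejecting unknown right-hand fields up front is the check a practitioner wants, because a typo in a Lucidum field name would otherwise fail only after the search has already run.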
Source Documentation
Creating Credentials
Contact your Lucidum Sales Representative for help with creating credentials.
To create a new user with the required role, follow the tutorials in the official Splunk documentation below:
Required Permissions
This connector works best when you assign the built-in Power User role to the user account aligned with the Lucidum connector.
Asset Data Query and User Data Query
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchReference/WhatsInThisManual
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Search/Usingthesearchassistant
API Documentation
https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog