chainkit-splunk

Overview

This is a Chainkit app for Splunk Enterpirse. The app montiors and detects indexed logs on Splunk whether logs get tampered or not.

Dependencies

• Splunk Enterprise 8.0+
• Splunk Add-on Builder 3.0.1
• Supported on Windows, Linux, MacOS, Solaris, FreeBSD, HP-UX, AIX

1) Install the Add-on Builder on Splunk Enterprise:

https://docs.splunk.com/Documentation/AddonBuilder/3.0.1/UserGuide/Installation

2) Download or clone chainkit-splunk and make a .tar file and import it on the Add-on

1. tar -czvf ${file_name}.tar.gz ${path}/-chainkit
2. Navigate to the Splunk Add-on Builder.
3. Click Import Project.

3) Add a Splunk Account

1. Go to Configuration in Chainkit App.
2. Add a Splunk Account; This account must have permission for accessing data that you need to export.

4) Create an input

• Interval: Set time Interval in seconds; this module will be run periodically with the given interval.
• Index: Set Index that you would like to store a chainkit result.
• Username/Password: This username/password must be generated by Chainkit.
• Storage: There are three types of storage depending on your chainkit plan: pencil, public, private
• API: Select either Register or Verify API.
• Query:
  1. For Register, a query is used for exporting logs that you would like to register.
  2. For Verify, a query is simple: search index=put the index you used for register API
• Earliest_time/Latest_time: These are a time bucket that retrives logs in the give time range.
• Global Account: Select the account that you set above.

Contact

This project was initiated by PencilDATA Inc.

Email

info@chainkit.com