deductiv / export_everything

Export Everything Add-On for Splunk
Apache License 2.0

Export Everything - Splunk Add-On by Deductiv

This add-on exports your Splunk search results to remote destinations so you can do more with your Splunk data. It provides search commands and alert actions to export/push/upload/share your data to multiple destinations of each type. The app must be configured via the Setup dashboard before using it. The setup dashboard includes a connection test feature in the form of a "Browse" action for all file-based destinations.

Supported Export Formats

File-Based Destinations

Streaming Destinations

We offer paid Commercial Support for Export Everything and our other published Splunk apps using GitHub Sponsors or through a direct support agreement. Contact us for more information.

Free community support is also available, but not recommended for production use cases. In the event of an issue, email us and we'll help you sort it out. You can also reach the author on the Splunk Community Slack.

Features

We welcome your feature requests, which can be submitted as issues on GitHub. Paid support customers have priority feature requests.


Credential Management

Use the Credentials tab to manage usernames, passwords, and passphrases (used for private keys) within the Splunk secret store. Certain use cases (such as private key logins) may not require a password, but Splunk requires one to be entered anyway. For passphrases, type any description into the username field. OAuth credentials such as those for AWS use the username field for the access key and the password field for the secret access key. Due to the way Splunk manages credentials, the username field cannot be changed once it is saved.

Authorization via Capabilities

Add read capabilities for each command to users who require access to use the search command or alert action. Add write capability to allow them to make changes to the configuration. By default, admin/sc_admin has full access and power has read-only access. Credential permissions must be granted separately, but are required to use each command that depends on them.

Keywords for Output Filenames

All file-based destinations support keywords for the output filenames. The keywords have double underscores before and after. The keyword replacements are based on Python expressions, so we can add more as they are requested. Those currently available are shown below:
     __now__ = epoch
     __nowms__ = epoch value in milliseconds
     __nowft__ = timestamp in yyyy-mm-dd_hhmmss format
     __today__ = date in yyyy-mm-dd format
     __yesterday__ = yesterday's date in yyyy-mm-dd format
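The keyword substitution described above, written out as an added example so the behaviour of each keyword is concrete. This is illustrative code, not the add-on's own implementation: it assumes the keywords are matched as whole `__name__` tokens, that any token not in the list is left untouched (no expression evaluation of user-supplied filename text), and that timestamps are computed in UTC. The fixed `SAMPLE_NOW` value is constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Only the documented keywords are recognized. Anything else between double
# underscores stays as written, so a filename cannot smuggle an expression in.
KEYWORD_RE = re.compile(r"__([a-z]+)__")

# Constructed reference time used by the demo and the checks below (2024-01-15 13:45:30 UTC).
SAMPLE_NOW = datetime(2024, 1, 15, 13, 45, 30, tzinfo=timezone.utc)


def keyword_values(now: datetime) -> dict:
    """Compute every documented keyword for a given 'now' (passed in so results are reproducible)."""
    epoch_seconds = int(now.timestamp())
    return {
        "now": str(epoch_seconds),                              # __now__ = epoch
        "nowms": str(int(now.timestamp() * 1000)),              # __nowms__ = epoch in milliseconds
        "nowft": now.strftime("%Y-%m-%d_%H%M%S"),               # __nowft__ = yyyy-mm-dd_hhmmss
        "today": now.strftime("%Y-%m-%d"),                      # __today__ = yyyy-mm-dd
        "yesterday": (now - timedelta(days=1)).strftime("%Y-%m-%d"),  # __yesterday__
    }


def expand_filename_keywords(filename: str, now: Optional[datetime] = None) -> str:
    """Replace documented __keyword__ tokens in an output filename; unknown tokens are preserved."""
    if now is None:
        now = datetime.now(timezone.utc)
    values = keyword_values(now)

    def replace(match: re.Match) -> str:
        # Unknown keyword: return the original text unchanged rather than guessing.
        return values.get(match.group(1), match.group(0))

    return KEYWORD_RE.sub(replace, filename)


if __name__ == "__main__":
    print(expand_filename_keywords("exports/splunk___nowft__.csv.gz", SAMPLE_NOW))
```

Passing `now` explicitly makes the expansion deterministic, which is useful when testing an alert action's filename pattern before enabling it; in normal use the current UTC time is taken.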

Common Arguments

The following arguments are common to all search commands in this app:

AWS S3 Export (epawss3)

Export Splunk search results to AWS S3-compatible object storage. Connections can be configured to authenticate using OAuth credentials or the assumed role of the search head EC2 instance.

Capabilities

Search Command Syntax

<search> | epawss3  
        target=<target name/alias>  
        bucket=<bucket>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        blankfields=[true|false]  
        internalfields=[true|false]  
        datefields=[true|false]  
        compress=[true|false]  
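To make the common file-export arguments concrete, here is an added example that applies `outputformat`, `fields`, `blankfields` and `internalfields` to a set of result rows. It is not the add-on's code; it assumes the semantics a reader would expect from the argument names: `internalfields=false` drops fields whose names begin with an underscore (such as `_raw` and `_time`), `blankfields=false` drops fields with an empty value, `fields` restricts and orders the output, and `raw` writes only the original event text. The `SAMPLE_ROWS` are constructed, not real data.

```python
import csv
import io
import json
from typing import Dict, List, Optional

# Constructed sample rows shaped like Splunk search results; internal fields start with "_".
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"_time": "1705326330", "_raw": "user=alice action=login status=success",
     "user": "alice", "action": "login", "status": "success", "src": ""},
    {"_time": "1705326391", "_raw": "user=bob action=login status=failure",
     "user": "bob", "action": "login", "status": "failure", "src": "10.0.0.5"},
]

# Delimiter for each tabular outputformat value.
DELIMITERS = {"csv": ",", "tsv": "\t", "pipe": "|"}


def select_fields(row: Dict[str, str], fields: Optional[List[str]] = None,
                  blankfields: bool = False, internalfields: bool = False) -> Dict[str, str]:
    """Apply the fields / blankfields / internalfields arguments to one row (assumed semantics)."""
    names = fields if fields else list(row.keys())
    selected = {}
    for name in names:
        if name not in row:
            continue                                  # requested field absent from this row
        if not internalfields and name.startswith("_"):
            continue                                  # drop _raw, _time, ... unless asked for
        value = row[name]
        if not blankfields and (value is None or value == ""):
            continue                                  # drop empty values unless asked for
        selected[name] = value
    return selected


def kv_pair(key: str, value: str) -> str:
    """key="value" with embedded double quotes escaped so the line stays parseable."""
    escaped = str(value).replace('"', '\\"')
    return f'{key}="{escaped}"'


def format_results(rows: List[Dict[str, str]], outputformat: str = "json",
                   fields: Optional[List[str]] = None, blankfields: bool = False,
                   internalfields: bool = False) -> str:
    """Render rows in one of json | raw | kv | csv | tsv | pipe, one record per line."""
    if outputformat == "raw":
        # raw = original event text only; the field filters do not apply
        return "\n".join(r.get("_raw", "") for r in rows) + "\n"

    filtered = [select_fields(r, fields, blankfields, internalfields) for r in rows]
    if outputformat == "json":
        return "\n".join(json.dumps(r) for r in filtered) + "\n"
    if outputformat == "kv":
        return "\n".join(" ".join(kv_pair(k, v) for k, v in r.items()) for r in filtered) + "\n"
    if outputformat in DELIMITERS:
        # Header is the union of retained field names in first-seen order; a row lacking
        # a column gets an empty cell (csv.DictWriter's default restval).
        header: List[str] = []
        for r in filtered:
            for k in r:
                if k not in header:
                    header.append(k)
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=header,
                                delimiter=DELIMITERS[outputformat], lineterminator="\n")
        writer.writeheader()
        writer.writerows(filtered)
        return buf.getvalue()
    raise ValueError(f"unsupported outputformat: {outputformat}")


if __name__ == "__main__":
    print(format_results(SAMPLE_ROWS, "csv"))
    print(format_results(SAMPLE_ROWS, "kv", fields=["user", "status"]))
```

Note the interaction worth checking before exporting to a shared destination: with `internalfields=true` the `_raw` event text travels along with the extracted fields, so a file meant to contain only selected columns can end up carrying the full original events.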

Arguments


Azure Blob Storage Export (epazureblob)

Export Splunk search results to Azure Blob or Data Lake v2 object storage. Configure connections to authenticate using storage account keys or Azure Active Directory app credentials.

Capabilities

Search Command Syntax

<search> | epazureblob  
        target=<target name/alias>  
        container=<container name>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        blankfields=[true|false]  
        internalfields=[true|false]  
        datefields=[true|false]  
        compress=[true|false]  
        append=[true|false]  

Arguments


Box Export (epbox)

Export Splunk search results to Box cloud storage. Box must be configured with a Custom App using Server Authentication (with JWT) and a certificate generated. Then, the app must be submitted for approval by the administrator. The administrator should create a folder within the app's account and share it with the appropriate users.

Capabilities

Search Command Syntax

<search> | epbox  
        target=<target name/alias>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        blankfields=[true|false]  
        internalfields=[true|false]  
        datefields=[true|false]  
        compress=[true|false]  

SFTP Export (epsftp)

Export Splunk search results to SFTP servers.

Capabilities

Search Command Syntax

<search> | epsftp  
        target=<target name/alias>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        blankfields=[true|false]  
        internalfields=[true|false]  
        datefields=[true|false]  
        compress=[true|false]  

Windows/SMB Export (epsmb)

Export Splunk search results to SMB file shares.

Capabilities

Search Command Syntax

<search> | epsmb  
        target=<target name/alias>  
        outputfile=<output path/filename>  
        outputformat=[json|raw|kv|csv|tsv|pipe]  
        fields="<comma-delimited fields list>"  
        blankfields=[true|false]  
        internalfields=[true|false]  
        datefields=[true|false]  
        compress=[true|false]  

Splunk HEC Export (ephec)

Stream Splunk search results to a Splunk HTTP Event Collector (HEC) or Cribl Stream HEC endpoint.

Capabilities

Search Command Syntax

<search> | ephec  
        target=<target name/alias>  
        host=[host_value|$host_field$]  
        source=[source_value|$source_field$]  
        sourcetype=[sourcetype_value|$sourcetype_field$]  
        index=[index_value|$index_field$]  
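An added example of how the `host`, `source`, `sourcetype` and `index` arguments map onto HEC events, including the `$field$` form that takes the value from each result row. This is illustrative code, not the add-on's implementation. The JSON envelope keys (`time`, `host`, `source`, `sourcetype`, `index`, `event`) and the `Authorization: Splunk <token>` header are the standard HEC event endpoint format; the choice to put all non-underscore fields into `event`, and to omit a metadata key whose referenced field is missing from the row rather than send the literal `$field$` text, are assumptions. `SAMPLE_RESULTS` is constructed sample data.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample rows (not real data), shaped like Splunk search results.
SAMPLE_RESULTS: List[Dict[str, str]] = [
    {"_time": "1705326330", "_raw": "user=alice action=login", "host": "web01",
     "index": "auth", "sourcetype": "app:login", "user": "alice"},
    {"_time": "1705326391", "_raw": "user=bob action=login", "host": "web02",
     "index": "auth", "sourcetype": "app:login", "user": "bob"},
]

# A setting of the exact form $name$ refers to a field in the row; anything else is literal.
FIELD_REF = re.compile(r"^\$([A-Za-z0-9_]+)\$$")


def resolve_setting(setting: Optional[str], row: Dict[str, str]) -> Optional[str]:
    """Return a literal setting unchanged, or the row's value for a $field$ reference."""
    if setting is None:
        return None
    match = FIELD_REF.match(setting)
    if not match:
        return setting
    # Missing field -> None, so the caller omits the key instead of sending "$field$" verbatim.
    return row.get(match.group(1))


def build_hec_event(row: Dict[str, str], host: Optional[str] = None, source: Optional[str] = None,
                    sourcetype: Optional[str] = None, index: Optional[str] = None) -> dict:
    """Build one JSON envelope for the HEC /services/collector/event endpoint."""
    # Assumption: the event body carries the row's non-internal fields.
    envelope: dict = {"event": {k: v for k, v in row.items() if not k.startswith("_")}}
    if "_time" in row:
        envelope["time"] = float(row["_time"])   # HEC takes epoch seconds (fractional allowed)
    for key, setting in (("host", host), ("source", source),
                         ("sourcetype", sourcetype), ("index", index)):
        resolved = resolve_setting(setting, row)
        if resolved not in (None, ""):
            envelope[key] = resolved
    return envelope


def build_hec_payload(rows: List[Dict[str, str]], **settings) -> str:
    """HEC accepts several JSON objects concatenated in a single request body."""
    return "".join(json.dumps(build_hec_event(r, **settings), separators=(",", ":")) for r in rows)


def hec_headers(token: str) -> Dict[str, str]:
    """Request headers for the collector; keep the token out of logs and search history."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


if __name__ == "__main__":
    # TOKEN_PLACEHOLDER stands in for the HEC token stored under the Credentials tab.
    print(hec_headers("TOKEN_PLACEHOLDER"))
    print(build_hec_payload(SAMPLE_RESULTS, host="$host$", source="export_everything",
                            sourcetype="$sourcetype$", index="$index$"))
```

Using `index="$index$"` replays each event into the index named in the row, which preserves the original routing when mirroring to a second Splunk or to Cribl Stream; a literal value such as `index=security_copy` forces everything into one index on the receiving side.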

Arguments


Binary File Declaration

The following binaries are written in C and are required by multiple Python modules used within this app:

Library Customization

The following binaries are customized within this app to conform to Splunk AppInspect requirements: