This app for Splunk connects to the Signal Sciences API in order to pull data into Splunk.
The latest version only supports using API Tokens.
Information about API Tokens can be found at https://docs.signalsciences.net/developer/using-our-api/
The Corp name and Dashboard Site names are in the URL for the dashboard. For example, if we had a Corp Name of foo and a Dashboard Site name of bar, we would see it like the following:
https://dashboard.signalsciences.net/corps/{CORP_NAME}/sites/{site_api_name}
You can also get the API Name for Dashboard Sites from the Manage Sites menu if you are a Corp Owner or Corp Admin. When logging into the Signal Sciences Dashboard you can go to Corp Tools -> Manage Sites and the lowercase name under the display name is the API Name.
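A small helper for the naming rules above, added here as an example and not part of the Signal Sciences add-on: it takes a dashboard URL and returns the corp_api_name and site_api_name values to enter in the add-on. The function name and the validation rules (HTTPS only, no whitespace or template placeholders, lowercase site name) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Host taken from the dashboard URL shown in this README.
DASHBOARD_HOST = "dashboard.signalsciences.net"


def _check(label, value, require_lower):
    """Reject values that look like a display name or an unfilled placeholder."""
    if not value or value.startswith("{") or any(c.isspace() for c in value):
        raise ValueError(f"{label} API name looks wrong: {value!r}")
    if require_lower and value != value.lower():
        # The README states that the site API name is the lowercase name.
        raise ValueError(f"{label} API name must be lowercase: {value!r}")
    return value


def names_from_dashboard_url(url):
    """Return the add-on settings derived from a dashboard URL.

    site_api_name is None when the URL has no /sites/<name> segment.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.hostname != DASHBOARD_HOST:
        raise ValueError(f"not a Signal Sciences dashboard URL: {url!r}")

    # Path layout from the README: /corps/<corp>/sites/<site>[/...]
    segs = [unquote(s) for s in parts.path.split("/") if s]
    if len(segs) < 2 or segs[0] != "corps":
        raise ValueError("URL path does not start with /corps/<name>")

    corp = _check("corp", segs[1], require_lower=False)
    site = None
    if len(segs) >= 4 and segs[2] == "sites":
        site = _check("site", segs[3], require_lower=True)
    return {"corp_api_name": corp, "site_api_name": site}


if __name__ == "__main__":
    # Constructed URL using the README's example names foo and bar.
    print(names_from_dashboard_url(
        "https://dashboard.signalsciences.net/corps/foo/sites/bar"))
```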
The Technical Adapter does not create an index by default.
Once the Splunk App has been installed you will need to configure the shared settings and then the Modular Data inputs.
Log into your Splunk Web Portal
Select the sigsci_TA_for_splunk
Click on "Configuration"
Click on "Add-on Settings"
Fill in the Signal Sciences user (Email Address), Password or API Token, and the Signal Sciences corp name.
corp-abc
Click Save
Click on "Input"
Click on "Create New Input"
Choose either "Sigsci Requests" or "Sigsci Event"
Fill in the Input settings
default
app-prod
The new process for updating the App is to:
sigsci_TA_for_splunk_*_export.tgz
file in
Data Input Properties
These are general properties for the input
"Data Properties"
Property | Description |
---|---|
Source Type Name | The name of the input that will be used in searches. Can't be changed |
Input display name | The Display Name for the input |
Input Name | The API Name for the input |
Description | The description is optional |
Collection Interval | The frequency the Modular Input is executed by the Splunk Server |
Data Input Parameters
These are properties for the specific Modular Input
"Data Parameters"
Property | Description |
---|---|
time_delta | The time delta in seconds used by the modular input |
site_api_name | For the non-corp API configurations (SigsciEvents and SigsciRequests) this is the Site API Name |
Add-on Setup Parameters
These are the global properties shared between all of the input types
"Global Properties"
Property | Description |
---|---|
The email for the API user to be used | |
corp_api_name | The API name for the corp to pull data from |
api_token | The API token for the account to pull data from |
Once Finished click Save and Finish
Manage Source Types is used to configure how the input parses the different properties of what is returned. This is configured to be JSON with specific criteria to find the timestamp.
"Source Type Details"
Once you are done updating click save
Export App for using in a new Splunk App Builder
.tgz file that you will need for importing on a new Splunk setup to use it in the App Builder
Export App to Submit to Splunk Base
.spl file