Splunk

What is Splunk?

Splunk Enterprise is a software product that enables you to search, analyze, and visualize the data gathered from the components of your IT infrastructure or business. Splunk Enterprise takes in data from websites, applications, sensors, devices, and so on. After you define the data source, Splunk Enterprise indexes the data stream and parses it into a series of individual events that you can view and search.

Why Should You Use the Splunk Connector?

The Splunk connector provides visibility into the assets in your environment. You can use this visibility to:

  • ensure assets are managed per your security policies

  • derive relationships between assets, users, applications, and data

How Does This Connector Work?

Lucidum executes read-only requests to the Splunk REST API and ingests only meta-data about Splunk devices. Lucidum does not retrieve any data stored on your assets.

Configuring the Connector in Lucidum

| Field | Description | Example |
|---|---|---|
| Profile Name | Name of this configuration. | Lucidum connector |
| Splunk Host | The hostname of the Splunk server. | lucidum.splunkcloud.com |
| Splunk Port | The port on the Splunk server. Default port is 389. Recommend using 8089. | 8089 |
| API Token | Optional. Use either an API token or a user name and password; both are not required. API token for a Splunk account with read access, preferably with the Power User role. | ************ |
| Username | Optional. Use either an API token or a user name and password; both are not required. User name for a Splunk account with read access, preferably with the Power User role. | justynmutts |
| Password | Optional. Use either an API token or a user name and password; both are not required. The password for the Splunk account, preferably with the Power User role. | ************ |
| Asset Data Index | Splunk index where asset data is stored. | devices |
| Asset Data Sourcetype | Specify the Splunk source types associated with asset data. To view all source types, go to Splunk Web > Settings > Source Types. | device_secure_logsource |
| Asset Data Query | Query, using Splunk Search Processing Language (SPL), to filter the list of assets. | `type=hosts index=*` |
| Asset Data Mapping | Maps field values from Splunk to the fields in the Lucidum Asset database. | `Cloud_Account_ID->Asset_Name` |
| User Data Index | Splunk index where user data is stored. | users |
| User Data Sourcetype | Specify the Splunk source type associated with user data. To view all source types, go to Splunk Web > Settings > Source Types. | user_secure_logsource |
| User Data Query | Query, using the Splunk Search Processing Language (SPL), to filter the list of users. | `index=* user=*` |
| User Data Mapping | Maps field values from Splunk to fields in the Lucidum User database. | `Owner_Email->Owner_Name` |
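The settings above (host, management port, one of the two credential styles, index, sourcetype and an SPL filter) are what a read-only search request to the Splunk REST API is built from. The following is an added example, not Lucidum's or Splunk's own code: it enforces the token-or-password rule, composes a request for the documented `/services/search/jobs/export` endpoint on the management port, and parses the newline-delimited JSON that endpoint streams back. The host name and query values are the examples from the table; the sample response is constructed to show the shape of the stream and is not real data.

```python
"""Compose a read-only Splunk REST search request from the connector settings.

Added example, not Lucidum's or Splunk's own code. It assumes the Splunk
management port (8089) and the documented search endpoint
/services/search/jobs/export. The sample response at the bottom is
constructed to show the shape of the streamed JSON; it is not real data.
"""
import base64
import json
from urllib.parse import urlencode


def build_auth_header(api_token=None, username=None, password=None):
    """Return the Authorization header for exactly one credential style.

    Mirrors the connector rule: an API token or a user name and password,
    never both and never neither.
    """
    if api_token and (username or password):
        raise ValueError("use either an API token or a user name and password, not both")
    if api_token:
        return {"Authorization": f"Bearer {api_token}"}
    if username and password:
        raw = f"{username}:{password}".encode()
        return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
    raise ValueError("an API token or a user name and password is required")


def build_export_request(host, port, spl, index=None, sourcetype=None,
                         earliest="-24h"):
    """Build the URL and form body for POST /services/search/jobs/export.

    The configured index and sourcetype are prepended as search terms so the
    job only reads the data the connector was scoped to. SPL sent to this
    endpoint has to start with the 'search' command.
    """
    scope = []
    if index:
        scope.append(f"index={index}")
    if sourcetype:
        scope.append(f"sourcetype={sourcetype}")
    query = " ".join(["search", *scope, spl.strip()])
    body = urlencode({"search": query, "output_mode": "json",
                      "earliest_time": earliest})
    url = f"https://{host}:{port}/services/search/jobs/export"
    return url, body


def parse_export_results(ndjson_text):
    """Parse the newline-delimited JSON streamed by the export endpoint.

    Each line is one object; finished results carry "preview": false and the
    event fields under "result". Preview lines and blank lines are skipped.
    """
    results = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        results.append(obj["result"])
    return results


# Constructed sample of what the export endpoint streams back (not real data).
SAMPLE_EXPORT = "\n".join([
    '{"preview":true,"offset":0,"result":{"host":"web-01"}}',
    '{"preview":false,"offset":0,"result":{"host":"web-01",'
    '"Cloud_Account_ID":"123456789012","sourcetype":"device_secure_logsource"}}',
    '{"preview":false,"offset":1,"result":{"host":"db-02",'
    '"Cloud_Account_ID":"123456789012","sourcetype":"device_secure_logsource"}}',
])


if __name__ == "__main__":
    headers = build_auth_header(api_token="REPLACE_WITH_TOKEN")  # placeholder
    url, body = build_export_request("lucidum.splunkcloud.com", 8089,
                                     "type=hosts", index="devices",
                                     sourcetype="device_secure_logsource")
    print(url, body, headers, sep="\n")
    for event in parse_export_results(SAMPLE_EXPORT):
        print(event["host"], event["Cloud_Account_ID"])
```

Sending the request is left to whatever HTTP client you use; the point is that the job is scoped to the configured index and sourcetype, authenticates with a single credential style, and only the `result` objects of finished (non-preview) lines are taken as events.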

Asset Data Mapping

Lucidum has populated the Asset Data Mapping field with the most commonly used Lucidum fields. The value on the right side of the mapping is the Lucidum field.

To create a mapping:

  1. You can map only the Lucidum fields (values to the right of ->) that are already included in the Asset Data Mapping field. Currently, you cannot add new mappings.

  2. Put your cursor in the Asset Data Mapping field.

  3. Note the name of the Lucidum field you want to map. Then delete it (garbage can icon).

  4. Enter

    “Splunk field name”->Lucidum_Field_Name

    where:

    • “Splunk field name” is a field name used in Splunk Enterprise.

    • Lucidum_Field_Name is the name of the field in the Lucidum Asset database.

  5. Press Enter.

  6. The new mapping appears in the Asset Data Mapping field.

User Data Mapping

Lucidum has populated the User Data Mapping field with the most commonly used Lucidum fields. The value on the right side of the mapping is the Lucidum field.

To create a mapping:

  1. You can map only the Lucidum fields (values to the right of ->) that are already included in the User Data Mapping field. Currently, you cannot add new mappings.

  2. Put your cursor in the User Data Mapping field.

  3. Note the name of the Lucidum field you want to map. Then delete it (garbage can icon).

  4. Enter

    “Splunk field name”->Lucidum_Field_Name

    where:

    • “Splunk field name” is a field name used in Splunk Enterprise.

    • Lucidum_Field_Name is the name of the field in the Lucidum User database.

  5. Press Enter.

  6. The new mapping appears in the User Data Mapping field.
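Both mapping procedures above (Asset Data Mapping and User Data Mapping) use the same `“Splunk field name”->Lucidum_Field_Name` syntax and the same rule that the right-hand side must be a Lucidum field already present in the list. The following is an added example, not Lucidum's own code, of a parser that validates entries written that way and then projects Splunk events onto the Lucidum field names. The set of existing Lucidum fields and the sample events are constructed; only the two mapping examples from the table (`Cloud_Account_ID->Asset_Name`, `Owner_Email->Owner_Name`) come from the page.

```python
"""Parse and apply the connector's "Splunk field"->Lucidum_Field mapping syntax.

Added example, not Lucidum's own code. The set of existing Lucidum fields and
the sample Splunk events are constructed; only the mapping syntax and the rule
that the right-hand side must already exist come from the connector docs.
"""
import re

# One entry as typed into the Asset Data Mapping or User Data Mapping field.
# The Splunk name may be bare or wrapped in straight or curly quotes.
MAPPING_RE = re.compile(r'^\s*["“]?(?P<src>[^"“”]+?)["”]?\s*->\s*(?P<dst>\w+)\s*$')


def parse_mapping(entries, existing_lucidum_fields):
    """Turn mapping entries into {splunk_field: lucidum_field}.

    Returns (mapping, errors). An entry is rejected if it is malformed, if its
    Lucidum field is not one already present in the mapping list (new
    mappings cannot be added), or if it targets a Lucidum field twice.
    """
    mapping, errors, used = {}, [], set()
    for entry in entries:
        m = MAPPING_RE.match(entry)
        if not m:
            errors.append(f"malformed entry: {entry!r}")
            continue
        src, dst = m.group("src").strip(), m.group("dst")
        if dst not in existing_lucidum_fields:
            errors.append(f"{dst!r} is not an existing Lucidum field")
            continue
        if dst in used:
            errors.append(f"{dst!r} is mapped more than once")
            continue
        used.add(dst)
        mapping[src] = dst
    return mapping, errors


def apply_mapping(event, mapping):
    """Project one Splunk event onto Lucidum field names.

    Only mapped fields are copied, so nothing outside the declared metadata
    leaves the event. Splunk fields that are absent or empty are reported.
    """
    record, missing = {}, []
    for src, dst in mapping.items():
        value = event.get(src)
        if value in (None, ""):
            missing.append(src)
        else:
            record[dst] = value
    return record, missing


# Constructed: Lucidum fields pre-populated in the mapping list, and two events.
EXISTING_ASSET_FIELDS = {"Asset_Name", "Owner_Name"}
SAMPLE_EVENTS = [
    {"host": "web-01", "Cloud_Account_ID": "123456789012", "Owner_Email": "ops@example.com"},
    {"host": "db-02", "Cloud_Account_ID": "", "Owner_Email": "dba@example.com"},
]


if __name__ == "__main__":
    mapping, errors = parse_mapping(
        ["Cloud_Account_ID->Asset_Name", "“Owner_Email”->Owner_Name"],
        EXISTING_ASSET_FIELDS)
    print(mapping, errors)
    for event in SAMPLE_EVENTS:
        print(apply_mapping(event, mapping))
```

Reporting `missing` per event is what makes a bad mapping visible early: an entry whose Splunk field name is misspelled parses fine but yields an empty Lucidum field on every event, and that shows up immediately in the returned list rather than as silently blank records later.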

Source Documentation

Creating Credentials

Contact your Lucidum Sales Representative for help with creating credentials.

To create a new user with the required role, follow the tutorials in the official Splunk documentation linked below.

Required Permissions

This connector works best when you assign the built-in Power User role to the user name used for the connector.

Asset Data Query and User Data Query

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/SearchReference/WhatsInThisManual

https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/Search/Usingthesearchassistant

API Documentation

https://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTprolog
