Splunk

The Splunk data exporter allows you to send InsightIDR alert data and alert user statistics to Splunk to be recorded and analyzed.

Want to explore more options for exporting data to Splunk?

If you have a license for InsightConnect, you can configure workflows to export data to Splunk.

To set up Splunk:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Splunk to collect data from InsightIDR.
  3. Configure the data exporter in InsightIDR.
  4. Test the configuration.

Requirements

Ensure that your system meets the following requirements:

  1. You must have a license for Splunk.
  2. You must configure the Splunk inputs.conf file (or the equivalent Splunk Web input) so that Splunk listens on a TCP port for the data.

Configure Splunk to collect data from InsightIDR

To configure Splunk to collect data from InsightIDR, add a TCP network input in the Splunk inputs.conf file. To do so, follow Splunk's documentation: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Monitornetworkports. Note the port you choose: you enter the same port in InsightIDR in a later step, and the InsightIDR collector must be able to reach that port on the Splunk host.
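The following stanza is an added example of such an input, not Rapid7's or Splunk's own configuration. It assumes the port (1514), the index and sourcetype names, and the collector address 10.20.30.40 are yours to choose; adjust them to your environment. Because a raw TCP input accepts unauthenticated data from anyone who can connect, the example restricts the listener to the collector's address with acceptFrom (pair this with a host or network firewall rule):

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on Splunk Enterprise, or on the
# forwarder that receives the data if you use Splunk Cloud.
# Listens on TCP 1514 for events sent by the InsightIDR Splunk data exporter.
[tcp://1514]
# Index and sourcetype names are assumptions for this example; use your own.
index = insightidr
sourcetype = rapid7:insightidr
# Record the sending IP as the host field rather than reverse-resolving it.
connection_host = ip
# Accept connections only from the InsightIDR collector (assumed address),
# reject everything else. Rules are evaluated in order; first match wins.
acceptFrom = 10.20.30.40, !*
```

After saving the file, restart Splunk (`$SPLUNK_HOME/bin/splunk restart`) so the new input starts listening, and confirm the port is open on the host before moving on to the InsightIDR side.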

Configure the data exporter in InsightIDR

After you complete the prerequisite steps and configure Splunk to collect data, add the data exporter in InsightIDR.

To configure the new data exporter in InsightIDR:

  1. From the left menu, go to Data Collection and click Data Exporters.
  2. Click Add Data Exporter.
  3. Select Splunk as the Data Exporter Type.
  4. Name the data exporter.
  5. Select the collector that will send the data. This collector must have network access to the Splunk host and port you configured.
  6. In the Hostname field, enter the FQDN or the IP address of the Splunk instance (or forwarder) that hosts the TCP input you configured.
  7. In the Port field, enter the TCP port from your Splunk input configuration; it must match the port Splunk is listening on.
  8. Select the Data Export Types that you want to retrieve from the InsightIDR logs.
  9. Click the Save button.

Test the configuration

To test the configuration, search within Splunk against the index and sourcetype you assigned to the input to validate whether the InsightIDR data is being received. If no events arrive, check that the collector can reach the Splunk host on the configured port (firewalls and any acceptFrom restriction on the input) and that the port entered in InsightIDR matches the port in the Splunk input.
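The script below is an added example, not Rapid7 or Splunk code, for checking the network path before relying on the Splunk search. It assumes it is run on the InsightIDR collector host selected for the exporter, since that is the machine that must reach Splunk. It resolves the hostname entered in the Hostname field, connects to the port entered in the Port field, and sends one marker event containing a unique token; searching Splunk for that token confirms the input, index and sourcetype are all wired correctly. The `insightidr-preflight` source name and the event format are assumptions chosen for illustration.

```python
"""Pre-flight check for the InsightIDR -> Splunk TCP input.

Added example, not Rapid7 or Splunk code. Assumption: run on the InsightIDR
collector host, because that host must be able to reach the Splunk input.
"""
import argparse
import socket
import time
import uuid
from typing import Optional


def marker_event(sender: str, token: Optional[str] = None) -> str:
    """Build a one-line, newline-terminated marker event.

    The token is a random hex string, so a Splunk search such as
    `index=<your index> marker_token=<token>` matches exactly this event.
    The field names here are assumptions for this example.
    """
    token = token or uuid.uuid4().hex
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return f"{ts} source=insightidr-preflight sender={sender} marker_token={token}\n"


def check_tcp_input(host: str, port: int, payload: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Resolve host, connect to host:port and optionally send payload.

    Returns a result dict instead of raising, so each failure mode
    (DNS, refused/filtered port, timeout) is reported explicitly.
    """
    result = {"host": host, "port": port, "resolved": None,
              "connected": False, "sent_bytes": 0, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(host)
    except socket.gaierror as exc:
        result["error"] = f"DNS resolution failed: {exc}"
        return result
    try:
        with socket.create_connection((result["resolved"], port), timeout=timeout) as sock:
            result["connected"] = True
            if payload:
                data = payload.encode("utf-8")
                sock.sendall(data)
                result["sent_bytes"] = len(data)
    except OSError as exc:  # covers ConnectionRefusedError and socket.timeout
        result["error"] = f"TCP connect/send failed: {exc}"
    return result


def main() -> None:
    parser = argparse.ArgumentParser(
        description="Check the Splunk TCP input from the InsightIDR collector")
    parser.add_argument("host", help="FQDN or IP entered in the InsightIDR Hostname field")
    parser.add_argument("port", type=int, help="TCP port entered in the InsightIDR Port field")
    args = parser.parse_args()
    event = marker_event(socket.gethostname())
    res = check_tcp_input(args.host, args.port, payload=event)
    print(res)
    if res["connected"]:
        token = event.rsplit("marker_token=", 1)[1].strip()
        print(f"Now search Splunk for: marker_token={token}")


if __name__ == "__main__":
    main()
```

Run it as `python3 preflight.py splunk.example.com 1514` from the collector. A DNS error means the Hostname field value does not resolve from the collector; a refused or timed-out connection means the port is wrong, the input is not listening, or a firewall or acceptFrom rule is blocking the collector; a successful send followed by an empty Splunk search points at the index or sourcetype on the Splunk side.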