- Print
- DarkLight
To send data from LimaCharlie to Splunk, you will need to configure an Output.
Watch the webinar recording to learn about using LimaCharlie to reduce spending on Splunk and other high-cost security data solutions.
To send data from LimaCharlie to Splunk, you will need to configure an Output.
Splunk Setup
Follow Splunk's guide to set up an HEC, and as you do, set the Source type to _json
.
LimaCharlie Setup
From the Outputs view, click Add Output
.
Choose the type of stream you want to output from LimaCharlie.
Set Webhook
or Webhook Bulk
as a destination.
Enter the output name.
Enter the correct HEC URI for your Splunk implementation as Destination Host. Use the /services/collector/event endpoint. Note if you are using Spunk cloud, https://<host>.splunkcloud.com/
.
Here is a sample Splunk HEC configuration:
Destination Host = https://host.domain.com:8088/services/collector/raw
Auth Header Name = Authorization
Auth Header value = Splunk xxxxxx-xxxx-xxxx-xxxx-xxxxxx
Before saving the output, you can configure any of the advanced Output settings.
Tag - Providing a tag name allows you to only send events from sensor with this tag. Tags can be managed at the sensor details view.
Sensor - choosing a sensor ID will only send events or detections from this sensor.
Flatten will flatted the JSON; no changes are needed for the email configuration.
**Wrap JSON event with Event Type **- by default, we do not add prefix in front of every record. Prefix is useful for loading data into relational databases. If you are looking to receive a human-readable email, leave this option unchecked.
Delete on Failure - when set to Yes, the system will completely delete the output configuration in case of failure. This is useful when you are configuring a temporary output needed for a short while and you don't want to have to worry about cleaning up later.
You can choose to only send a specific list of event types by configuring an allow list in the Detection Category section. Alternatively, if you want to exclude certain event types, you can denote it in a deny list (Disallowed Detection Categories).
Do not include routing flag allows users to forward only the original logs to Outputs, excluding the routing label. This can be helpful for users wanting to use LimaCharlie for storage optimization since the routing label can add significant overhead.