Splunk
  • 03 Mar 2023


Want to reduce Splunk spend?

Watch the webinar recording to learn about using LimaCharlie to reduce spending on Splunk and other high-cost security data solutions.

To send data from LimaCharlie to Splunk, you will need to configure an Output.

Splunk Setup

Follow Splunk's guide to set up an HTTP Event Collector (HEC), and as you do, set the Source type to _json.

LimaCharlie Setup

From the Outputs view, click Add Output.


Choose the type of stream you want to output from LimaCharlie.


Set Webhook or Webhook Bulk as a destination.


Enter the output name.


Enter the correct HEC URI for your Splunk implementation as the Destination Host. Use the /services/collector/event endpoint. Note that if you are using Splunk Cloud, the host will be the string from the URL https://<host>.splunkcloud.com/.


Here is a sample Splunk HEC configuration:

Destination Host = https://host.domain.com:8088/services/collector/raw
Auth Header Name = Authorization
Auth Header value = Splunk xxxxxx-xxxx-xxxx-xxxx-xxxxxx

Before saving the output, you can configure any of the advanced Output settings.

Tag - providing a tag name only sends events from sensors that carry this tag. Tags can be managed in the sensor details view.

Sensor - choosing a sensor ID will only send events or detections from this sensor.

Flatten - flattens the JSON; no changes are needed for this Splunk configuration.

Wrap JSON event with Event Type - by default, we do not add a prefix in front of every record. The prefix is useful for loading data into relational databases. If you want human-readable records, leave this option unchecked.

Delete on Failure - when set to Yes, the system will completely delete the output configuration in case of failure. This is useful when you are configuring a temporary output needed for a short while and you don't want to have to worry about cleaning up later.

You can choose to only send a specific list of event types by configuring an allow list in the Detection Category section. Alternatively, if you want to exclude certain event types, you can denote it in a deny list (Disallowed Detection Categories).

Do not include routing - this flag forwards only the original logs to Outputs, excluding the routing label. This can be helpful for users who want to use LimaCharlie for storage optimization, since the routing label can add significant overhead.
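As an added example (not part of the LimaCharlie documentation or of the product's own code), the following Python models what the Tag, Sensor, Flatten, Wrap JSON event with Event Type and Do not include routing settings do to a record before it is posted to the HEC, and how the configured Auth Header is attached to that POST. The sample event, the dotted-key shape produced by flattening, the wrapped-record shape ({event_type: record}) and all sample values are assumptions constructed for illustration; only the "Splunk <token>" Authorization header form and the HEC acceptance response ({"text":"Success","code":0}) are Splunk's actual behaviour.

```python
import json
import urllib.request
from typing import Any, Optional

# Constructed sample in the general shape of a LimaCharlie sensor event
# (routing label plus the original event). Not real data.
SAMPLE_EVENT = {
    "routing": {
        "sid": "00000000-0000-0000-0000-000000000000",
        "hostname": "workstation-01",
        "event_type": "NEW_PROCESS",
        "tags": ["workstation", "finance"],
    },
    "event": {
        "FILE_PATH": "C:\\Windows\\System32\\notepad.exe",
        "COMMAND_LINE": "notepad.exe report.txt",
        "PROCESS_ID": 4242,
    },
}


def sensor_matches(record: dict, tag: Optional[str] = None, sid: Optional[str] = None) -> bool:
    """Tag / Sensor filters: only forward records whose routing label matches."""
    routing = record.get("routing", {})
    if tag is not None and tag not in routing.get("tags", []):
        return False
    if sid is not None and routing.get("sid") != sid:
        return False
    return True


def flatten_json(obj: Any, prefix: str = "", sep: str = ".") -> dict:
    """Flatten nested dicts and lists into one level of dotted keys.
    The '.' separator is an assumption; the page does not state the exact format."""
    out: dict = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten_json(value, f"{prefix}{sep}{key}" if prefix else str(key), sep))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten_json(value, f"{prefix}{sep}{index}" if prefix else str(index), sep))
    else:
        out[prefix] = obj
    return out


def build_hec_body(record: dict, flatten: bool = False, wrap: bool = False,
                   drop_routing: bool = False) -> dict:
    """Apply the advanced output settings to one record and return the HEC body."""
    event_type = record.get("routing", {}).get("event_type", "UNKNOWN")
    body = record
    if drop_routing:
        # "Do not include routing": forward only the original log.
        body = {k: v for k, v in record.items() if k != "routing"}
    if wrap:
        # "Wrap JSON event with Event Type": assumed shape {event_type: record}.
        body = {event_type: body}
    if flatten:
        body = flatten_json(body)
    return body


def build_hec_request(destination_host: str, token: str, body: dict,
                      auth_header_name: str = "Authorization") -> urllib.request.Request:
    """Build (but do not send) the POST the webhook output makes to the HEC.
    The token goes in the configured header as 'Splunk <token>', as on the page."""
    data = json.dumps(body, separators=(",", ":")).encode("utf-8")
    req = urllib.request.Request(destination_host, data=data, method="POST")
    req.add_header(auth_header_name, f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def hec_accepted(response_body: str) -> bool:
    """HEC replies {"text":"Success","code":0} when it accepts the data;
    any other code (for example 4, invalid token) means the batch was rejected."""
    try:
        resp = json.loads(response_body)
    except ValueError:
        return False
    return resp.get("code") == 0


if __name__ == "__main__":
    if sensor_matches(SAMPLE_EVENT, tag="finance"):
        body = build_hec_body(SAMPLE_EVENT, flatten=True, wrap=True)
        req = build_hec_request("https://host.domain.com:8088/services/collector/raw",
                                "PLACEHOLDER-HEC-TOKEN", body)
        print(req.full_url, req.get_header("Authorization"))
        print(req.data.decode())
```

Running the module prints the URL, the Authorization header and the flattened, wrapped body so you can compare it against what arrives in Splunk under the _json sourcetype; nothing is sent on the network.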
