Splunk
The Splunk connector integrates with the Splunk platform to fetch and synchronize data by executing a configured SPL search. It creates a search job using the Splunk REST API, waits for the job to complete, and retrieves paginated search results. You can bring search result data from Splunk into Brinqa to gain a unified view of your attack surface, thus strengthening your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Splunk and how to obtain that information from Splunk. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Splunk from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information so that Brinqa can authenticate with Splunk:
- url: The Splunk server URL.
- username: The Splunk account username.
- password: The Splunk account password.
Additional settings
The Splunk connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. Values above 100 are not recommended.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Skip certificate verification: When enabled, the connector does not verify the Splunk server's SSL/TLS certificate, which leaves the connection open to interception. The default setting is disabled; keep it disabled unless the Splunk server presents a certificate that cannot otherwise be trusted.
Types of data to retrieve
The Splunk connector can retrieve the following types of data from the Splunk API:
Table 1: Data retrieved from Splunk
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Result | Yes | None |
The Splunk connector does not currently support operation options for the types of data it retrieves.
For detailed steps on how to view the data retrieved from Splunk in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Result
Attributes for this model are derived dynamically from the Splunk search results. All fields returned by the Splunk search are added as attributes. Collection values are multi-valued; others are single-valued.
Table 2: Result attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| SearchResponse.results[*] | (DYNAMIC ATTRIBUTES) |
| Generated (MD5 hash of all result values) | UID |
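The following is an example added to this page, not Brinqa's connector code, showing how one Splunk result row becomes a record with dynamic attributes and a hash-derived UID as Table 2 describes: list values become multi-valued attributes, everything else single-valued, and the UID is an MD5 over all result values. The canonical ordering used for the hash (sorted field names, compact JSON) is an assumption; the page only states that the UID is an MD5 hash of all result values. The sample rows are constructed.

```python
"""Added example (not Brinqa's code): map a Splunk search result row to a
record with dynamic attributes and a UID derived from an MD5 of its values."""
import hashlib
import json

# Constructed sample rows, shaped like entries of Splunk's JSON "results" array.
SAMPLE_ROWS = [
    {"_time": "2024-01-01T00:00:00", "host": "web01", "src_ip": ["10.0.0.1", "10.0.0.2"]},
    {"_time": "2024-01-01T00:00:00", "host": "web01", "src_ip": ["10.0.0.1", "10.0.0.2"]},
    {"_time": "2024-01-01T00:05:00", "host": "web02", "src_ip": ["10.0.0.3"]},
]


def result_uid(attrs):
    """MD5 over every attribute value except UID itself.
    Assumption: sorted keys and a compact JSON encoding give a canonical form,
    so field order in the Splunk response does not change the UID."""
    values = {k: v for k, v in attrs.items() if k != "UID"}
    canonical = json.dumps(values, sort_keys=True, separators=(",", ":"))
    return hashlib.md5(canonical.encode("utf-8")).hexdigest()


def map_result(row):
    """Every field in the row becomes an attribute; collections are multi-valued."""
    attrs = {}
    for name, value in row.items():
        if isinstance(value, (list, tuple, set)):
            attrs[name] = [str(v) for v in value]  # multi-valued attribute
        else:
            attrs[name] = str(value)               # single-valued attribute
    attrs["UID"] = result_uid(attrs)
    return attrs


def dedupe(rows):
    """Collapse rows that hash to the same UID, as a re-run of the same search
    would: identical rows map to one record, any changed value to a new one."""
    records = {}
    for row in rows:
        rec = map_result(row)
        records[rec["UID"]] = rec
    return records


if __name__ == "__main__":
    for uid, rec in dedupe(SAMPLE_ROWS).items():
        print(uid, rec["host"], rec["src_ip"])
```

Because every value, including `_time`, feeds the hash, two otherwise identical events with different timestamps are distinct records, while the same event returned by two search runs keeps one UID.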
APIs
The Splunk connector uses the Splunk REST API. Specifically, it uses the following endpoints:
Table 3: Splunk API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Result | POST /services/search/jobs |
| Result | GET /services/search/jobs/{sid} |
| Result | GET /services/search/jobs/{sid}/results |
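The following is an example added to this page, not Brinqa's connector code or a Splunk SDK, that walks the three endpoints in Table 3 in the order the connector description gives: create a search job, poll it until it is done, then read results in pages of the configured page size. The HTTP transport is injected so the flow can be exercised offline against a fake Splunk with constructed events; the hostname, credentials and SPL string are placeholders, and the `verify_tls` flag mirrors the "Skip certificate verification" setting.

```python
"""Added example (not Brinqa's or Splunk's code): Splunk search-job lifecycle
over the REST endpoints listed above, with an injectable transport."""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

JOBS = "/services/search/jobs"


def make_urllib_transport(base_url, username, password, verify_tls=True):
    """Return send(method, path, params) -> dict using only the stdlib.
    verify_tls=False disables certificate checks, which exposes the password
    and results to interception; keep it True unless you control the server."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, path, params):
        params = dict(params, output_mode="json")
        body = urllib.parse.urlencode(params).encode()
        url = base_url.rstrip("/") + path
        if method == "GET":
            url, body = url + "?" + body.decode(), None
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)
    return send


def run_search(send, spl, page_size=100, poll_interval=1.0, max_polls=600):
    """POST the job, GET its status until isDone, then GET results page by page."""
    if not (spl.lstrip().startswith("search ") or spl.lstrip().startswith("|")):
        spl = "search " + spl  # the REST API requires a leading command
    sid = send("POST", JOBS, {"search": spl, "exec_mode": "normal"})["sid"]
    for _ in range(max_polls):
        content = send("GET", f"{JOBS}/{sid}", {})["entry"][0]["content"]
        if content["dispatchState"] == "FAILED":
            raise RuntimeError(f"search job {sid} failed")
        if content["isDone"]:
            break
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"search job {sid} did not finish in time")
    results, offset = [], 0
    while True:  # a short page means the last page has been read
        page = send("GET", f"{JOBS}/{sid}/results",
                    {"count": page_size, "offset": offset})["results"]
        results.extend(page)
        if len(page) < page_size:
            return results
        offset += page_size


class FakeSplunk:
    """Offline stand-in for the three endpoints; the sid and events are constructed."""
    def __init__(self, events, polls_until_done=2):
        self.events, self.polls_left, self.calls = events, polls_until_done, []

    def __call__(self, method, path, params):
        self.calls.append((method, path, dict(params)))
        if method == "POST" and path == JOBS:
            return {"sid": "1700000000.1"}
        if path == f"{JOBS}/1700000000.1":
            self.polls_left -= 1
            done = self.polls_left <= 0
            return {"entry": [{"content": {"isDone": done,
                                            "dispatchState": "DONE" if done else "RUNNING"}}]}
        if path == f"{JOBS}/1700000000.1/results":
            off, cnt = int(params["offset"]), int(params["count"])
            return {"results": self.events[off:off + cnt]}
        raise ValueError(f"unexpected endpoint {path}")


SAMPLE_EVENTS = [{"_time": f"2024-01-01T00:0{i}:00", "host": f"web0{i}"} for i in range(5)]

if __name__ == "__main__":
    fake = FakeSplunk(SAMPLE_EVENTS)
    print(len(run_search(fake, "index=main", page_size=2, poll_interval=0)), "results")
    # Real use (placeholders): send = make_urllib_transport(
    #     "https://splunk.example.internal:8089", "svc-brinqa", "PASSWORD", verify_tls=True)
```

With a page size of 2 the fake returns five events over three result requests, which is the paging behaviour the "Page size" setting controls; the management REST API listens on port 8089 by default, so that is normally the port in the url setting.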
Changelog
The Splunk connector has undergone the following changes:
This connector is part of a bundled release with other connectors from the same vendor. If a version shows "No change", it means that the connector version was updated for consistency as part of the bundle, but no functional changes were made to this specific connector. You can update to or skip this version without affecting your existing configuration.
Table 4: Splunk Changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.0 | Initial Integration+ release. | TBD |