Splunk

Splunk integration enables the inspection of Plixer Scrutinizer flow and event data in the Splunk dashboard via the Scrutinizer for Splunk app.

This allows teams already using Splunk to seamlessly leverage Plixer Scrutinizer’s flow collection and analysis capabilities and quickly jump between the two platforms as needed.

Note

Splunk integration requires Plixer Scrutinizer 19.6.0 or higher. The Scrutinizer for Splunk app expects both the Splunk Enterprise server and Splunk Forwarder client software to be pre-installed in the customer environment.

Configuring Splunk integration in Plixer Scrutinizer

To set up Plixer Scrutinizer for Splunk integration, follow these steps:

  1. SSH to the Plixer Scrutinizer server as the plixer user.

  2. Launch the interactive CLI:

    /home/plixer/scrutinizer/bin/scrut_util
    
  3. At the SCRUTINIZER> prompt, run the following:

    SCRUTINIZER> enable splunk http://<SPLUNK_SERVER_IP:PORT> <SYSLOG_PORT> <SPLUNK_FORWARDER_IP>
    

    The default Splunk server port is 8000 (if port 80 is used, no port number is required after the server IP address). The default listening port (SYSLOG_PORT) on the Splunk Forwarder is 1514.

After the command is run, Plixer Scrutinizer will begin sending flow and event data once the next flow analytics collection and detection cycle is complete.
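Before running enable splunk, it is worth confirming from the Scrutinizer host that both endpoints named in the command answer, so that a later "no data in Splunk" symptom is not simply a closed port. The pre-flight script below is an added example, not part of Plixer's documentation or of scrut_util; it assumes the forwarder's syslog input on port 1514 is TCP (a UDP input cannot be probed this way), and the addresses in the usage comment are constructed.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not part of Plixer Scrutinizer or the Scrutinizer for
# Splunk app). Run on the Scrutinizer server before the scrut_util command
#   enable splunk http://<SPLUNK_SERVER_IP:PORT> <SYSLOG_PORT> <SPLUNK_FORWARDER_IP>

# Split the Splunk server URL into "host port". The port is omitted from the
# URL when the server listens on 80, so a bare host means port 80; the usual
# Splunk web port is 8000.
splunk_host_port() {
  local url="$1" hostport host port
  hostport="${url#http://}"
  hostport="${hostport#https://}"
  hostport="${hostport%%/*}"      # drop any trailing path
  host="${hostport%%:*}"
  if [ "$hostport" = "$host" ]; then
    port=80
  else
    port="${hostport##*:}"
  fi
  printf '%s %s\n' "$host" "$port"
}

# Return 0 if a TCP connection to host:port opens within 3 seconds. Uses bash's
# /dev/tcp so no extra tooling is needed. Assumption: the forwarder's syslog
# input is TCP; a UDP listener cannot be probed this way.
tcp_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Check the Splunk server and the forwarder syslog listener; non-zero on failure.
preflight() {
  local server_url="$1" syslog_port="$2" forwarder_ip="$3" host port rc=0
  set -- $(splunk_host_port "$server_url")
  host="$1"; port="$2"
  if tcp_reachable "$host" "$port"; then
    echo "OK    Splunk server $host:$port"
  else
    echo "FAIL  Splunk server $host:$port is unreachable"; rc=1
  fi
  if tcp_reachable "$forwarder_ip" "$syslog_port"; then
    echo "OK    Splunk forwarder $forwarder_ip:$syslog_port"
  else
    echo "FAIL  Splunk forwarder $forwarder_ip:$syslog_port is not listening"; rc=1
  fi
  return "$rc"
}

# Usage with constructed addresses (replace with your own):
#   preflight http://10.42.100.142:8000 1514 10.42.100.143
```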

Installing the Scrutinizer for Splunk app

After configuring Plixer Scrutinizer to send data to Splunk, the Scrutinizer for Splunk app can be installed as follows:

  1. Download the Scrutinizer for Splunk app:

    REPO_HOST=files.plixer.com
    # -k disables TLS certificate verification; it is only needed when REPO_HOST presents a certificate this host does not trust
    curl -k -o scrutinizer.spl "https://$REPO_HOST/plixer-repo/scrutinizer/19.6.0/util/scrutinizer.spl"
    

    If an offline repo host was used to install or upgrade Plixer Scrutinizer, REPO_HOST can be set to the IP address of that host.

  2. Log into Splunk.

  3. Go to Apps > Manage Apps in the Splunk dashboard.

  4. Click the Install app from file button, and then select the scrutinizer.spl file downloaded in step 1.

  5. After the app is installed, locate the Scrutinizer for Splunk app in the Manage Apps menu and click View Objects.

  6. Select Default, and then replace the default IP address (10.42.100.142) with the address of the Plixer Scrutinizer server to connect to Splunk.

  7. Click the Save button to save the new address.

When done, return to the dashboard and access the Scrutinizer for Splunk app from the Apps menu. Data and graphs should begin to populate after a few minutes.

Note

  • If no data appears in the Splunk UI after 5-10 minutes, restart the Splunk service on the Splunk Server by running:

    sudo /opt/splunk/bin/splunk restart
    

    Data should start to appear on the Scrutinizer Vitals page in the Splunk UI.

  • To upgrade the Scrutinizer for Splunk app instead, tick the Upgrade app checkbox when selecting the scrutinizer.spl in the install dialog.

Visit https://www.plixer.com to learn more or contact Plixer Technical Support for further assistance.

Disabling Splunk integration

To disable Splunk integration in Plixer Scrutinizer:

  1. SSH to the Plixer Scrutinizer server as the plixer user, and then launch the interactive CLI:

    /home/plixer/scrutinizer/bin/scrut_util

  2. At the SCRUTINIZER> prompt, run the following:

    SCRUTINIZER> disable splunk http://<SPLUNK_SERVER_IP:PORT>