Splunk Integration User Guide
This document describes the integration of ITM On-Prem with Splunk software.
Documentation is currently being rebranded from ObserveIT to ITM On-Prem. Anything referred to as ITM On-Prem means ObserveIT, and anything referred to as ObserveIT is ITM On-Prem.
Features
ITM On-Prem includes the following to collect and manage the data:
- ObserveIT Technology Add-on (ObserveIT TA): Connects Splunk to the ObserveIT RESTful API to continuously pull the latest user activity and alert events. ObserveIT TA pulls data from ObserveIT into Splunk as follows:
  - Subscribes to User Activity and/or Alert events
  - Polls events from multiple ObserveIT instances
- ObserveIT App for Splunk: Leverages the data collected by ObserveIT TA to provide full-featured User Activity and Alert dashboards. Direct session-playback links for each session from Splunk to the ObserveIT console bring instant deep analysis of user behavior to Splunk and include:
  - Detailed summary of user sessions and alerts, with drill-down into individual user activities
  - Charts to highlight risky users and applications
  - Direct link to Session Player from all user activities and alerts
Prerequisites
- Download and install ObserveIT TA and ObserveIT App for Splunk from Splunkbase
- ObserveIT TA communicates with your ObserveIT API directly, typically on port 443
- ObserveIT (minimum version: 7.12)
- Splunk Enterprise platform versions: 9.1, 9.0, 8.2, 8.1, 8.0
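Because ObserveIT TA pulls data by calling the ObserveIT API directly, the most common setup failures are network reachability to port 443 and an ObserveIT TLS certificate the Splunk host does not trust. The script below is an added example, not part of this guide or of the ObserveIT TA; it assumes the API is served over HTTPS on the host and port you pass in (OBSERVEIT_HOST is a placeholder to replace with your own API hostname) and uses curl's documented exit statuses to tell a firewall problem apart from a certificate-trust problem before you configure the add-on.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the Splunk host -> ObserveIT API path.
# Assumptions (not from the guide): HTTPS on the given host/port;
# OBSERVEIT_HOST below is a placeholder, not a real hostname.

# Map curl's exit status to the question a Splunk admin actually asks.
describe_curl_exit() {
  case "$1" in
    0)   echo "reachable: TLS handshake and HTTP request succeeded" ;;
    6)   echo "DNS failure: the ObserveIT hostname does not resolve from this host" ;;
    7)   echo "connection refused/unreachable: check firewall rules and that the API listens on this port" ;;
    28)  echo "timeout: packets are being dropped between Splunk and ObserveIT" ;;
    35)  echo "TLS handshake failed: protocol/cipher mismatch on the API endpoint" ;;
    60)  echo "certificate not trusted: import the ObserveIT CA into the Splunk host's trust store" ;;
    127) echo "curl is not installed on this host" ;;
    *)   echo "curl exited with status $1" ;;
  esac
}

# Usage: check_observeit_api <host> [port]   (port defaults to 443)
# Prints a one-line diagnosis and returns curl's exit status (0 = OK).
check_observeit_api() {
  host="$1"
  port="${2:-443}"
  if ! command -v curl >/dev/null 2>&1; then
    describe_curl_exit 127
    return 127
  fi
  # Only the TCP connection and TLS handshake matter here; the HTTP
  # status of "/" is irrelevant, so the response body is discarded.
  curl --silent --show-error --connect-timeout 5 --max-time 10 \
       --output /dev/null "https://${host}:${port}/"
  rc=$?
  echo "${host}:${port} -> $(describe_curl_exit "$rc")"
  return "$rc"
}

# Example run (replace the placeholder with your ObserveIT API host):
# check_observeit_api OBSERVEIT_HOST 443
```

Run it from the Splunk instance that will host ObserveIT TA (the search head or heavy forwarder doing the polling), not from your workstation, since the firewall path and the trust store that matter are that machine's. A status of 60 means the connection itself is fine and only certificate trust needs fixing; 7 or 28 point at the network rather than at the add-on configuration.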
For more information, see:
Splunk Deployment Architecture
Splunk Troubleshooting and Support