Splunk Integration User Guide
This document describes the integration of ITM On-Prem with Splunk software.
From version 2.3.3 on, HTTPS and SSL verification are mandatory and require a CA certificate chain.
After upgrading the TA, you must provide the path to the CA certificate chain file, relative to $SPLUNK_HOME. If no file name is provided, the default CA certificates are used. (See Configuring ObserveIT TA for Splunk.)
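A preflight check for the CA chain setting described above, as an added example that is not part of this guide or of the TA's own code: it resolves the configured file name relative to $SPLUNK_HOME, falls back to the default CA certificates when the name is empty, and builds a TLS context that always verifies the ObserveIT API certificate. The parameter name `ca_chain_setting`, the `/opt/splunk` default and the sample PEM text are assumptions.

```python
"""Preflight check for the ObserveIT TA CA chain setting (added example, not TA code)."""
import os
import re
import ssl

# One PEM certificate block; a chain file holds the intermediate(s) and root back to back.
PEM_CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample with dummy bodies (not real certificates): two blocks, as a chain would have.
SAMPLE_CHAIN_TEXT = (
    "-----BEGIN CERTIFICATE-----\nMIID...intermediate...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIID...root...\n-----END CERTIFICATE-----\n"
)


def resolve_ca_chain(ca_chain_setting, splunk_home=None):
    """Absolute path of the chain file (taken relative to $SPLUNK_HOME), or None for the default CAs."""
    if not ca_chain_setting:
        return None
    base = splunk_home or os.environ.get("SPLUNK_HOME", "/opt/splunk")  # default path is an assumption
    return os.path.join(base, ca_chain_setting)


def count_pem_certificates(pem_text):
    """Number of certificate blocks in the text; 0 means it is not a usable PEM chain."""
    return len(PEM_CERT_BLOCK.findall(pem_text))


def build_verify_context(ca_chain_setting, splunk_home=None):
    """SSLContext verifying the ObserveIT API: configured chain if set, default CAs otherwise; never unverified."""
    ca_path = resolve_ca_chain(ca_chain_setting, splunk_home)
    if ca_path is not None:
        # Fail loudly on a missing or empty chain file instead of silently skipping verification.
        if not os.path.isfile(ca_path):
            raise FileNotFoundError(f"CA chain file not found under SPLUNK_HOME: {ca_path}")
        with open(ca_path, encoding="utf-8") as fh:
            if count_pem_certificates(fh.read()) == 0:
                raise ValueError(f"{ca_path} contains no PEM certificate blocks")
    # create_default_context enables hostname checking and CERT_REQUIRED; cafile=None
    # selects the platform's default CA store, matching the TA's documented fallback.
    return ssl.create_default_context(cafile=ca_path)


if __name__ == "__main__":
    print("resolved:", resolve_ca_chain("etc/auth/itm/ca_chain.pem", "/opt/splunk"))
    print("blocks in sample chain:", count_pem_certificates(SAMPLE_CHAIN_TEXT))
    print("default-CA verify_mode:", build_verify_context("").verify_mode)
```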
The documentation is currently being rebranded from ObserveIT to ITM On-Prem. ITM On-Prem and ObserveIT are the same product: anything referred to as ITM On-Prem means ObserveIT, and anything referred to as ObserveIT is ITM On-Prem.
For a PDF version, see Splunk Integration User Guide - PDF.
Features
ITM On-Prem includes the following to collect and manage the data:
- ObserveIT Technology Add-on (ObserveIT TA): Connects Splunk to the ObserveIT RESTful API to continuously pull the latest user activity and alert events. ObserveIT TA pulls data from ObserveIT into Splunk as follows:
  - Subscribes to User Activity and/or Alert events
  - Polls events from multiple ObserveIT instances
- ObserveIT App for Splunk: Leverages the data collected by ObserveIT TA to provide full-featured User Activity and Alert dashboards. Direct session-playback links for each session from Splunk to the ObserveIT console bring instant deep analysis of user behavior to Splunk and include:
  - Detailed summary of user sessions and alerts, with drill-down into individual user activities
  - Charts to highlight risky users and applications
  - Direct link to Session Player from all user activities and alerts
Prerequisites
- Download and install ObserveIT TA and ObserveIT App for Splunk from Splunkbase
- ObserveIT TA communicates with your ObserveIT API directly, typically on port 443
- ObserveIT (Minimum version: 7.12)
- Splunk Enterprise: Platform Version: 9.1, 9.0, 8.2, 8.1, 8.0
For more information, see:
Splunk Deployment Architecture
Splunk Troubleshooting and Support