IBM Guardium Insights for Splunk app version 3.3.1 integrates Guardium Insights capabilities with Splunk to simplify the processes of investigating, prioritizing, and mitigating risk events in Splunk. The Guardium Insights for Splunk app gathers database user activity and search history by using the Guardium Insights API.
About this task
Note: The Guardium Insights for Splunk app version 3.3.1 supports Guardium Insights version 3.3 and up. It is not compatible with older versions of Guardium Insights.
Follow the directions to install the Guardium Insights for Splunk app from Splunk. After installation, you can configure the Splunk app.
Procedure
- Installing the Splunk app
- In Splunk, navigate to .
- Search for and install the IBM Security Guardium Insights for Splunk app.
The app configuration page opens automatically after installation. Otherwise, navigate to , filter for the IBM Security Guardium Insights for Splunk app, and click Set up.
- Configuring the Guardium Insights for Splunk app
- Connect Securely
- When selected, the Splunk app attempts to verify an SSL connection with the Guardium Insights host. It uses the current CA certificate from the Splunk server and confirms that the Insights host has a valid certificate. Enable Connect Securely when using third-party signed certificates; do not use this option with self-signed certificates.
- Guardium Insights Host
- The hostname of the Guardium Insights system that will provide data for the Splunk app.
- API Key | API Key Secret
- For more information about Guardium Insights API Keys or API Key Secrets, see Creating API keys.
- Pull Risk Events | Index name
- Enables pulling of Guardium Insights risk data. You can then choose which Splunk index will store pulled data. By default, it will create one named gi_risks, but you may create and name your own index as well.
- Data Pulling Interval (minutes)
- How frequently to update data from the Guardium Insights system.
- Data Retention Time (days)
- How long to retain data from the Guardium Insights system. If Data Retention Time (days) is set to 0, data is retained indefinitely.
- Past Event Days
- Import Guardium Insights data from the past, defined in days. After importing past data, data is updated based on the Data Pulling Interval. If Past Event Days is set to 0, no past data is imported, and data is updated based on the Data Pulling Interval.
- Click Submit to save the configuration.
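Before enabling Connect Securely, it is worth confirming that the Guardium Insights host presents a certificate that chains to a CA the Splunk server trusts, since a self-signed certificate will fail that verification. The following shell example is added here and is not from the IBM documentation; the host name, port 443, and CA-bundle path are placeholders, and the sentinel code 99 for missing output is constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): pre-check for the "Connect Securely" option.
# Requires the openssl CLI; host, port 443 and CA path are assumptions.

# Extract the numeric "Verify return code" from openssl s_client output.
# Prints the code (0 = chain verified) and succeeds only when it is 0.
# If no verify line is present at all, prints the constructed sentinel 99.
verify_code_from_output() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    [ -n "$code" ] || code=99
    printf '%s\n' "$code"
    [ "$code" -eq 0 ]
}

# Connect to the Guardium Insights host and verify its certificate chain
# against the CA bundle the Splunk server uses (path is a placeholder).
check_gi_cert() {
    host=$1
    cafile=$2
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
        -CAfile "$cafile" </dev/null 2>&1)
    if code=$(verify_code_from_output "$out"); then
        echo "OK: $host chains to $cafile; Connect Securely can be enabled"
        return 0
    fi
    echo "FAIL (verify return code $code): $host does not chain to $cafile"
    echo "Self-signed or untrusted certificates fail here; use a CA-signed certificate or leave Connect Securely off"
    return 1
}

# Usage with placeholder values:
#   check_gi_cert gi.example.internal /opt/splunk/etc/auth/cacert.pem
```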
What to do next
After installation of the Splunk app, you can use it as described in Splunk app views.