Adding Splunk instances to the app

Add Splunk instances to the app so that you can forward data sources to QRadar® for monitoring and analysis.

Procedure

  1. To add a single Splunk instance, complete the following steps:
    1. Go to the Forwarding from Splunk tab, and then click Splunk Instances > Add Single Splunk Instance.
    2. Enter the IP address or hostname and the port number of the Splunk instance, and the user credentials for that instance.
    3. Set Certificate validation to False.
    4. Click Add > Close.
  2. To add multiple Splunk instances, complete the following steps:
    1. Go to the Forwarding from Splunk tab, and then click Splunk Instances > Add Multiple Splunk Instances.
    2. Download a sample CSV file, add the IP address or hostname and the port number for each Splunk instance, and replace the sample user credentials for each Splunk instance. If you use a Splunk Deployment Server, you can connect to it and generate a CSV file that lists all of the Splunk servers that exist in the Splunk deployment. Add the usernames and passwords for each server that is listed in the file, and then upload the file to the app.
      Notes:
      • The CSV files contain these fields: Host name (DNS), IP address, port number, username, and password. You can choose how to import the file by either hostname or IP address. The system default imports by hostname. For every row, only the hostname or the IP address is required. You can specify only the hostname for some rows and only the IP address for other rows. If you choose to import by hostname but only the IP address is available, it is imported by IP address. If you choose to import by IP address but only the hostname is available, it is imported by hostname.
      • If you choose to overwrite the existing instances, the username and password are updated if they are different from the previously uploaded file.
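The following pre-upload check for the CSV file is an added example, not code from the app or from IBM. It applies the hostname/IP address fallback rule from the notes above and flags rows that are missing required values. The column names, the `check_csv` and `resolve_target` helpers, and the sample rows are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumed column names; the app's sample CSV may label its columns differently.
FIELDS = ["hostname", "ip", "port", "username", "password"]

# Constructed sample data (documentation addresses and placeholder credentials).
SAMPLE = """hostname,ip,port,username,password
splunk-idx1.example.com,192.0.2.10,8089,svc_qradar,CHANGE_ME
,192.0.2.11,8089,svc_qradar,CHANGE_ME
splunk-sh1.example.com,,8089,svc_qradar,CHANGE_ME
,,8089,svc_qradar,CHANGE_ME
splunk-idx2.example.com,,99999,svc_qradar,
"""

def resolve_target(row, prefer="hostname"):
    """Use the preferred field; fall back to the other one if it is empty."""
    host, ip = row["hostname"].strip(), row["ip"].strip()
    return (host or ip) if prefer == "hostname" else (ip or host)

def check_csv(text, prefer="hostname"):
    """Return (targets, problems); problems never include credentials."""
    targets, problems, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        return [], [f"line 1: missing columns {missing}"]
    for raw in reader:
        n = reader.line_num  # physical line number in the file
        row = {k: (v or "") for k, v in raw.items() if k}
        target = resolve_target(row, prefer)
        if not target:
            problems.append(f"line {n}: neither hostname nor IP address given")
            continue
        if row["ip"].strip():
            try:
                ipaddress.ip_address(row["ip"].strip())
            except ValueError:
                problems.append(f"line {n}: invalid IP address")
        port = row["port"].strip()
        if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"line {n}: invalid port")
        if not row["username"].strip() or not row["password"]:
            problems.append(f"line {n}: missing username or password")
        if (target.lower(), port) in seen:
            problems.append(f"line {n}: duplicate instance {target}:{port}")
        seen.add((target.lower(), port))
        targets.append(target)
    return targets, problems
```

Because the file holds a username and password for every listed server, the check reports only line numbers and host identifiers, so its output can be shared without exposing credentials.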

What to do next

t_Qapps_Splunk_forward_data.html#task_dvq_xrj_rbb