Configuring QRadar App for Splunk Data Forwarding

Administrators can restrict access to the app by putting it in Preview-only mode. In preview-only mode, non-administrative users can add or remove Splunk instances in this app, but they can't modify the actual Splunk instance. In particular, non-administrative users can preview changes and send them to an administrator to manually modify the Splunk configuration files.

Before you begin

The port that you use to configure the Splunk Server must be open so that the app can use the Splunk APIs to communicate with the Splunk Server.

About this task

Administrators can enable Automatic Sync and set the time interval for the application to keep the sources data within the application in sync with the sources available on configured Splunk instances.


  1. On the Admin tab, go to the QRadar® App for Splunk Data Forwarding area of the Plug-ins section and click Configuration.
  2. Add an authentication token (if not already set) to connect to QRadar. See Creating an authentication token.
  3. Optional: Put the app in preview mode.
  4. Optional: Enable the Automatic Sync check box, and then set the time in minutes for the interval between automatic sync operations. The default interval is 60 minutes.
    Tip: Set a value in accordance with the number of Splunk instances configured in the application. Frequent synchronization with many Splunk instances that are configured might result in application performance deterioration.
  5. Click Set to save the changes and close the window.
  6. When the configuration is complete, refresh the browser window before you use the app.


The Forwarding from Splunk tab is added to the toolbar.

What to do next

Adding Splunk instances to the app