Administrators can restrict access to the app by putting it in preview-only mode. In preview-only mode, non-administrative users can add or remove Splunk instances in this app, but they can't modify the actual Splunk instance. In particular, non-administrative users can preview changes and send them to an administrator to manually modify the Splunk configuration files.
Before you begin
The port that you use to configure the Splunk Server must be open so that the app can use the Splunk APIs to communicate with the Splunk Server.
About this task
Administrators can enable Automatic Sync and set the time interval at which the application keeps its source data in sync with the sources available on the configured Splunk instances.
Procedure
- On the Admin tab, go to the QRadar® App for Splunk Data Forwarding area of the Plug-ins section and click Configuration.
- Add an authentication token (if not already set) to connect to QRadar. See Creating an authentication token.
- Optional: Put the app in preview mode.
- Optional: Enable the Automatic Sync check box, and then set the time in minutes for the interval between automatic sync operations. The default interval is 60 minutes.
  Tip: Set a value in accordance with the number of Splunk instances configured in the application. Frequent synchronization with many configured Splunk instances might degrade application performance.
- Click Set to save the changes and close the window.
- When the configuration is complete, refresh the browser window before you use the app.
Results
The Forwarding from Splunk tab is added to the toolbar.