Splunk is an aggregator, search engine and dashboarding solution for log data. This integration uses the real-time search function of the Splunk API, continuously receives data over that connection, and pushes it to the Unomaly analysis engine. The result is plug-and-play real-time machine learning and anomaly detection by Unomaly on the data sent to Splunk.


Instructions

Download the Unomaly Splunk transport

Install the transport

  1. Use SFTP to copy the package to the Unomaly server.

  2. Use SSH to connect to the Unomaly server.

  3. Locate the uploaded file and install it with the following command, then follow the on-screen instructions:

    sudo sh unomaly-[transportname]-[version].run
    

Configure the transport

The configuration file is located in /DATA/unomaly_transports/splunktransport.cfg-default. Copy it to /DATA/unomaly_transports/splunktransport.cfg:

cp /DATA/unomaly_transports/[transportname].cfg-default /DATA/unomaly_transports/[transportname].cfg

Open it; it contains the following parameters to customize:

[transport]
exporturl=https://[Splunk IP]:8089/servicesNS/admin/search/search/jobs/export
query=search index=main
username=admin
password=changeme

These options will need to be customized to suit your Splunk environment. Take note of the query option which may need to be altered if Splunk is configured to use multiple indices.

Also note that the user specified here must be the same user named in the exporturl path. That user also needs the ‘rtsearch’ privilege to run real-time searches. This privilege is included in the default group “power”, which we recommend if you create a separate user for this purpose.

Please refer to the Splunk documentation on searching or contact Unomaly for help.

Verifying data

To verify that data is being extracted correctly from Splunk, you can start the transport in debug mode, which will output all data to the terminal:

/opt/unomaly/bin/unomaly-transportd --debug --transport splunktransport

The command should produce output similar to the following:

$ /opt/unomaly/bin/unomaly-transportd --debug --transport splunktransport
 INFO: __init__ --- Loading transports from path /DATA/unomaly_transports (transportd.py:27)
 INFO: __init__ --- Initializing SplunkTransport... (transportbase.py:33)
 INFO: run --- Running with pid=16771... (transportd.py:55)
 INFO: _new_conn --- Starting new HTTPS connection (1): 10.8.0.182 (connectionpool.py:635)
DEBUG: _make_request --- "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 200 None (connectionpool.py:344)
[application data]
^CExiting
 INFO: __del__ --- Stopping SplunkTransport... (transportbase.py:50)

To stop the transport, press Ctrl-C. If everything is working, you will see your Splunk data being output after the initialization messages. If problems with authentication or the URL endpoint arise, they are displayed in the following fashion:

DEBUG: _make_request --- "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 401 53 (connectionpool.py:344)
ERROR: run --- Invalid response from server: {"messages":[{"type":"ERROR","text":"Unauthorized"}]} (splunktransport.py:59)
ERROR: run --- Transport SplunkTransport with pid=5716 terminated! Exitcode=0 (transportd.py:54)

The above error indicates a wrong user/password combination. If the text entry in the log says “You do not have permission to spawn real-time searches”, the configured user does not have the ‘rtsearch’ privilege.
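The configuration rules and the error responses described above, as an added Python example that is not part of the Unomaly transport: it checks a splunktransport.cfg for the mistakes this page warns about (user in the URL path not matching the username option, a default password, a non-HTTPS endpoint) and classifies the export-endpoint replies shown in the logs. The config text and response bodies used are constructed.

```python
# Added example, not Unomaly code: pre-flight checks for a splunktransport.cfg
# and classification of Splunk export-endpoint replies. Standard library only.
import configparser
import json
from urllib.parse import urlparse

REQUIRED = ("exporturl", "query", "username", "password")


def check_config(cfg_text):
    """Return a list of problems found in the [transport] section ([] if fine)."""
    # Only '=' separates keys from values (the URL contains ':'), and no
    # interpolation so a '%' in the password is taken literally.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(cfg_text)
    if not cp.has_section("transport"):
        return ["missing [transport] section"]
    t = cp["transport"]
    problems = ["missing option: %s" % k for k in REQUIRED if not t.get(k)]
    if problems:
        return problems
    url = urlparse(t["exporturl"])
    if url.scheme != "https":
        problems.append("exporturl should use https, got %r" % url.scheme)
    # Path is /servicesNS/<user>/<app>/search/jobs/export; the <user> segment
    # must be the same account as the username option.
    parts = url.path.split("/")
    url_user = parts[2] if len(parts) > 2 and parts[1] == "servicesNS" else None
    if url_user != t["username"]:
        problems.append("username %r does not match user %r in exporturl"
                        % (t["username"], url_user))
    if not t["query"].lstrip().startswith("search "):
        problems.append("query should start with 'search '")
    if t["password"] == "changeme":
        problems.append("password is still the default 'changeme'")
    return problems


def classify_response(status, body):
    """Map an export-endpoint reply to one of the failure modes on this page."""
    if status == 200:
        return "ok"
    try:
        texts = [m.get("text", "") for m in json.loads(body).get("messages", [])]
    except ValueError:
        texts = [body]
    if any("spawn real-time searches" in s for s in texts):
        return "missing rtsearch privilege"
    if status == 401:
        return "bad credentials"
    return "other error: %s" % "; ".join(texts)
```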

Once verified, restart transportd so the transport runs as a service, using the following command:

sudo service unomaly-transportd restart

As a last step, verify in the Unomaly GUI that logs are being received properly.