The Code42 App for Splunk connects to a Code42 server for importing and syncing event data between Code42 and Splunk.
You must have an installed and configured Code42 server to complete the Code42 App for Splunk setup process. Splunk guides you through the setup process, but you may also read the Code42 App for Splunk installation article at the Code42 Support site.
The Python scripts embedded in this app have several dependencies that need to be installed for the app to import events successfully.
- Check your Splunk server's system Python path.
- For stability, you should ensure that
python3
is installed on your system—this will be used automatically by the Code42 app for Splunk. The embedded Python included with Splunk does not support all the requirements of this app. - We search for
python3
in your$PATH
variable, followed by several common locations to find the full path to Python 3 (including Windows Python). If you have a non-standard installation (such aspython3.4
orpython-3
), you can create a new file at./local/python.path
with the correct path. You can run the following command to write a path file.which python3.4 > /path/to/splunk/etc/apps/code42/local/python.path
- For stability, you should ensure that
- Install Python dependencies using pip (see below).
$ sudo python3 -m pip install requests
$ sudo python3 -m pip install python-dateutil
These dependencies are required regardless of your Python version. You can opt
to install them using easy_install
.
First, you'll need to export a Splunk Package by cloning the repo and exporting the contents.
$ git clone https://github.com/code42/Splunk.git Code42-Splunk
$ cd Code42-Splunk
$ git archive \
--format=tar.gz \
--prefix=code42/ \
--output=code42.tar.gz \
HEAD
$ mv code42.tar.gz code42.spl
After exporting the Splunk Package .spl
, you can install the package using
Splunk's built-in Apps page.
- Select "Manage Apps" from the Apps dropdown.
- Select the "Install app from file" button.
- Select the generated
code42.spl
package. - Splunk will walk you through all required setup.
You can install the git repository directly into your Splunk app contents and keep the scripts updated.
$ export SPLUNK_HOME="/path/to/Splunk"
$ cd $SPLUNK_HOME/etc/apps
$ git clone https://github.com/code42/Splunk.git code42
Restart Splunk after cloning the repository, then open the Setup page from the Manage Apps page to configure your Code42 server info. From the Manage Apps page you can also enable and disable the Code42 app for Splunk.
After the installation, you can test the Splunk scripts by running them using the embedded Splunk python enviornment.
$ export SPLUNK_HOME="/path/to/Splunk"
$ $SPLUNK_HOME/bin/splunk login # Enter username & password
$ $SPLUNK_HOME/bin/splunk cmd \
python $SPLUNK_HOME/etc/apps/code42/bin/splunk-test.py <<< \
$(xmllint --xpath "//auth/sessionkey/text()" "$(find ~/.splunk -type f)")
The script should run successfully.
Data is automatically imported to a custom code42
index once the app is
enabled. The different structured data formats described below are automatically
imported to the Code42 index using cron scripts and file monitors.
The Code42 app for Splunk does contain some pre-built dashboards, but you can also write your own queries using Splunk's Search & Reporting app. You can see example queries in the EXAMPLES.md file.
Contributions are welcome for new and updated data types imported to Splunk
using the Code42 App for Splunk. Each event should be saved to the code42
index, and should have it's own sourcetype
namespace.