Splunk Installation Instructions

How to Integrate Splunk with BigPanda

Create an App Key

First, create an App Key. You'll need a separate App Key for each integrated system.

Select an Install Method

The BigPanda Splunk Add-On can be installed in 3 ways:

From the Splunk Console

1. From the Splunk console, click the Splunk logo in the top left to open the app launcher.

2. Click Find more Apps

3. Enter BigPanda into the search box to find the BigPanda Add-On

4. Click Install and log in with your Splunk.com credentials.

From within Splunkbase

1. Download the BigPanda for Splunk add-on from Splunkbase. (If you are using a distributed Splunk search environment with multiple instances, install the app on your search head instance.)

2. Log into Splunk Enterprise

3. On the Apps menu, click Manage Apps

4. Click Install app from file

5. In the Upload app window, click Choose File

6. Locate the .tar.gz file you just downloaded, and then click Open or Choose

7. Click Upload

8. Click Restart Splunk, and then confirm that you want to restart

Using the CLI

1. Download the BigPanda for Splunk add-on from Splunkbase. (If you are using a distributed Splunk search environment with multiple instances, install the app on your search head instance.)

2. Put the downloaded file in the $SPLUNK_HOME/etc/apps directory.

3. Untar and ungzip your app or add-on, using a tool like tar -xvf (on *nix) or WinZip (on Windows).

4. Restart Splunk.

Configure Global Settings for the BigPanda Add-On

Global Settings can be configured through the Splunk App configuration pages or through the CLI.

In the Splunk App

1. From the Splunk app launcher select BigPanda

2. Open the Configuration > Global Settings window

3. Fill in your BigPanda App Key and API Token from the values found in the integration configuration page.

4. Click Save to apply the changes.

Using the CLI

1. Navigate to the $SPLUNK_HOME/etc/apps directory

2. Ensure there is no $SPLUNK_HOME/etc/apps/TA-bigpanda/local/passwords.conf file

3. Create $SPLUNK_HOME/etc/apps/TA-bigpanda/local/ta_bigpanda_settings.conf with the following:

[additional_parameters]
api_url = https://inbound.bigpanda.io/splunk/alerts
app_key = app_key_here_in_plain_text
token = bearer_token_here_in_plain_text

Configure Proxy Settings for the BigPanda Add-On (Optional)

If using a proxy, the settings must be configured in the app or through the CLI.

In the Splunk App

1. From the BigPanda Add-On navigate to Configuration > Proxy

2. Check the box next to Enable

3. Select the Proxy Type you would like to use. The BigPanda Add-On supports HTTP, SOCKS4 and SOCKS5.

4. Fill in your proxy settings. Username and password are optional.

5. Click Save to apply the changes.

Using the CLI

You can also set the proxy through the CLI.

1. Navigate to the $SPLUNK_HOME/etc/apps directory

2. Create $SPLUNK_HOME/etc/apps/TA-bigpanda/local/ta_bigpanda_settings.conf with the stanza below. If ta_bigpanda_settings.conf already exists, add the stanza to the existing file instead:

[proxy]
proxy_password = XXXXXXXXXXXXXX
proxy_port = PORT_NUMBER_HERE
proxy_rdns = 1 | 0 (1 = enabled, 0 = disabled)
proxy_type = http | socks4 | socks5
proxy_url = URL_HERE
proxy_username = USERNAME_HERE
proxy_enabled = 1 | 0 (1 = enabled, 0 = disabled)
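Both CLI procedures above leave credentials in plain text in ta_bigpanda_settings.conf until Splunk encrypts them. The following script is an added example (not part of the BigPanda add-on) that audits such a file: it checks the required keys and value domains of the two stanzas and flags a token or proxy_password that is still in plain text after a restart. The "$7$"/"$1$" encryption prefixes and asterisk masking are assumptions about Splunk's conf handling, not something this page states.

```python
import configparser

# Assumptions (not from the add-on docs): Splunk-encrypted conf values start
# with "$7$" or "$1$"; values already moved to passwords.conf show as "*".
ENCRYPTED_PREFIXES = ("$7$", "$1$")
SECRET_KEYS = {"token", "proxy_password"}  # the two secrets the page names
PROXY_TYPES = {"http", "socks4", "socks5"}

def is_protected(value):
    """True if Splunk has already encrypted or masked the value."""
    v = value.strip()
    return v.startswith(ENCRYPTED_PREFIXES) or (v != "" and set(v) == {"*"})

def audit_settings(conf_text):
    """Return findings for a ta_bigpanda_settings.conf; [] means it looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    params = cp["additional_parameters"] if cp.has_section("additional_parameters") else {}
    for key in ("api_url", "app_key", "token"):
        if key not in params:
            findings.append(f"additional_parameters: missing {key}")
    if "api_url" in params and not params["api_url"].startswith("https://"):
        findings.append("additional_parameters: api_url is not https")
    # Plain-text secrets are expected only before the restart that encrypts them.
    for section in cp.sections():
        for key, value in cp[section].items():
            if key in SECRET_KEYS and not is_protected(value):
                findings.append(f"{section}: {key} is still in plain text")
    if cp.has_section("proxy"):
        proxy = cp["proxy"]
        for flag in ("proxy_enabled", "proxy_rdns"):
            if proxy.get(flag, "0") not in ("0", "1"):
                findings.append(f"proxy: {flag} must be 0 or 1")
        if proxy.get("proxy_type", "http") not in PROXY_TYPES:
            findings.append("proxy: proxy_type must be http, socks4 or socks5")
    return findings

# Constructed sample: the token was never encrypted, the proxy password was.
SAMPLE = """\
[additional_parameters]
api_url = https://inbound.bigpanda.io/splunk/alerts
app_key = 0123456789abcdef
token = bearer_token_here_in_plain_text
[proxy]
proxy_enabled = 1
proxy_type = socks5
proxy_port = 1080
proxy_password = $7$constructedciphertext
"""
```

Running audit_settings(SAMPLE) reports only the plain-text token; point it at the real local file after the restart to confirm nothing was left unencrypted.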

Configure Alternate Permissions (Optional)

When configuring Splunk to send alerts to BigPanda, all search owners need to have the list_storage_passwords capability in Splunk. You may not want to grant this capability to all users due to security restrictions.

To avoid requiring this permission, you can provide BigPanda app credentials to Splunk via environment variables instead of the configuration page. These environment variables can be set by the system administrator or configured in /etc/splunk-launch.conf.

1. Navigate to the $SPLUNK_HOME/etc/apps directory

2. In the /etc/splunk-launch.conf file, add the environment variables:
BIGPANDA_USE_ENV_PASSWORDS=true
BIGPANDA_BEARER_TOKEN={Your BigPanda Bearer Token}
BIGPANDA_PROXY_PASSWORD={Proxy Password if Used}

These variables will provide credentials via system settings and remove the need for search owners to have the list_storage_passwords capability.

Distributed Search Environments

When installing the BigPanda app in a Splunk distributed-search environment, Splunk does not automatically propagate the app to all nodes in the cluster, and the app must be installed on each node in the cluster either manually or through the deployment server.

Search head clusters

To deploy apps to a search head cluster, you must use the deployer. The deployer is a Splunk Enterprise instance that distributes apps and configuration updates to search head cluster members. The deployer cannot be a search head cluster member and must exist outside the search head cluster. See Use the deployer to distribute apps and configuration updates in the Distributed Search manual to learn more about the role of a deployer instance.

You cannot push an application with predefined credentials to a clustered search head in Splunk. To get around this, you have 2 options:

  • Push application from deployer to search head cluster without credentials – then manually enter the credentials afterwards via the UI
  • Push application from deployer to search head cluster with credentials in plain text (not encrypted)

When the credentials are pushed from the deployer to the search head cluster, they are sent in plain text; Splunk then encrypts the values automatically when the search heads reload with the new app/changes.

Send Splunk Alerts to BigPanda

1. Navigate to the BigPanda Add-On to determine which alerts to send to BigPanda.

Alerts can be configured using BigPanda search commands, or using the Action Manager. To learn more about configuring Splunk Alerts, see the Splunk documentation.