Splunk Integration

Use this guide to configure your Splunk integration

What Data Is Sent?

vRx sends any event under Logs -> Event Log to Splunk. For further information, refer to vRx Event Log KB.

Prepare Splunk Cloud:

Before heading to your vRx Dashboard, prepare the following in Splunk Cloud:

1. Go to "Settings" --> "Add data"

2. Select "Monitor"

3. Select "HTTP Event Collector", name it (other parameters are optional), then click Next

4. Choose Input type and click "Review" (set to "Automatic" for this example) and Submit

5. Copy your Token Value, then click "Start Searching"

Splunk will redirect you to the search page where the query should be:

source="http:TopiaEventCollector"

6. Head over to vRx --> "Settings" --> "Integrations" tab --> SIEM --> find Splunk and click "Create Integration"

7. Paste your Splunk Token (from step 5) in the "API Key" field, and fill in the URL as follows:

Note: Replace the blacked-out part with your Splunk tenant's address

8. Click "Send Test Event"

Tip: If everything went correctly, you should see a "Connected" indicator, as shown in the screenshot above.

9. On your Splunk tenant, make sure the query is the same as shown in step 5, then click Search to see the test event from vRx.
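The test event that vRx sends in step 8 is an ordinary HTTP Event Collector (HEC) POST. The following script is an added example, not part of this guide or of the vRx product, that performs the same kind of POST directly so you can confirm the token and endpoint work (and read HEC's exact error) before relying on the "Connected" indicator. The host and token values are placeholders; the URL form (`/services/collector/event`) is Splunk's documented HEC endpoint, the port defaults to 8088 as on Splunk Enterprise, while Splunk Cloud tenants normally expose HEC on an `http-inputs-` prefixed hostname on port 443, so adjust the arguments to match the blacked-out URL from step 7. The `source` value `http:TopiaEventCollector` comes from the page's search query; HEC defaults the source to `http:<token name>`, so it assumes the token was named TopiaEventCollector in step 3.

```python
"""Added example (not from the vRx documentation): build, send and check a
Splunk HTTP Event Collector (HEC) test event, independent of the vRx
"Send Test Event" button."""
import json
import ssl
import urllib.request
from urllib.error import HTTPError

# Constructed placeholders: replace with your Splunk address and the token from step 5.
SPLUNK_HOST = "YOUR-TENANT.splunkcloud.com"            # placeholder, not a real host
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"     # placeholder token
HEC_PORT = 8088                                        # Splunk Enterprise default; Cloud usually 443

# HEC reply codes documented by Splunk; 0 is the only success code.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token"}


def build_hec_request(host, token, event, source="http:TopiaEventCollector", port=8088):
    """Return (url, headers, body) for one HEC event POST.

    HEC authenticates with an "Authorization: Splunk <token>" header and takes a
    JSON object whose "event" field holds the payload. The default HEC source is
    "http:<token name>", which is why the guide's search uses
    source="http:TopiaEventCollector" (assumed token name from step 3)."""
    url = f"https://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    body = json.dumps({"event": event, "source": source, "sourcetype": "_json"}).encode()
    return url, headers, body


def check_hec_response(status, body_bytes):
    """Interpret HEC's JSON reply. Returns (ok, message).

    HEC answers {"text": "...", "code": N}; a rejected token comes back as HTTP 403
    with code 4, so the message shows both the HTTP status and the HEC code."""
    try:
        reply = json.loads(body_bytes.decode())
    except (ValueError, UnicodeDecodeError):
        return False, f"HTTP {status}: non-JSON reply (wrong URL or not a HEC endpoint?)"
    code = reply.get("code")
    text = reply.get("text", HEC_CODES.get(code, "Unknown"))
    return (status == 200 and code == 0), f"HTTP {status}: {text} (code {code})"


def send_test_event(host, token, event, port=8088):
    """POST one event to HEC and return (ok, message). Network call; TLS is verified
    with the system trust store, as it should be for a production tenant."""
    url, headers, body = build_hec_request(host, token, event, port=port)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return check_hec_response(resp.status, resp.read())
    except HTTPError as e:  # HEC returns 4xx with a JSON body describing the problem
        return check_hec_response(e.code, e.read())


if __name__ == "__main__":
    # Constructed sample event, shaped loosely like a vRx Event Log entry.
    test_event = {"message": "vRx integration test event", "severity": "info"}
    ok, msg = send_test_event(SPLUNK_HOST, HEC_TOKEN, test_event, port=HEC_PORT)
    print("OK" if ok else "FAILED", msg)
```

After a successful run, the event appears in Splunk under the same `source="http:TopiaEventCollector"` search as in step 5; a `code 4` reply means the token in the "API Key" field is wrong, and a non-JSON reply usually means the URL does not point at the collector endpoint.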

Tip: If you are unsure of how to acquire and configure Splunk's parameters, please contact your Splunk support.

Additional information regarding setting up Splunk's HTTP collector can be found here:

https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/UsetheHTTPEventCollector