Welcome to InsightFinder!

Getting Started with InsightFinder's App for Splunk

Sign up for an account with InsightFinder
- Go to InsightFinder Signup

Register a project in InsightFinder
- Sign in to InsightFinder with your user credentials
- Go to Settings and add a new project (Top icon on the left side of your screen) under the "Insight Agent" tab
- Give your project a name, and select "Private Cloud" for project type
- Go to Account Info (Note: click on your user ID in the top right corner of the screen) and note your license key number.

Installation
- Download the installation file by clicking "Download" on the InsightFinder Splunkbase Page.
- Unpack the contents into
$SPLUNK_HOME/etc/apps/
- After unpacking, you should see the directory in:
$SPLUNK_HOME/etc/apps/insightfinderapp
We’ll refer to this directory as $INSIGHTFINDER_HOME in future instructions.

Initial Setup
- The files insightfindersettings.json and fetchifdatasettings.json must be configured properly to your InsightFinder account before queries can be added.
- Create the folders: $INSIGHTFINDER_HOME/local and $INSIGHTFINDER_HOME/lookups/[ProjectNameInInsightFinder]
- Copy over the files using the commands:
- cp example_configs/insightfindersettings.json.example lookups/INSIGHTFINDER_PROJECTNAME/insightfindersettings.json
- cp example_configs/fetchifdatasettings.json.example lookups/INSIGHTFINDER_PROJECTNAME/fetchifdatasettings.json
- Open insightfindersettings.json and set USERNAME,LICENSEKEY, and app_name (that is project name in InsightFinder) to appropriate values used in your InsightFinder account
- Open fetchifdatasettings.json and change projectName and host to your desired project name.
- Reference the comment block instructions as needed. Make sure to delete the comment block when finished.

Query Set Up Part 1 (via Command Line Interface)
Each search needs its own folder, and a file to specify which fields to monitor and the data to send to InsightFinder. For instance, let's give our search a name: "ResourceMetrics".
- Create the folder $INSIGHTFINDER_HOME/lookups/<projectnameininsightfinder>/ResourceMetrics
- Move a copy of monitored_fields.json into your new search folder with the command
- cp $INSIGHTFINDER_HOME/example_configs/monitored_fields.json.example $INSIGHTFINDER_HOME/lookups/[ProjectNameInInsightFinder]/ResourceMetrics/monitored_fields.json
- Open the file and configure the fields, referencing the comment block instructions as needed. Make sure to delete the comment block when finished.

Query Set Up Part 2 (via Splunk UI)
- Navigate to your InsightFinder page in Splunk.
- Enter your search query in the search bar and hit enter
- The query fetching data from host and index should be pipelined to command "sendtoif" with parameters InsightFinder project name and search name. Eg. host="splunkdemo" index="resource_metrics" | sendtoif -p INSIGHTFINDER_PROJECTNAME -s ResourceMetrics
- Click All Time->30 Minute Window to set window size. An alert may fail to send because of network connectivity issues, or possible outages. With this setting, the next successful alert in the 30 minute window will include the results for any failed attempts.
- To add the search results to the data sent to InsightFinder, click Save As->Alert
- Enter your title and description. Make sure to change permissions to Shared in App.
- Choose the frequency of alerts. To select a 1 minute interval, click Run every week->Run on Cron Schedule. Then enter * * * * * for Cron Expression.

View Data
Create a simple visualization of the InsightFinder results using a Splunk line chart.
- Navigate to your InsightFinder page in Splunk.
- To the right of the page, click Edit -> Edit Panels.
- Click Add Panel->New->Line Chart and enter the name of your metric in Content Title.
- For simple verification purposes, view the data from the past 24 hours. Select All Time-> Last 24 hours.
- For Search String, enter the same query as before with the addition of -p "PROJECT NAME"
- To preview results as a list, click Run. To view the line chart, click Add to Dashboard at the top of the page.