icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Splunkbase will be undergoing a scheduled migration and will be unavailable on Saturday, Oct 1, 2022, from 11AM to 3PM PDT

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Code42 for Splunk (Legacy)
SHA256 checksum (code42-for-splunk-legacy_3012.tgz) 821d8118d80199796d74d3a2b000d1e439150faaccdc8caa11ddee42a5546f53 SHA256 checksum (code42-for-splunk-legacy_3011.tgz) e80fd18d86c847bb7e2e45953c3dd7de057c3b13c916ca0318ea758a58500c33 SHA256 checksum (code42-for-splunk-legacy_3010.tgz) e9ea208a3901e3cfa98e7e298a7abe6e1c772d43acd0b8b272604ce72f18803c SHA256 checksum (code42-for-splunk-legacy_309.tgz) ff9fddceb70259208540866b95cdffcba25d02122ab6aa98628138fd260836ea SHA256 checksum (code42-for-splunk-legacy_308.tgz) d8abeba245f8ac71cdbb594ccf4be6b43fb3d0a87f69d5081e6e6fb8f1982971 SHA256 checksum (code42-for-splunk-legacy_307.tgz) cd14083ee633f595b06186f1c00c44371c1db1b1e1755d9bfb96056647ceb864
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Code42 for Splunk (Legacy)

This app has been archived. Learn more about app archiving.
Code42 For Splunk integrates Splunk and Code42 to provide robust correlation of endpoint and backup data.

Welcome to Code42 for Splunk Apps documentation!


About Code42 App For Splunk

Author Aplura, LLC. Code42, Inc.
App Version 3.0.12
App Build 250
Vendor Products Code42 Appliance
Has index-time operations false
Creates an index false
Implements summarization Currently, the app does not generate summaries

About Code42 App For Splunk

Code42 App For Splunk allows a Splunk Enterprise administrator to extract information and knowledge from Code42.

Scripts and binaries

This App provides the following scripts:

Release notes

Version 3.0.11

  • Improvement

    • [C42-87] Fix for data ingestion delay

Version 3.0.10

  • Improvements

    • Changes to C42 SDK to better enhance stability and data consumption

Version 3.0.9

  • Improvement

    • [C42-84] - Use is_cloud from Utilities

Version 3.0.8

  • Bug

    • [C42-83] - Bug in Batch Processor - Cursor not retrieved correctly

About this release

Version 3.0.12 of Code42 App For Splunk is compatible with:

Splunk Enterprise versions 6.6, 7.0, 7.1, 7.2
Platforms Splunk Enterprise
Vendor Platform Code42 Enterprise / Small Business


Known Issues

Version 3.0.12 of Code42 App For Splunk has the following known issues:

  • None

Support and resources

Questions and answers

Access questions and answers specific to Code42 App For Splunk at https://answers.splunk.com . Be sure to tag your question with the App.


Support is available via email at enterprise-support@code42.com. Responses vary on working days between working hours.

Installation and Configuration

Software requirements

Splunk Enterprise system requirements

Because this App runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.


Download Code42 App For Splunk at https://splunkbase.splunk.com/app/3736/.

Installation steps

NOTE: Where referenced, TA-Code42ForSplunk and IA-Code42ForSplunk are located on Splunkbase.

Deploy to single server instance

Follow these steps to install the app in a single server instance of Splunk Enterprise:

  1. Download the Code42 App For Splunk package from https://splunkbase.splunk.com/app/3736/
  2. Install the App via the recommended installation methods (CLI, Web GUI)
  3. Restart Splunk.
  4. Download IA-Code42ForSplunk from https://splunkbase.splunk.com
  5. Install IA via the recommended installation methods (CLI, Web GUI)
  6. Navigate to IA-Code42ForSplunk/App_Config to setup modular input settings.

Deploy to Splunk Cloud

  1. Have your Splunk Cloud Support handle this installation.

Deploy to distributed deployment

Install to search head

  1. Download the Code42 App For Splunk package from https://splunkbase.splunk.com/app/3736/
  2. Install the App via the recommended installation methods (CLI, Web GUI, Deployment Server)

Install to indexers

  1. Download the TA-Code42ForSplunk package from https://splunkbase.splunk.com.
  2. Install TA-Code42ForSplunk onto the indexers per your environment.

Install to universal forwarders

  1. There is no installation to Universal Forwarders.

Install to Heavy Forwarders

  1. Download the IA-Code42ForSplunk package from https://splunkbase.splunk.com.
  2. Install IA-Code42ForSplunk onto a heavy forwarder in your environment.
  3. Configure the Modular Input with the required settings.

Deploy to distributed deployment with Search Head Clustering

  1. Place the App into the deploy_apps folder on the Deployer Server.
  2. Follow the instructions to install to a Heavy Forwarder. This Step is REQUIRED in a clustered SH environment!
  3. Deploy the App to the Search Head Cluster. DO NOT install IA-Code42ForSplunk to the Cluster!

User Guide

Configure Code42 App For Splunk

  • Install the App according to your environment (see steps above)
  • Navigate to App > IA-Code42ForSplunk > Administration > Application Configuration

Application Configuration Dashboard

To configure the Code42 application you should start on the Application Configuration page (Administration > Application Configuration)*[]:

Application Configuration

On this screen you can set the base index as well as a flag that specifies that the application is configured. In the future there will be additional configurations available.

Proxy Configuration

If you have configured a proxy server you can view the configuration under this tab. These are proxy server configurations that are being used by existing modular inputs for the Code42 application. You can also delete existing proxy configurations on this tab.

Encrypted Credentials

You can view/delete existing credentials on this tab. These are credentials that are being used by existing modular inputs in the Code42 application. These credentials are the credentials used to connect to Code42 appliances.


On this screen you can view and make any changes to existing modular inputs. As you make changes and tab between fields the modular input is modified.

Creating New Proxy Configurations

If you need to use a proxy as part of the connection to the Code42 appliance configure it here.

  • To create a new proxy server configuration, click the Create New Proxy button and fill in the following fields:

    • Proxy Name: Name for the proxy configuration. This name will be used as the proxy name in the modular input configuration.
    • Host: Proxy host name or IP.
    • Port: Port used to connect to the proxy server.
    • Username: Username used to connect to the proxy server.
    • Password: Password for the username specified above.
    • Use SSL: Should SSL be used for the proxy configuration?

Creating New Credentials

By default creating a new modular input with a username and password specified will create the necessary encrypted credentials. However if you want to create encrypted credentials manually follow this process:

  • To create a new encrypted credential, click the Create New Credential button and fill in with the appropriate username and password.
  • The realm is the application name where the encrypted credential is created + the username.

NOTE: By default creating a new modular input will automatically create a new encrypted credential so this process is not necessary unless you need a new credential for another purpose.

Creating New Code42 Inputs

NOTE: You will need to configure a new modular input for each appliance

  • To create a new data input, click the Create New Modular Input button and fill in the following fields. Those with a red asterisk on the screen are required.
    • Modular Input Name: Name for the data input configuration.
    • Hostname and port: The hostname or IP address and port of the Code42 appliance. By default you can specify hostname:443.
    • Username: The username used to connect to the appliance. This user should have a of role of Security Center User, Customer Cloud Admin, or Server Admin.
    • Password: The password for the previously specified username.
    • Toggle all data keys: Check to select all data keys.
    • Data keys: List of endpoints available on the Code42 appliance. Check the data key if you wish to pull event data.
    • Historical Lookback: This is the number of days to lookback for Security Events. Default is 60.
    • Interval: The number of seconds indicate how often the input will poll for new data. This setting must be at least 60.
    • Index: This sets the index for data to be written to. This setting should be changed from default, which normally writes to the main index, to a specified index for best performance.
    • Use Proxy: Indicates if a proxy should be use for communication with the Code42 appliance.
    • Proxy Name: Enter the name of the proxy stanza to use with the input.
  • After creating the modular input you may need to disable/re-enable the input in Settings > Data Inputs > Code42 App For Splunk to activate the input.

NOTE: When configuring the modular input through the Application Configuration dashboard, the password is automatically encrypted into the credential store. If you need to change the credential, create a new credential, and reference the host/user pair in the modular input configuration. An encrypted credential is required for this Splunk App.


By default all events will be written to the main index. You should change the index in the configuration files to match your specific index.

Troubleshoot Code42 App For Splunk

  1. Check the Monitoring Console (>=v6.5) for errors
  2. Visit the Application Health dashboard

Full Data Reset

If you experiencing issues, and would like to reset the Code42 Data to factory install, there are few steps to take.

  1. Disable the input.
  2. Clear the indexed data. This is covered in the Splunk documentation
  3. Clear the KVStore that is tracking the cursors using the search |`code42_zero_cursors`
  4. Enable the input.


Code42 App For Splunk contains three automatically generated lookups.

The following lookup files are generated automatically from saved searches every hour.

  • code42_users.csv
  • code42_computers.csv
  • code42_alertlog.csv

Event Generator

Code42 App For Splunk does make use of an event generator. This allows the product to display data, when there are no inputs configured.

The stanzas are:

  • code42_org.eventgen
  • code42_security.eventgen
  • code42_computer.eventgen
  • code42_restore.eventgen
  • code42_user.eventgen
  • code42_alertlog.eventgen


  1. Summary Indexing: No
  2. Data Model Acceleration: No
  3. Report Acceleration: No

Release Notes

Version 3.0.12
Feb. 18, 2020

Updated a timeout setting.

Version 3.0.11
Jan. 22, 2020
  • Improvement

    • [C42-87] Fix for data ingestion delay
Version 3.0.10
Oct. 15, 2019

Enhanced Stability for Code 42 inputs.

Version 3.0.9
May 20, 2019
  1. Added is_cloud check
Version 3.0.8
April 4, 2019

Bug Fix in the data collection processor.

Version 3.0.7
March 7, 2019

New stability improvements.

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.