icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Observeit Add-on for Splunk
SHA256 checksum (observeit-add-on-for-splunk_123.tgz) a19ad1509d058cefa923ecffba82e15cf2a3e5e94331f2304d1cf5ebea94f096 SHA256 checksum (observeit-add-on-for-splunk_122.tgz) 94401d6766036a73b27aea47d1628669ee6b4a9993d4ff0b1ab10d269c615577 SHA256 checksum (observeit-add-on-for-splunk_120.tgz) 5f59b3e68c541d3c30cf4750dd51b21f23592cdd53f2e445978b02d0a3320abc SHA256 checksum (observeit-add-on-for-splunk_101.tgz) 1c235be70c7f687584a9a19bcb5167ea376d6c660eaf4bebbfac587c19648c05 SHA256 checksum (observeit-add-on-for-splunk_100.tgz) 44fc6815969e224ab50beb7cada352da7966a146e6ed6261ef591bda80760614
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Observeit Add-on for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
The ObserveIT Technology Add-on for Splunk provides security analysts and investigation teams with powerful user activity meta-data and smart user behavior alerts. By correlating this powerful user context with the other data sources in Splunk, a complete picture a user's activities will emerge, allowing for creation of smarter alerts and quicker threat elimination.

Data collected by ObserveIT TA can be searched using the Search App or ObserveIT App for Splunk


Refer to the User Guide or follow instructions below.


  • Hardware Requirements:
    Refer to System Requirements document

  • Software Requirements:

    • ObserveIT version 7.5.1 and up
    • Splunk Enterprise v6.5+ or Splunk Cloud


Add-on installation on SHC is not supported


  • Installing on stand-alone Splunk instance
    Refer to Splunk Documentation for instructions

  • Installing TA-ObserveIT in a distributed Splunk Enterprise deployment
    Install the TA on a non-clustered search head or a heavy forwarder.


  • Open TA-ObserveIT app
  • Optional: If proxy is required for connecting to ObserveIT API - navigate to
    Configuration -> Proxy tab and configure proxy before defining inputs.
  • Navigate to "Inputs" tab and click "Create New Input"
  • Fill in the fields
    Interval            API polling interval in seconds
    Index               Destination index. Either select index name from a 
                        drop-down list or type index name. Make sure the index 
                        exists at your deployment's indexing tier before saving
                        input configuration.
    Reports API URL     ObserveIT API URL.Non-secure connections are not 
                        e.g.: https://_MACHINE_NAME_/v2/apis/report;realm=observeit/reports
    API Token           ObserveIT API token. To obtain the token: 
                        1. Navigate to https://_MACHINE_NAME_/v2/apps/portal/home.html
                        2. Press on 'Credentials' tab
                        3. Press on 'Create App' button
                        4. Press on the create application name
                        5. Press on Generate Token button
                        6. Look for "access_token" in JWN Token area
    Initial checkpoint  Value
                        Timestamp of the earliest event to pull upon input 
                        configuration. Can be either ISO8601 datetime formated
                        string (2018-05-06T12:25:07+00:00), epoch milliseconds
                        (1525609507000) or "now" (without quotes) if only new
                        data is needed.
                        The TA will collect all available historical data if 
                        initial checkpoint value is 0 (zero)
    Collected reports   Reports data to collect. Can be "User Activity", 
                        "Alerts" or both 
    SSL Verification    Uncheck to bypass SSL verification (in case server uses
                        self-signed certificate)


Search ta_observeit_observeit_api.log for non-INFO messages:
index=_internal sourcetype="ta:observeit:log" NOT "INFO"


For support configuring or using the ObserveIT Add-On for Splunk, please
contact us at integrations@observeit.com. Support is provided during weekday
business hours (US, West Coast)

For help using the ObserveIT platform, please contact the ObserveIT support
organization. https://www.observeit.com/support/


TA-ObserveIT is provided under Apache License version 2.0


The TA was created using Splunk Add-on Builder App. Third-party software credits

Release Notes

Version 1.2.3
March 13, 2020

Version 1.2.2
Feb. 23, 2020

Version 1.2.0
Jan. 15, 2019

Simplified Input Configuration
User Activity report has been split into User Command Activity and User Interface Activity reports

Version 1.0.1
July 8, 2018

Bug fixes:
Enforced HTTPS connections

Version 1.0.0
June 19, 2018

* Initial release
* New:
ObserveIT Alerts and User Activities events in Splunk


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.