Refer to the User Guide or follow instructions below.
Refer to the System Requirements document.
Add-on installation on a search head cluster (SHC) is not supported.
Installing on stand-alone Splunk instance
Refer to Splunk Documentation for instructions
Installing TA-ObserveIT in a distributed Splunk Enterprise deployment
Install the TA on a non-clustered search head or a heavy forwarder.
Interval: API polling interval in seconds.
Index: Destination index. Either select the index name from the drop-down list or type it in. Make sure the index exists at your deployment's indexing tier before saving the input configuration.
Reports API URL: ObserveIT API URL. Non-secure (HTTP) connections are not supported. E.g.: https://_MACHINE_NAME_/v2/apis/report;realm=observeit/reports
API Token: ObserveIT API token. To obtain the token:
1. Navigate to https://_MACHINE_NAME_/v2/apps/portal/home.html
2. Click the 'Credentials' tab
3. Click the 'Create App' button
4. Click the name of the application you created
5. Click the 'Generate Token' button
6. Look for "access_token" in the JWT Token area
Initial checkpoint Value: Timestamp of the earliest event to pull once the input is configured. Can be either an ISO8601 formatted datetime string (2018-05-06T12:25:07+00:00), epoch milliseconds (1525609507000) or "now" (without quotes) if only new data is needed. The TA will collect all available historical data if the initial checkpoint value is 0 (zero).
Collected reports: Reports data to collect. Can be "User Activity", "Alerts" or both.
SSL Verification: Uncheck to bypass SSL verification (in case the server uses a self-signed certificate).
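The two settings above that are easiest to get wrong are the Reports API URL (HTTPS only) and the Initial checkpoint Value (ISO8601, epoch milliseconds, "now", or 0 for full history). The following is an added example, not code from TA-ObserveIT or the Add-on Builder, that normalises both before an input is saved; the function names, the `now_ms` parameter and the "naive timestamps are UTC" rule are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse


def validate_reports_url(url):
    """Reject anything that is not an https:// URL with a host, since the
    add-on does not support non-secure connections at all."""
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Reports API URL must be an https:// URL: %r" % url)
    return parsed.geturl()


def normalize_checkpoint(value, now_ms=None):
    """Return the Initial checkpoint Value as epoch milliseconds.

    Accepts an ISO8601 datetime string, an epoch-milliseconds number or
    string, or the word "now". 0 is passed through unchanged because the
    add-on treats it as "collect all available history".
    """
    text = str(value).strip()
    if text.lower() == "now":
        if now_ms is None:  # now_ms is injectable only to keep the check deterministic
            now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
        return now_ms
    if text.isdigit():
        return int(text)  # epoch milliseconds; "0" means full history
    try:
        # Python's fromisoformat() does not accept a trailing "Z" before 3.11
        parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        raise ValueError("unsupported checkpoint value: %r" % value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)  # assumption: naive == UTC
    return int(parsed.timestamp() * 1000)


def ssl_verify_setting(verification_checked, ca_bundle=None):
    """Map the SSL Verification checkbox to a requests-style verify value.
    For a self-signed server certificate, pointing at a CA bundle file keeps
    verification on and is preferable to unchecking the box."""
    if ca_bundle:
        return ca_bundle
    return bool(verification_checked)
```

The ISO8601 and epoch examples from the table above resolve to the same checkpoint, which is a quick way to confirm a timestamp you type in means what you expect.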
Search ta_observeit_observeit_api.log for non-INFO messages:
index=_internal sourcetype="ta:observeit:log" NOT "INFO"
For support configuring or using the ObserveIT Add-On for Splunk, please contact us at firstname.lastname@example.org. Support is provided during weekday business hours (US, West Coast).
For help using the ObserveIT platform, please contact the ObserveIT support
TA-ObserveIT is provided under Apache License version 2.0
The TA was created using Splunk Add-on Builder App. Third-party software credits
Simplified Input Configuration
User Activity report has been split into User Command Activity and User Interface Activity reports
Enforced HTTPS connections
* Initial release
ObserveIT Alerts and User Activities events in Splunk