SHA256 checksum (avalon-add-on-for-splunk_100.tgz): e6758fd716f26ca16b5eafc866147734b007bccb8c837df128b162af7ae16f0e

Avalon Add-on for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades.
King & Union's Avalon Add-On for Splunk enables the interchange of data between Avalon and Splunk to support security investigations that leverage both platforms. The add-on provides custom search commands that create and update Avalon workspaces from a Splunk search, and that retrieve node and workspace data on demand. All add-on activity, including details about workspaces and nodes, is visible in the Avalon Summary dashboard.

Download a 45-day free Avalon account at https://www.kingandunion.com/splunk. Create a new Avalon account by October 31st and you'll be entered to win a Rad Power Bike!


Installation & Configuration

The Avalon Add-On for Splunk can be installed directly from Splunkbase within your Splunk instance (Apps > Find more apps) or by uploading the file downloaded outside of Splunk (Apps > Manage Apps > Install app from file).

IMPORTANT In distributed Splunk architectures, the add-on must be installed at the search head tier. The search commands that interact with Avalon run on the search head only. Some commands will result in data being indexed to the avalon index. To allow for indexing to occur in a distributed environment, create the avalon index on your indexer(s).

Once installed, log in to your Splunk instance and update the add-on configuration (via the add-on's Set up link in Manage Apps) as follows:

  1. Select Configure app.
  2. Fill in the configuration details:
    • API Authorization Token: the API key that will be used to communicate with your Avalon account.
    • Node Import Limit: the maximum number of nodes to retrieve and index.
  3. Set the add-on's permissions to All apps (system): click Manage Apps, then click Permissions in the Sharing column for the Avalon app.
  4. Create the avalon index: go to Settings > Indexes > New Index, name the index avalon and keep all defaults.

Operation

The Avalon Add-On for Splunk provides the following custom search commands for interacting with Avalon inside of Splunk Enterprise:

  • avalon: Create or update workspaces with data from a Splunk search.
  • pullworkspaces: Retrieve workspace data from Avalon.
  • pullnodes: Retrieve node data from Avalon.

Creating a Workspace

Build a Splunk search that produces, as a table, the values you want to send to Avalon. Once the results are to your liking, pipe them to the avalon create_workspace command.
Consider the following example:

index=apache clientip=10.10.5.* | dedup clientip | table clientip | avalon create_workspace="httpd"

This search would result in all 10.10.5.* client IP addresses being added to a new workspace named httpd. The new workspace will be immediately available in Avalon.

When data is sent to Avalon, an event is written to the avalon index. To review the indexed data, run the following search over the desired time range:

index=avalon sourcetype=avalon_push

Updating a Workspace

Build a Splunk search that produces, as a table, the values you want to send to Avalon. Once the results are to your liking, pipe them to the avalon update_workspace command.

Consider the following example:

index=apache clientip=10.10.7.* domain=*.gov | dedup clientip domain | table clientip domain | avalon update_workspace="httpd"

This search would result in all 10.10.7.* client IP addresses and .gov domain values being added to the httpd workspace previously created. Based on the prior example, the httpd workspace would now contain nodes reflecting the 10.10.7.* and the 10.10.5.* client IP addresses, as well as the .gov domains.

When data is sent to Avalon, an event is written to the avalon index. To review the indexed data, run the following search over the desired time range:

index=avalon sourcetype=avalon_push

Retrieving Node Data

Run the pullnodes command by itself with either a workspace ID or a title to retrieve node data and workspace metadata.

| pullnodes id=123 retrieves node data and workspace metadata from the workspace with an ID of 123.

| pullnodes title="httpd" retrieves node data and workspace metadata from the httpd workspace.

The search command shows the returned data in the Splunk interface. It also writes an event to the avalon index. To review the indexed data, run the following search over the desired time range:

index=avalon sourcetype=avalon_nodes

Retrieving Workspace Data

Run the pullworkspaces command to retrieve a list of available workspaces and metadata.

| pullworkspaces

Beyond providing a quick view of the available workspaces, the command is also run hourly via a saved search to populate a lookup containing the workspace ID and workspace title.

Reporting

The Avalon Summary dashboard provides visibility and insight into the add-on's operation. The dashboard panels are as follows; each is scoped by workspace, node type, and time range unless otherwise indicated:

  • Total Nodes: The distinct count of nodes retrieved by the pullnodes command and indexed in Splunk.
  • Overlapping Nodes: The number of nodes that exist in more than one workspace.
  • Total Pulls: The number of times the pullnodes command was run.
  • Total Pushes: The number of times the avalon create_workspace and avalon update_workspace commands were run.
  • Last Pull: The timestamp of the most recent pullnodes execution.
  • Last Push: The timestamp of the most recent avalon create_workspace or avalon update_workspace execution.
  • Nodes by Workspace over Time: The count of nodes by workspace.
  • All Workspaces: The list of all available workspaces, workspace metadata, and node count. The list is built from indexed events and from the workspaces lookup table.
    • Clicking a value in the Last Pull or ID columns opens a new window and runs the pullnodes search command for that workspace.
    • Clicking a Title or Node Count value opens the workspace in Avalon.
  • Count by Node Type: A chart showing a breakdown of nodes by node type and workspace.
  • Activity over Time: A chart showing all "push" and "pull" activity between Splunk and Avalon.
  • Nodes: A list of nodes with node type and the workspace(s) each node is found in. The list may be further refined by entering a value in the Node Search field.
    • Clicking a table row drills down to a search for that node in your indexed data.
    • Clicking the Node Search link searches for all nodes in your indexed data.
    • Clicking the Update Lookup link writes the results in the Nodes table to the avalon_nodes lookup.

The avalon_nodes lookup can be used with your other searches, reports, and alerts to add context or otherwise enrich data in Splunk. For example, an alert could be created that sends an email or performs another action when a particular node value appears in your indexed data.
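The alert described above, written out as an added example in savedsearches.conf form (this is not part of the add-on itself). It assumes the avalon_nodes lookup exposes the fields node, node_type and workspace (the README lists node, node type and workspace columns but does not name the fields), and uses placeholder values for the source index and recipient address.

```ini
# savedsearches.conf stanza (added example; not shipped with the add-on).
# Assumed lookup fields: node, node_type, workspace. Adjust to your lookup.
[Avalon - Known workspace node observed in web logs]
# Check both client IPs and domains from the indexed events against the
# avalon_nodes lookup; only events that match a known node survive "where".
search = index=apache \
  | eval observed=mvappend(clientip, domain) \
  | mvexpand observed \
  | lookup avalon_nodes node AS observed OUTPUT node_type workspace \
  | where isnotnull(workspace) \
  | stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY observed node_type workspace
# Run every 15 minutes over the last 15 minutes of data.
dispatch.earliest_time = -15m
dispatch.latest_time = now
cron_schedule = */15 * * * *
enableSched = 1
# Fire when at least one matching node is found.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.severity = 4
alert.track = 1
# Email action; replace the placeholder recipient with your SOC address.
action.email = 1
action.email.to = soc@example.com
action.email.subject = Avalon node seen in Splunk: $result.observed$ ($result.workspace$)
action.email.include.results_link = 1
```

Because the lookup is populated from the Nodes table via the Update Lookup link, refresh it after each pullnodes run so the alert reflects the current workspace contents.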

Release Notes

Version 1.0.0
Aug. 16, 2019

Initial release
