Downloading CloudKnox App for Splunk
SHA256 checksum (cloudknox-app-for-splunk_100.tgz) a43fd2084fa8aae8a9a75a0c726039e9d5ae0c74645c52c93ac6ba216f3d2755

CloudKnox App for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgrades here.
CloudKnox Security created an App for Splunk, which helps enterprises eliminate the #1 risk to cloud infrastructure – accidental misuse and malicious exploitation of high-risk permissions.

On average, human and nonhuman identities use less than 1% of permissions granted. This dangerous, ever-expanding delta, known as the Cloud Permissions Gap, causes unnecessary stress to IAM and cloud infrastructure teams. The CloudKnox Cloud Permissions Management Platform helps organizations reduce this gap and improve their MTTR by quickly identifying permissions, roles and activity across multi-cloud or hybrid cloud infrastructure.

The CloudKnox App for Splunk provides several visualizations to view the "Permission Analytics Report" data collected by CloudKnox Add-on for Splunk.


  • Author - CloudKnox, Inc.
  • Version - 1.0.0
  • Build - 19
  • Creates Index - False
  • Prerequisites - This application is dependent on CloudKnox Add-on for Splunk (TA-CloudKnox)
  • Compatible with:
    • Splunk Enterprise version: 7.3.x and 8.0.x
    • OS: Platform independent
    • Browser: Safari, Chrome and Firefox


  • Standard Splunk configuration


  • This app has been distributed in two parts.

    1. CloudKnox Add-on for Splunk, which collects data from CloudKnox using REST API calls.
    2. CloudKnox App for Splunk, which adds dashboards to visualize the CloudKnox data
  • This app can be set up in two ways:

    1. Standalone Mode:
      • Install the CloudKnox App for Splunk and CloudKnox Add-on for Splunk.
      • The CloudKnox App for Splunk uses the data collected by CloudKnox Add-on for Splunk and builds dashboards on it.
    2. Distributed Environment:
      • Install the CloudKnox App for Splunk and CloudKnox Add-on for Splunk on the search head. The user does not need to configure an account or create an input in CloudKnox Add-on for Splunk on the search head.
      • Install only CloudKnox Add-on for Splunk on the heavy forwarder. The user needs to configure an account and create a data input to collect data from CloudKnox.
      • The user needs to manually create an index on the indexer (there is no need to install CloudKnox App for Splunk or CloudKnox Add-on for Splunk on the indexer).


CloudKnox App for Splunk can be installed through UI using "Manage Apps" > "Install app from file" or by extracting tarball directly into $SPLUNK_HOME/etc/apps/ folder.
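
For the manual tarball route, the download can be checked against the SHA256 published in the download dialog before anything is unpacked under etc/apps. The following is an added example, not code from CloudKnox or Splunk; the file name and checksum come from this page, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the published checksum and inspect member paths
# before extracting an app package into $SPLUNK_HOME/etc/apps/.

# Values taken from the download dialog on this page.
PKG_NAME="cloudknox-app-for-splunk_100.tgz"
EXPECTED_SHA256="a43fd2084fa8aae8a9a75a0c726039e9d5ae0c74645c52c93ac6ba216f3d2755"

# sha256_of FILE: print the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# archive_paths_safe TARBALL: succeed only if the archive can be listed and
# no member name is absolute or contains a ".." path component.
archive_paths_safe() {
    listing=$(tar -tzf "$1") || return 1
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $1" >&2
        return 1
    fi
}

# verify_and_extract TARBALL EXPECTED_SHA256 APPS_DIR (hypothetical helper)
verify_and_extract() {
    tarball=$1 expected=$2 apps_dir=$3
    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 1; }
    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    archive_paths_safe "$tarball" || return 1
    # --no-same-owner: extracted files belong to the extracting user rather
    # than to whatever uid/gid is recorded in the archive.
    tar -xzf "$tarball" -C "$apps_dir" --no-same-owner
}

# Usage: sh verify_app.sh /path/to/cloudknox-app-for-splunk_100.tgz
if [ "$#" -eq 1 ]; then
    verify_and_extract "$1" "$EXPECTED_SHA256" "${SPLUNK_HOME:?}/etc/apps"
fi
```

The path check covers member names only; it does not inspect symlink targets inside the archive.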


Configure Index in Macro:

If the user selected a default index in the "Data Input" configuration while configuring CloudKnox Add-on for Splunk (Note: By default, Splunk considers only the main index as a default index), there is no need to perform this step. If the user specified any other index in the "Data Input" configuration, perform the following steps:

  1. Go to "Settings" > "Advanced search" > "Search macros".
  2. Select "CloudKnox App for Splunk" in "App" context dropdown.
  3. Click the cloudknox(2) macro in the table shown.
  4. The default macro definition is index="main" sourcetype="cloudknox:$authSystemtype$:$category$". Update the definition with the index you used for data collection. For example: index="<your_index_name>" sourcetype="cloudknox:$authSystemtype$:$category$".


  • If you do not see any results in search, check whether you have correctly configured the index in the cloudknox(2) macro. You can also verify that the data is in the index by running the search query index="<your_index_name>" source="cloudknox".


  • To uninstall the app, remove $SPLUNK_HOME/etc/apps/CloudKnoxAppforSplunk
  • Restart the Splunk Enterprise instance so that the UI reflects the cleanup changes


Copyright (c) 2020 CloudKnox, Inc.

Release Notes

Version 1.0.0
Aug. 5, 2020



AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
