SHA256 checksums for the CloudKnox App for Splunk downloads:

  • cloudknox-app-for-splunk_110.tgz: 6c5df554542d18e406d157381fad5b103c0bafaa04ad0eb9c26cf89968d002c8
  • cloudknox-app-for-splunk_100.tgz: a43fd2084fa8aae8a9a75a0c726039e9d5ae0c74645c52c93ac6ba216f3d2755

CloudKnox App for Splunk

Splunk Cloud
This app is NOT supported by Splunk. Please read about what that means for you here.
CloudKnox Security created an App for Splunk, which helps enterprises eliminate the #1 risk to cloud infrastructure – accidental misuse and malicious exploitation of high-risk permissions.

On average, human and nonhuman identities use less than 1% of permissions granted. This dangerous, ever-expanding delta, known as the Cloud Permissions Gap, causes unnecessary stress to IAM and cloud infrastructure teams. The CloudKnox Cloud Permissions Management Platform helps organizations reduce this gap, and improve their MTTR, by quickly identifying permissions, roles and activity across multi-cloud or hybrid cloud infrastructure.

The CloudKnox App for Splunk provides several visualizations to view the "Permission Analytics Report" data collected by CloudKnox Add-on for Splunk.

CloudKnox App for Splunk


The CloudKnox App for Splunk builds a dashboard from the data provided by CloudKnox Add-on for Splunk.

  • Author - CloudKnox, Inc.
  • Version - 1.1.0
  • Build - 45
  • Creates Index - False
  • Prerequisites - This application is dependent on version 1.1.0 of CloudKnox Add-on for Splunk (TA-CloudKnox)
  • Compatible with:
    • Splunk Enterprise version: 7.3.x and 8.0.x
    • CloudKnox API v2
    • OS: Platform independent
    • Browser: Safari, Chrome and Firefox

Release Notes Version 1.1.0

  • Added support for CloudKnox platform audit logs
  • Added support for CloudKnox alerts
  • Added alert that triggers when a new super identity is indexed in Splunk

Upgrade Steps

No special steps are required to upgrade the CloudKnox App for Splunk from version 1.0.0 to version 1.1.0.


  • Standard Splunk configuration


  • This app has been distributed in two parts.

    1. CloudKnox Add-on for Splunk, which collects data from CloudKnox using REST API calls.
    2. CloudKnox App for Splunk, which adds dashboards to visualize the CloudKnox data
  • This app can be set up in two ways:

    1. Standalone Mode:
      • Install the CloudKnox App for Splunk and CloudKnox Add-on for Splunk.
      • The CloudKnox App for Splunk uses the data collected by CloudKnox Add-on for Splunk and builds dashboards on it.
    2. Distributed Environment:
      • Install the CloudKnox App for Splunk and CloudKnox Add-on for Splunk on the search head. The user does not need to configure an account or create an input in CloudKnox Add-on for Splunk on the search head.
      • Install only CloudKnox Add-on for Splunk on the heavy forwarder. The user needs to configure an account and create a data input to collect data from CloudKnox.
      • The user needs to manually create an index on the indexer (there is no need to install CloudKnox App for Splunk or CloudKnox Add-on for Splunk on the indexer).


CloudKnox App for Splunk can be installed through the UI using "Manage Apps" > "Install app from file" or by extracting the tarball directly into the $SPLUNK_HOME/etc/apps/ folder.
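Before extracting a downloaded tarball into $SPLUNK_HOME/etc/apps/, the SHA256 checksum published with the download can be checked first. The following is an added example, not code from CloudKnox or Splunk; the function names and the member-path check are assumptions of this example, and the checksum is the one listed on this page for cloudknox-app-for-splunk_110.tgz.

```shell
#!/bin/sh
# Added example (not CloudKnox or Splunk code): check a downloaded app tarball
# against the SHA256 published on the download page before extracting it.

# Published checksum for cloudknox-app-for-splunk_110.tgz, copied from this page.
CLOUDKNOX_110_SHA256="6c5df554542d18e406d157381fad5b103c0bafaa04ad0eb9c26cf89968d002c8"

# sha256_of FILE: print the lowercase hex SHA256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# paths_safe: read archive member names on stdin; fail if any name is
# absolute or has a ".." component (it would extract outside the apps folder).
paths_safe() {
    awk 'BEGIN { bad = 0 }
         /^\// { bad = 1 }
         { n = split($0, part, "/")
           for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1 }
         END { exit bad }'
}

# install_app TARBALL EXPECTED_SHA256 APPS_DIR
# Returns 0 on success, 1 on checksum mismatch, 2 if the archive cannot be
# read, 3 if a member path is unsafe. Nothing is extracted unless all pass.
install_app() {
    tarball=$1; expected=$2; apps_dir=$3
    [ -r "$tarball" ] || return 2
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    listing=$(tar -tzf "$tarball") || return 2
    printf '%s\n' "$listing" | paths_safe || return 3
    tar -xzf "$tarball" -C "$apps_dir"
}

# Usage (hypothetical local path to the download):
#   install_app ./cloudknox-app-for-splunk_110.tgz "$CLOUDKNOX_110_SHA256" "$SPLUNK_HOME/etc/apps"
```

The check covers member names only; it does not inspect symbolic links inside the archive.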


Configure Macros:

Follow the below steps to configure the macros:

  1. Go to "Settings" > "Advanced search" > "Search macros".
  2. Select "CloudKnox App for Splunk" in "App" context dropdown.
  3. Click the cloudknox(2) macro in the table shown.
  4. The default macro definition is index="main" sourcetype="cloudknox:$authSystemtype$:$category$". Update the definition with the index you used for data collection and save the configuration. For example: index="<your_index_name>" sourcetype="cloudknox:$authSystemtype$:$category$".
  5. Search for the cloudknoxindex macro and repeat the above step. The user is required to configure this macro in order to use the "cloudknox_super_identities_alert".
  6. Next search cloudknox_url_without_scheme macro and replace "xyz.cloudknox.io" with the URL of your CloudKnox instance. The user is required to configure this macro in order to use the drill-down functionality in the "CloudKnox Alerts" dashboard.

Note: If the user has selected a default index in the "Data Input" configuration during the CloudKnox Add-on for Splunk's configuration step, then there is no need to perform steps 3, 4 and 5. (By default, Splunk considers only the main index as a default index.)

Configure Savedsearches:

This app contains the following 2 scheduled searches:

  • cloudknox_super_identities_snapshot: This saved search updates the cloudknox_si_snapshot KV store lookup to contain the latest super identities.
  • cloudknox_super_identities_alert: This alert is generated when any new super identity is added.

Configuring savedsearches is only required if the user wishes to use "cloudknox_super_identities_alert" which triggers an alert when a new super identity is indexed in Splunk. Follow the below steps to configure the savedsearches:

  1. Navigate to Settings > Searches, reports, and alerts
  2. Find "cloudknox_super_identities_snapshot" search
  3. Click on Edit > Edit Schedule
  4. Enable the search and optionally update the "Schedule" and "Time Range" as per the requirement.
  5. Thereafter find the "cloudknox_super_identities_alert" alert
  6. Click on Edit > Edit Alert
  7. Optionally modify the "Time Range" and "Cron Expression" as per the requirement
  8. Add appropriate action to perform when the alert is triggered
  9. Click "Save" to update the settings and enable the alert


  • If you do not see any results in search, check whether you have correctly configured the index in the cloudknox(2) macro. You can also verify that the data is in the index by running the search query index="<your_index_name>" source="cloudknox".


Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk


Copyright (c) 2020 CloudKnox, Inc.

Release Notes

Version 1.1.0
Oct. 25, 2020

* Added support for CloudKnox platform audit logs
* Added support for CloudKnox alerts
* Added alert that triggers when a new super identity is indexed in Splunk

Version 1.0.0
Aug. 5, 2020

