icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA Crowdstrike Devices
SHA256 checksum (ta-crowdstrike-devices_100.tgz) 37c7f00456aa34ce4d76f73a8a9906bc487ff4dc5dc244ce0294b5af40d952ec
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

TA Crowdstrike Devices

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
This Add-on for Splunk is designed to get data about devices (servers, workstations, laptops, mobile) connected to CrowdStrike and index it in Splunk for inventory use cases.

This addon works with SPLUNK >V7.X and V8.X AND CROWDSTRIKE'S OAUTH2
The add-on is built with Splunk Add-on Builder

  • App 3.0.1
  • App Build 2

Release Notes - Version 1.0.0 (Initial Release)

CrowdStrike Devices Add-on


Technology Add-on (TA) for CrowdStrike Devices enables current CrowdStrike customers to ingest devices data into Splunk.

  • Creates Index - False
  • OS: Platform independent
  • Heavy Forwarder Required

Compatible with: Splunk Enterprise version: 7.0.x, 7.1.x, 7.3.x, 8.0.x


1.In order to successfully ingest event data a valid Client ID and Client Secret are going to be needed. Based on this authentication a token is generated and used for each API Call.


Install the Add-on on Heavy Forwarders or Splunk Enterprise Standalone Instance. Downloading the TA package
1. In the UI navigate to: “Manage Apps”
2. In the top right corner select “Install app from file”
3. Select ‘Choose File’ and select the TA package (.spl)
4. Select ‘Upload’ and follow the prompts – restarting Splunk.

Configuring CrowdStrike Account(s)
1. In Configuration\account navigate to “Add” button in right
- Account name * - Set name for the account
- Username * - Fill in with a valid Client ID
- Password * - Fill in with a valid Client Secret

  1. In Configuration\add-on-settings (change the default value if needed) No matter that you are going to change the default value or not, click save.

Configuring CrowdStrike Devices Input(s)

The inputs should be configured only on heavy-forwarders or Splunk Enterprise standalone instance.

There are 3 REST APIs endpoints that are used:
- /oauth2/token
- /devices/queries/devices/v1
- /devices/entities/devices/v1

INFO:In order to authenticate successfully, the client application need to use authentication header with each API call. The authentication header provides a token, which originally should be obtained by calling the Logon service via username and password.

  1. Navigate to Falcon Spotlight Add-on for CrowdStrike Devices
  2. In the sub-menu select "Inputs”
  3. In the right corner select “Create New Input”
  4. Enter a unique name for the configuration
  5. From the drop down select the appropriate account for the input type
  6. Enter the time interval for input
  7. Select the index to store the data. NOTE The main index is used by default unless otherwise. If data is to be sent to a specific indexer, ensure the outputs.conf file is adjusted with the Indexer’s IP address.

The default LOG level is set to: INFO
Using Searches
The data should be indexed in the index which you selected or the main one.


If not try to check the internal log:
index=_internal sourcetype="ta:crowdstrike:devices:log"

Using Log Files
- $SPLUNK_HOME/var/log/splunk/ta_crowdstrike_devices_crowdstrike_devices_query.log

Error codes category regarding REST:
- 1xx: Informational – Communicates transfer protocol-level information.
- 2xx: Success – Indicates that the client’s request was accepted successfully.
- 3xx: Redirection – Indicates that the client must take some additional action in order to complete their request.
- 4xx: Client Error – This category of error status codes points the finger at clients.
- 5xx: Server Error – The server takes responsibility for these error status codes.

- Support Offered: Yes
- Support Email: info@bright.consulting
- Copyright (C) by BRIGHT Consulting JSC. All Rights Reserved.

Release Notes

Version 1.0.0
Oct. 9, 2020


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.