The Ivanti Device and Application Control App for Splunk provides pre-built dashboards for IDAC data that is imported with the IDAC Add-on for Splunk.
The dashboards in this app expose both statistics and detailed views of all activities: blocks, shadowing, admin audit activity and agent updates.
An accompanying Technology Add-On (TA) provides properties (props.conf) and sample inputs (inputs.conf) to ingest and parse IDAC events.
This app has been developed and tested against the latest release of Splunk available at the time of development: 8.1.3. The app should work on Splunk 7.x without any issues.
Install the Ivanti IDAC App for Splunk on search heads for dashboards and CIM-compliant field aliases.
The idac_index macro specifies which Splunk index is used to store the IDAC event data; by default this macro is set to
For ingestion of device control event data, install the IDAC TA (https://splunkbase.splunk.com/app/5532/) on the tier where data from IDAC is first parsed: heavy forwarders, or indexers if no heavy forwarder is used between a universal forwarder (on the IDAC server) and the indexing tier.
Ensure that users of the app are members of a role that is configured to search, by default, the index containing ivanti:idac:* events.
For support, please raise a support call with Ivanti: https://www.ivanti.com.au/support/contact
Added drilldowns to main dashboard.