Splunk TA Add-On Installation

Instructions for installing and configuring the Cortex® Xpanse™ Expander Splunk TA.
To install the Cortex® Xpanse™ Expander Splunk TA:
  1. In the Splunk homepage, navigate to the app directory by clicking the Apps icon.
  2. Click Browse more apps, and search for Expanse to find the Cortex Xpanse Expander add-on.
  3. To install the Cortex Xpanse Expander add-on, click Install.
  4. If the app is not viewable in the App store, you can download the Add-On by browsing to https://splunkbase.splunk.com/app/4622/.
  5. Once installed, click Go Home. The Cortex Xpanse Expander add-on is now ready to configure.
The Cortex Xpanse Expander add-on is not a standalone app, but rather an add-on that you can configure to serve as a Splunk data input. Therefore, there is no separate user interface for the add-on and clicking Open the App does not show anything.
To configure Cortex Xpanse Expander data as the Data Input:
  1. Once you’ve installed your add-on, find the navigation bar at the top of the screen, and select “Settings” → “Data” → “Data inputs” to access the Splunk Data Input Management page.
  2. In the Data Input Management page, under Local inputs, select Expanse Expander New to begin to configure your Cortex Xpanse Expander data as a Splunk data input.
  3. The Cortex Xpanse Expander URL field automatically populates with the Cortex Xpanse Expander’s API endpoint URL. Specify your API token in the appropriate field.
  4. (OPTIONAL) You can make the Cortex Xpanse Expander Add-on proxy aware by inputting an optional proxy server URL (proxy_url) and the path to a custom CA you trust, in PEM format (custom_ca_pem_path).
  5. (OPTIONAL) You can configure your Cortex Xpanse Expander data input to refresh using a time window filter strategy (refresh_time_window_filter_days), refresh by limiting the number of results per API call (refresh_page_size), and use a custom data update interval (update_interval_hours).
  6. Click Next. Your Qadium Expander data is now set up as a Splunk data input.
  7. In the homepage, click Search and Reporting to navigate to the Search page and begin querying.
  8. Using Splunk data query practices, you can now access and query your Cortex Xpanse Expander data through Splunk.
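
A preflight check for the optional proxy_url and custom_ca_pem_path values described in the data input steps above, added here as an example (it is not part of the add-on or of the vendor's documentation). It assumes an HTTP or HTTPS proxy and checks only the PEM structure, not the full X.509 content; the function names, sample URL and sample PEM text are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_proxy_url(proxy_url):
    """Return problems found in a proxy_url value (empty list means none)."""
    problems = []
    parts = urlsplit(proxy_url)
    if parts.scheme not in ("http", "https"):  # assumption: HTTP(S) proxy
        problems.append("scheme is not http or https")
    if not parts.hostname:
        problems.append("no host in URL")
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        problems.append("invalid port")
    return problems

def check_ca_pem(pem_text):
    """Return problems found in the text of the file at custom_ca_pem_path."""
    problems = []
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        problems.append("no PEM blocks found (DER-encoded or empty file?)")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append("contains a private key; a trust file needs certificates only")
        elif label != "CERTIFICATE":
            problems.append("unexpected PEM block: " + label)
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                problems.append("certificate body is not valid base64")
                continue
            if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
                problems.append("certificate body is not a DER SEQUENCE")
    return problems

# Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_BAD = SAMPLE_CA + "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(check_proxy_url("http://proxy.example.internal:3128"))  # constructed URL
    print(check_ca_pem(SAMPLE_CA))
    print(check_ca_pem(SAMPLE_BAD))
```

Run check_ca_pem on the contents of the file you intend to reference before entering its path, so that a DER-encoded file or a bundle that accidentally includes a private key is caught before the input is saved.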
