The setup_splunk_standalone.py script prepares a standalone Splunk installation for integration with the Intsights Virtual Appliance. It runs inside the agent-integrator container on the appliance and reaches Splunk over SSH and over the REST management port (8089), where it creates the intsights_ioc_app app and the intsights_ioc_store KV store and then either reloads transforms.conf or restarts Splunk. Rerunning the script is destructive: it deletes and recreates both the app and the KV store, so any IOC data already in intsights_ioc_store is lost. Both passwords are prompted for interactively rather than taken on the command line, so they do not end up in the shell history.
SSH to the TIP Appliance and enter expert mode by selecting 2 and then 4 in the menu.
Print the built-in help:
$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py --help
usage: setup_splunk_standalone.py [-h] -H HOSTNAME --ssh-username SSH_USERNAME
                                  --api-username API_USERNAME
                                  [--restart | --reload-transforms]

Setup script for Intsights <-> Splunk integration.

optional arguments:
  -h, --help            show this help message and exit
  -H HOSTNAME, --hostname HOSTNAME
                        The hostname for Splunk.
  --ssh-username SSH_USERNAME
                        The SSH user for Splunk.
  --api-username API_USERNAME
                        The REST API username for Splunk.

Apply transforms.conf configuration:
  --restart             Restart Splunk after finishing the configuration.
  --reload-transforms   Reload the transforms.conf for Splunk after finishing
                        the configuration.
Configure Splunk and reload transforms.conf without restarting it (192.168.0.27 is an example address; the SSH password prompt names the user given with --ssh-username):
$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py -H 192.168.0.27 --ssh-username root --api-username admin --reload-transforms
Please enter the Splunk REST API password for user admin:
Please enter the Splunk SSH password for user root:
Deleting Splunk App intsights_ioc_app (if it exists).
Creating Splunk App intsights_ioc_app.
Deleting IOC KV store "intsights_ioc_store" (if it exists).
Creating IOC KV store "intsights_ioc_store".
Configuring IOC KV store "intsights_ioc_store".
Getting Splunk UI login.
Reloading transforms.conf
Splunk configuration finished successfully.
The same setup, restarting Splunk after the configuration instead of reloading transforms.conf:
$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py -H 192.168.0.27 --ssh-username root --api-username admin --restart
Please enter the Splunk REST API password for user admin:
Please enter the Splunk SSH password for user root:
Deleting Splunk App intsights_ioc_app (if it exists).
Creating Splunk App intsights_ioc_app.
Deleting IOC KV store "intsights_ioc_store" (if it exists).
Creating IOC KV store "intsights_ioc_store".
Configuring IOC KV store "intsights_ioc_store".
Restarting Splunk.
Splunk configuration finished successfully.
Add --debug (not listed in the --help output) to log every REST request to Splunk together with the full response headers and body. Review a debug transcript before sharing it, since it reproduces those responses verbatim.
$ docker exec -it agent-integrator python3 integrator/integrators/splunk/scripts/setup_splunk_standalone.py -H 192.168.0.27 --ssh-username root --api-username admin --reload-transforms --debug
Please enter the Splunk REST API password for user admin:
Please enter the Splunk SSH password for user root:
Deleting Splunk App intsights_ioc_app (if it exists).
Performing HTTP DELETE request to URL https://192.168.0.27:8089/services/apps/local/intsights_ioc_app, args: (), kwargs: {}.
HTTP status code was 200, headers "{'Content-Type': 'text/xml; charset=UTF-8', 'X-Frame-Options': 'SAMEORIGIN', 'Date': 'Wed, 29 Nov 2017 12:06:49 GMT', 'Connection': 'Keep-Alive', 'X-Content-Type-Options': 'nosniff', 'Content-Encoding': 'gzip', 'Server': 'Splunkd', 'Cache-Control': 'no-store, no-cache, must-revalidate, max-age=0', 'Content-Length': '504', 'Expires': 'Thu, 26 Oct 1978 00:00:00 GMT', 'Vary': 'Accept-Encoding, Cookie, Authorization'}", body: "<?xml version="1.0" encoding="UTF-8"?>
--- Trimmed for brevity ---
Refreshing admin/transforms-lookup OK
DONE
Splunk configuration finished successfully.
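After the script reports success, it is worth confirming independently that the objects it says it created actually exist on the Splunk side. The following is an added example for this page and is not part of the Intsights script: it queries the same splunkd management port seen in the debug output (8089) for the intsights_ioc_app app and the intsights_ioc_store KV store collection, and parses the Atom XML that splunkd returns. The two endpoint paths are Splunk's standard REST endpoints for local apps and KV store collection definitions; the host, the credentials and the sample response feed in the code are constructed for illustration.

```python
"""Verify the app and KV store that setup_splunk_standalone.py reports creating.

Added example, not part of the Intsights integration code. Host, credentials
and SAMPLE_APP_FEED are constructed for illustration.
"""
import base64
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Object names taken from the setup script's output.
APP = "intsights_ioc_app"
STORE = "intsights_ioc_store"

# Constructed sample of a splunkd Atom feed for a single app (not a real capture).
SAMPLE_APP_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>apps/local</title>
  <entry>
    <title>intsights_ioc_app</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="disabled">0</s:key>
        <s:key name="label">IntSights IOC App</s:key>
        <s:key name="version">1.0</s:key>
        <s:key name="eai:acl">
          <s:dict><s:key name="app">system</s:key></s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_entries(xml_body: str) -> dict:
    """Map each <entry> title in a splunkd Atom feed to its scalar s:key values.

    Only direct children of <content>/<s:dict> are read, and keys that hold
    nested structures (such as eai:acl) are skipped rather than flattened.
    """
    root = ET.fromstring(xml_body)
    entries = root.findall(f"{ATOM}entry") if root.tag == f"{ATOM}feed" else [root]
    result = {}
    for entry in entries:
        props = {}
        for key in entry.findall(f"{ATOM}content/{SREST}dict/{SREST}key"):
            if len(key):            # nested dict/list value: skip
                continue
            props[key.get("name")] = (key.text or "").strip()
        result[entry.findtext(f"{ATOM}title")] = props
    return result


def summarize(app_entries: dict, store_entries: dict) -> dict:
    """Reduce the two parsed responses to the checks an operator cares about."""
    return {
        "app_present": APP in app_entries,
        "app_enabled": app_entries.get(APP, {}).get("disabled") == "0",
        "store_present": STORE in store_entries,
    }


def splunk_get(base_url: str, path: str, username: str, password: str,
               cafile: Optional[str] = None) -> str:
    """GET a splunkd REST path with HTTP Basic auth and return the body as text.

    The management port uses a self-signed certificate by default; pass the
    CA bundle that signed it via cafile instead of disabling verification.
    """
    req = urllib.request.Request(base_url + path)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def fetch_entries(base_url: str, path: str, username: str, password: str,
                  cafile: Optional[str] = None) -> dict:
    """Fetch and parse one endpoint; a 404 (object absent) yields an empty dict."""
    try:
        return parse_entries(splunk_get(base_url, path, username, password, cafile))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def verify_setup(base_url: str, username: str, password: str,
                 cafile: Optional[str] = None) -> dict:
    """Check the app and the KV store definition the setup script creates."""
    app = fetch_entries(base_url, f"/services/apps/local/{APP}", username, password, cafile)
    store = fetch_entries(
        base_url, f"/servicesNS/nobody/{APP}/storage/collections/config/{STORE}",
        username, password, cafile)
    return summarize(app, store)


if __name__ == "__main__":
    import getpass
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.27"   # example address
    user = sys.argv[2] if len(sys.argv) > 2 else "admin"
    pw = getpass.getpass(f"Splunk REST API password for user {user}: ")
    print(verify_setup(f"https://{host}:8089", user, pw))
```

Run it as `python3 verify_splunk_setup.py 192.168.0.27 admin` with the same REST API user the setup script used; all three values in the printed dict should be True after a successful run. The password is read with getpass for the same reason the setup script prompts for it: so it never appears in the command line or shell history.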