Splunk Integration

In this section, we guide you on how to integrate Jscrambler into your Splunk Enterprise Instance so you have more visibility over Jscrambler's Real-Time Notifications.

First, there are some things to be configured on your Splunk Instance's end:

Splunk Instance configurations

In order to receive data on Splunk, you'll need to enable the HTTP Event Collector on your Splunk instance.

Enabling HTTP Event Collector

Go to Settings > Data Inputs. Then, click on HTTP Event Collector, and click on the New Token button. You will be shown a form:

HTTP Event Collector Setup Form

The values of these fields are not important at this stage, this is just an example, you can adapt it according to your use case. After you complete it, click Next, and you'll be prompted to select the Allowed Indexes and the default index. We advise you to create a specific index for Jscrambler notifications, but you can also use an existing one if you want to.

To create a new index, you can click Create a new index link.

HEC default index selection

You will be prompted with a form. In this step, you only need to choose a name for the Index, which can be any name you want. As an example, we chose the name jscrambler_notifications, and left everything else as is:

Index Setup Form

The remainder of the fields can be customized to your use case and needs. For a more thorough guide on how to create custom indexes, please check the Splunk official documentation.

After the index is created, you can select it and click Review. Validate the settings and click Submit, once you do, your Token will be created.

Your Splunk instance is now ready to receive Jscrambler Notifications through the HEC created.

Add a Webhook driver for Splunk

Go to the Integrations page (this is only available on Jscrambler 8.0 and above) of your Jscrambler application and create a new Splunk Notification Driver.

Webhook Notification Driver Form

Specify the following fields:

  • Title: A readable name to identify the driver
  • Endpoint to send a post request: The URL of the webhook of your splunk instance. The url should be like this: $PROTO://$SPLUNK_INSTANCE_URL:$PORT/services/collector/raw, if you've not changed the default port, it should be 8088. The SPLUNK_INSTANCE_URL can differ slightly depending on what kind of setup you are using (Splunk Cloud Platform or Enterprise), for more info check the documentation
  • HTTP Event collector token: The token you saved when you created the HEC

After filling the form, you can click Create. Your real-time notifications should now be sent to your Splunk instance.

Visualizing data on Splunk

You can install a Jscrambler Splunk App from splunkbase marketplace. This comes with a pre-configured dashboard where you can view the notifications and their details. After opening the dashboard you just have to select the index where the notifications are stored (the one you've chosen when creating the HEC) and the time range.

There is an additional input field named Jscrambler Dashboard URL, this is used on buttons/links that redirect you to the Jscrambler Dashboard. There is no need to change this unless you are using a Private Cloud or Enterprise VM of Jscrambler, the default value is Jscrambler SaaS.

Here is an example of how the dashboard will look like: Splunk App Dashboard

Resources