
Setting Up Splunk

To add Splunk as a destination in the Infoblox Portal, complete the following:

  1. Log in to the Infoblox Portal.
  2. Click Configure > Integrations > Data Connector.
  3. On the Destination Configuration tab, from the Create drop-down list, choose Splunk.
  4. In the Create Splunk Destination Configuration dialog, complete the following:
    • Name: Enter the name of the destination. Select a name that best describes the destination and can be distinguished from other destinations. The field length is 256 characters.
    • Description: Enter the description of the destination. The field length is 256 characters.
    • State: Use the toggle switch to enable or disable the destination configuration. By default, the State is disabled. If the destination configuration is disabled, you will not be able to select this destination when creating a traffic flow.
    • Tags: Click Add and specify the following to associate a key with the destination:

      • KEY: Enter a meaningful name for the key, such as a location or department.  

      • VALUE: Enter a value for the key. For details, see Managing Tags.

  5. In the SPLUNK DETAILS section, complete the following:
    • FQDN/IP: Enter the FQDN or the IP address of the Splunk indexer along with the port to which you want the Data Connector to send data. You can add multiple destination servers, separated by commas. If the same source data type is configured in more than one flow, all servers receive the same copy of the data. To avoid sending the same copy of the data to multiple servers, Infoblox recommends configuring different source data types.
    • Index Name: Enter the name of the Splunk index. An index is a collection of directories and files that are located under $SPLUNK_HOME/var/lib/splunk.
    • Log Format: Choose one of the following log formats from the drop-down menu:
      • Infoblox Legacy: Choose this to send data in CSV format.
      • Splunk CIM: Choose this to send data in Splunk Common Information Model format. Depending on your selection, the log messages you have chosen will be sent to Splunk in the selected format.
    • Insecure Mode: Based on the mode that you intend to use for data transport, perform one of the following:
      • Insecure mode: By default, the Insecure Mode checkbox is enabled. Retain the selection if you intend to use the insecure mode.
      • Secure mode: Clear the Insecure Mode checkbox and complete the following steps to upload certificates for secure transport.
  6. (For secure mode only) In the Splunk Forwarder Certificate section, complete the following:
    • Forwarder Certificate: Click Select file, browse to the respective path, and upload the forwarder certificate for the Splunk forwarder. You must first generate a certificate request in .PEM format. This certificate request must be signed by a third-party certification authority (CA) for you to get a forwarder certificate. For more information, refer to the Splunk documentation.
    • Certificate Key Passphrase: Enter the key passphrase for the certificate.
    • (For secure mode only) In the Splunk CA Certificate section, click Select file, browse to the respective path, and upload the CA-signed certificate for the Splunk indexer.
  7. Click Save & Close to create the destination.
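
For secure mode (step 6), the certificate files can be checked locally with `openssl` before they are uploaded. The script below is an added example, not part of the Infoblox or Splunk documentation. The function names, file names, passphrase, and 30-day expiry threshold are assumptions, and the sample CA and forwarder certificate are constructed only to make it runnable.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check of the secure-mode certificate material.
# Assumption: certificate and encrypted key may be separate PEM files; if one
# PEM holds both, pass the same path for CERT and KEY.

# check_forwarder_bundle CERT KEY CA PASSPHRASE
# Prints OK and returns 0, or names the failed check and returns 1-4.
check_forwarder_bundle() {
  local cert="$1" key="$2" ca="$3" pass="$4" cert_pub key_pub
  # 1. The forwarder certificate must chain to the CA certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "chain: FAIL"; return 1; }
  # 2. The passphrase must decrypt the private key. "pass:" is used for
  #    brevity; "env:" or "file:" keeps it out of the process list.
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) ||
    { echo "passphrase: FAIL"; return 2; }
  # 3. The key must be the one the certificate was issued for.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "key match: FAIL"; return 3; }
  # 4. Assumed policy: reject certificates that expire within 30 days.
  openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1 ||
    { echo "expiry: FAIL"; return 4; }
  echo "OK"
}

# make_sample_pki DIR PASSPHRASE: throwaway CA and forwarder cert (constructed).
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -passout "pass:$2" \
    -subj "/CN=forwarder.example.test" \
    -keyout "$1/fwd.key" -out "$1/fwd.csr" 2>/dev/null
  openssl x509 -req -in "$1/fwd.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$1/fwd.pem" 2>/dev/null
}

# Demo on constructed sample material.
demo() {
  d=$(mktemp -d)
  make_sample_pki "$d" "constructed-passphrase"
  check_forwarder_bundle "$d/fwd.pem" "$d/fwd.key" "$d/ca.pem" "constructed-passphrase"
  rm -rf "$d"
}
demo
```

A non-zero return identifies which input to fix before saving the destination: 1 for the CA chain, 2 for the passphrase, 3 for a key that does not belong to the certificate, 4 for expiry.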

For information on updating the Splunk server's configuration files, see Updating the Configuration Files.