Splunk v1.0.9 FAQ

Updated 1 month ago by Elvis Hovor

This document explains how to install the TruSTAR App and Add-on for Splunk in an air-gapped environment or from the CLI, how to update or uninstall it, and covers basic troubleshooting steps.

Have Splunk ES? Reference our guides here

What's New in Release 1.0.9

  • Improved ingestion Options - The updates provides our users with the ability to ingest not only TruSTAR reports but also their IOC list that were submitted to TruSTAR using IOC management. IOC management is a capability that allows users to submit large amounts of IOCs into TruSTAR as a collection. Users can now ingest their IOC lists into Splunk to be correlated against.
  • Splunk App Dashboard Update - The new App dashboard is more streamlined making relevant information more visible to the user. Users can now see the sources/enclaves from which indicators were ingested into Splunk.
  • Optimized Queries - The TruSTAR app is more efficient in data ingest and has optimized Splunk queries.

Installing in an Air-Gapped Environment

When the instance where you want to install the TruSTAR App and Add-on is not connected to the internet, you will need to download the TruSTAR files and then manually move them to the instance. 

Download the files:


Installing from the CLI (Command Line Interface)

TruSTAR recommends installing the App from the user interface but you can choose to install from the command line by following these instructions:

  1. Download the files:


  1. Execute the following commands:
  • ./splunk install app TA-trustar.spl
  • ./splunk install app Trustar.spl 

Uninstalling the TruSTAR App

To manually delete the integration:

  • Go to $SPLUNK_HOME/etc/apps/ and remove TA-trustar and Trustar 
  • Restart Splunk

Updating the TruSTAR Integration

You can update the integration from the user interface, the command line, or manually.

To update through the user interface:

  1. Click Manage Apps.
  2. Find the Trustar App And TA entry from list.
  3. Click the link of the newer version under Version Column on related entry.
  4. Install the TA first, followed by the App.

To update from the command line:

  1. Download the tar of App or TA from Splunkbase.
  2. Stop the Splunk server.
  3. Execute this command: $SPLUNK_HOME/bin/splunk 
  4. Install app using this command: APP_NAME.tgz –update 1 –auth username:password
  5. Restart the Splunk Server.

To update manually:

  1. Click Manage Apps.
  2. Click Install App from File.
  3. Locate the Trustar TA file on your local drive.
  4. Select Upgrade App.
  5. Click Upload.
  6. Repeat the above steps for the TruSTAR app.


Q. Why is my Dashboard not being populated?

A: On initial setup of the TruSTAR app it takes about 24 hours depending on the amount of data being ingested into TruSTAR for all data to be downloaded into the splunk and the dashboard to be fully populated. To confirm if data is being ingested selected the imported data tab and check if new reports are being downloaded. Reach out to TruSTAR support if the dashboard isn't fully populated after 48 hours.

Q. Can Splunk index my TruSTAR logs to an index of my choice?

A:T Yes, and this is a convenient way to use the Splunk user interfaceto look at the logs generated by your TruSTAR integration components.

  • Create a file/directory monitor input and have it monitor this directory: $SPLUNK_HOME/var/log/trustar/ (replace $SPLUNK_HOME with your splunk directory.) That directory will have 2 log files: "trustar_match.log" and "trustar_modinput.log".
    • "trustar_modinput.log": this is the log file for the TA.
    • "trustar_match.log": this is the log file for the app.

Q. Where can I find my checkpoint file?

A: A checkpoint file for each rest input can be found in this directory: $SPLUNK_HOME/var/lib/splunk/modinputs/trustar/ and the filename for a given rest input's checkpoint will be the name of the rest input.Known Issues

Q. How do I find out if TruSTAR app search is consuming a lot of Splunk memory?

This Splunk knowledge base document has information on how to identify your top memory consuming searches: http://docs.splunk.com/Documentation/Splunk/7.0.0/Troubleshooting/Troubleshootmemoryusage

Q. Why do I get an authentication error when configuring the TruSTAR App.

  • Check to make sure all your credentials are entered correctly. 
  • Verify that you have write and read access for the enclave you have selected. 
  • Check to see if your firewall is blocking traffic from TruSTAR.

Q. How much storage does TruSTAR use in Splunk?

The TruSTAR app will consume some storage; this is standard for threat intelligence applications that let you match intel against your local Splunk instance. The TruSTAR platform focuses on high value IOCs that have been submitted by other analysts, which means you do not receive large volumes of data.

Each TruSTAR report is approximately 10KB (could be smaller or larger based on the amount of context in the report but should not be significantly different).
A daily download of IOC's should be around 250-500KB (depending on how much data is available in your enclave and the community).

Q How do I manage the kvstore limits in Splunk Cloud?

Splunk Cloud has a hard limit of letting kvstores reach 3 GB in size. At 2 GB, a ticket is automatically generated and Splunk Cloud support reaches out to the customer to have them reduce the size of the kvstore.

You can use this Splunk search to trim your kvstores:

| inputlookup _______[kvstore name]______ | 
where NOT (_time<relative_time(now(), "-180m") |
outputlookup ______[kvstore name])______

This search deletes all entries from a kvstore that were added to that kvstore more than 3 hours before the current time. If you want to change that increment, you can edit the “-180m” to whatever time you prefer, for example, “-1d” or “-1w”.

Q. Will TruSTAR work with a Universal Forwarder?

Our Technology Add-on requires a heavy forwarder if you are deploying in a cluster setup. The Universal Forwarder does not come bundled with Python or a user interface, both of which are required to setup our Technology Add-on. We need Python for Splunk to connect to our REST API and do some pre-processing on the response. Universal Forwarders do not have this capability to connect to a REST API and process data before its indexed.

Splunk documentation for upgrading to a Heavy Forwarder: https://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Upgradeauniversalforwardertoaheavyforwarder

Q. Can I configure custom fields for matches?

For example, can I just match on TruSTAR's IPs or URLs but not everything? This feature is currently not possible with TruSTAR's Splunk V1 app, however users can run custom search queries to . The new Splunk refresh, TruSTAR Splunk App V2 will have be more configurable and users will have ability to select indexes for the app to search against.

Q. Why am I receiving only old reports when pulling reports from an enclave?

It is possible that a stored checkpoint file may have a default date time as it looks back and not respecting the date applied in the TruSTAR app. You can find the checkpoint file directory here: https://support.trustar.co/article/jhyfaoni2r-faq-for-splunk-integration

By wiping the checkpoint it will properly recreate itself and will restart the downloading no further than the date time in the config specified when applying these changes. We also recommend increasing the scan interval to allocate more time to ingest reports.

Known Issues

The Export PDF function on the TruSTAR app doesn’t work. How can I export a report?

The Splunk application does not allow the full download of a PDF in the format used by the TruSTAR App. As a workaround, you can use your browser to save the report; this will guarantee that the full report is downloaded with an appearance close to the original.

The Splunk integration does not have the ability to generate report or indicator tags in Station

How Did We Do?