Splunk App & Technology Add-On [old version]

Updated 6 months ago by Elvis Hovor

Splunk App & Tech Add-On [Current Version]


This article describes the Splunk App built for TruSTAR and gives a step-by-step guide to installing, configuring and troubleshooting the TruSTAR App for Splunk.

The Splunk App lets users bring the context of TruSTAR's IOCs and incidents into their Splunk analysis workflow. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members.

Workflow Illustration


The list below summarizes the prerequisites. Make sure the following components are downloaded and available before you start.

Splunk Enterprise 6.5.0 or above.

Splunk Enterprise can be downloaded from: https://www.splunk.com/en_us/download/splunk-enterprise.html

To install Splunk Enterprise, follow the guidelines at: http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/InstallSplunk

Environment variable: set SPLUNK_HOME to the Splunk installation directory. The CLI commands and the add-on's log file referred to below are located relative to it.

App Installation

You will need to download both bundles listed below. Download links are given in the "Manual Installation" section.

Bundle Name: Technology Add-on for Trustar (TA-trustar)
Description: Fetches reports and IoC data from TruSTAR through a modular input and indexes them so they can be searched. This bundle must be installed first.

Bundle Name: TruSTAR App for Splunk
Description: Contains all the dashboards that display the data received from TruSTAR Station.


The installation process for the TruSTAR app differs depending on your Splunk environment.

Manual Installation

We have recently updated our Splunk app, and it is currently undergoing recertification by Splunk. Until Splunkbase Marketplace is updated, we highly recommend downloading the Splunk files from these links:

1. Technology Add-on for Trustar: https://splunkbase.splunk.com/app/3679/
2. TruSTAR App for Splunk: https://splunkbase.splunk.com/app/3678/

After successfully downloading both bundles, follow these steps:

1. Select the gearwheel icon in the Apps sidebar on the left side of the page. This takes you to the Manage Apps page.
2. Click the "Install app from file" button in the upper right area of the "Apps" pane.
3. Upload the Technology Add-on .spl file.
4. Repeat step 2 and upload the TruSTAR App .spl file.
5. After both files have been uploaded, scroll down to the "App Configuration" section of this page and follow its instructions.

Installation on Standalone Splunk Deployment

In a single-server deployment, one instance of Splunk Enterprise acts as data collection node, indexer and search head. Install both TA-trustar and the TruSTAR App on this node, then complete the TA-trustar setup to start data collection.

Installation on Distributed Splunk Deployment

In a distributed deployment, Splunk Enterprise is installed on at least two instances: one node works as search head and another as indexer and data collection node. The TruSTAR App only needs to be installed on the search head. The TA-trustar add-on needs to be installed on all indexer and data collection nodes.

In a distributed environment, note the following:
• If you have a separate data collection node, make sure it is running the full Splunk Enterprise version (the modular input needs the Python runtime that a universal forwarder does not ship).
• Complete the setup of TA-trustar on the data collection node(s) only. No setup is needed on the search head.

Installation on Splunk Cloud

In Splunk Cloud, indexing takes place in the cloud instance. Data collection takes place on an on-premises Splunk Enterprise instance acting as a heavy forwarder; install and set up TA-trustar there.

Installation from Command Prompt

To install from the command line, go to the $SPLUNK_HOME/bin folder and run the following commands, the TA first:

    ./splunk install app TA-trustar.spl
    ./splunk install app Trustar.spl

App Configuration

TA-trustar must be configured first.

The configuration process for TA-trustar is as follows:

• Log in to your Splunk instance (in a distributed deployment, the data collection node).
• Click the TruSTAR app in the left bar.
• Go to Settings -> Data inputs.
• On the "TruSTAR Configuration" line, select "+ Add new".
• Fill in the configuration details (see the parameter table below).
• Select "Enable data collection" to start ingesting data from the TruSTAR enclaves. No indicators or reports will be ingested into Splunk while this option is unselected.
• List the IDs of the enclaves you want to ingest data from in the "Enclave IDs" field, separated by commas for multiple IDs. You can find the enclave IDs in the TruSTAR platform in your profile under Settings.
• Click "More Settings" if you want to customize the index name and polling frequency. Leave these at their default values if unsure.

Input Parameters (parameters marked "required" must be set)

REST Input Name
    A name you assign to the input. It can be anything you like, but must be unique for each modular input.

URL to Connect
    Use https://station.trustar.co. This is the TruSTAR Station URL from which data is collected by API calls.

API Authentication Key
    Authentication key used for API calls to TruSTAR Station. Available under Settings -> API in your TruSTAR Station account.
    The value is shown in clear text while you fill out the TruSTAR Configuration form, but once the REST input is saved Splunk stores it encrypted through its storage/passwords endpoint (passwords.conf) rather than in inputs.conf. That encryption is keyed by the instance's splunk.secret file, so it protects against casual reading of the configuration files, not against anyone who can also read $SPLUNK_HOME/etc/auth/splunk.secret.
    When you edit the modular input later this field will be blank.

API Secret
    Secret key used for API calls to TruSTAR Station. Available under Settings -> API on TruSTAR Station. It is handled the same way as the Authentication Key: entered in clear text, stored encrypted after saving, and shown blank on edit.

Date (UTC, in "YYYY-MM-DD hh:mm:ss" format)
    The app fetches all reports from the enclaves listed in "Enclave IDs" that are timestamped between this date and the present. For optimal performance set this date no earlier than 7 days (168 hours) before the present date/time; a longer lookback makes the initial fetch correspondingly heavier.

SSL Certificate Path
    File path to the SSL certificate used to verify TruSTAR Station when this app makes API requests. No path is needed if Station presents a certificate signed by a CA your system already trusts.

Enable Data Collection (required)
    Enabling data collection starts polling data from the TruSTAR enclaves specified.

Enclave IDs (required)
    Enter the enclave IDs to pull data from. To pull data from multiple enclaves, separate each ID with a comma.

HTTPS Proxy Address
    Proxy address to use for communication with TruSTAR Station, e.g. https://user:pass@ followed by the proxy host. Proxy credentials, if any, are embedded in this URL.

Polling Interval
    Interval in seconds. All API calls to this TruSTAR Station are executed at the specified interval.

Set sourcetype
    "sourcetype" is a standard Splunk field. This setting lets you select a sourcetype from a list of options, type one in manually, or let the app set the value automatically. The default is to let the app set it automatically, which is done in the app's code.

Index
    Selects the index used for TruSTAR data. The index must already exist in the Splunk environment. If no value is provided, the "main" index is used by default.
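The rules this table states (the fixed Station URL, the UTC date format and the 7-day lookback advice, comma-separated enclave IDs, a positive polling interval, the optional certificate path and proxy) can be checked against a configuration before it is saved. The following Python is an added example written for this article, not code from the TruSTAR add-on; the dictionary keys it uses (url, api_key, api_secret, enable_data_collection, enclave_ids, start_date, interval, ssl_cert_path, proxy) and the sample values are this example's own assumptions, not the add-on's real inputs.conf keys.

```python
"""Pre-flight checks for a TA-trustar modular input configuration.

Added example for this article; it is not code from the TruSTAR add-on.
It re-implements the rules stated in the parameter table above (Station
URL, UTC date format and 7-day lookback advice, comma-separated enclave
IDs, positive polling interval, optional cert path and proxy) so a config
can be checked before it is saved. The dict keys used here (url, api_key,
start_date, ...) are this example's own names, not the add-on's real
inputs.conf keys.
"""
from __future__ import annotations

import os
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

STATION_URL = "https://station.trustar.co"   # "URL to Connect" from the table
MAX_LOOKBACK = timedelta(hours=168)          # "no earlier than 7 days (168 hrs)"
DATE_FMT = "%Y-%m-%d %H:%M:%S"               # "YYYY-MM-DD hh:mm:ss", UTC


def parse_enclave_ids(raw: str) -> list[str]:
    """Split the comma-separated Enclave IDs field, dropping blanks and duplicates."""
    ids: list[str] = []
    for part in raw.split(","):
        eid = part.strip()
        if eid and eid not in ids:
            ids.append(eid)
    return ids


def redact_proxy(proxy: str) -> str:
    """Return the proxy URL with any embedded user:pass masked, safe for logging."""
    p = urlsplit(proxy)
    if not (p.username or p.password):
        return proxy
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, f"***:***@{host}", p.path, p.query, p.fragment))


def validate(config: dict, now: datetime | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the input looks sane."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []

    if config.get("url", "").rstrip("/") != STATION_URL:
        problems.append(f"url must be {STATION_URL}")
    for key in ("api_key", "api_secret"):
        if not config.get(key):
            problems.append(f"{key} is empty")
    if not config.get("enable_data_collection"):
        problems.append("enable_data_collection is off: nothing will be ingested")
    if not parse_enclave_ids(config.get("enclave_ids", "")):
        problems.append("enclave_ids is empty")

    # Date must be UTC in the table's format; older than 168h is allowed but slow.
    try:
        start = datetime.strptime(config["start_date"], DATE_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError):
        problems.append(f"start_date must be a UTC timestamp in '{DATE_FMT}' form")
    else:
        if start > now:
            problems.append("start_date is in the future")
        elif now - start > MAX_LOOKBACK:
            problems.append("start_date is more than 7 days back; the initial fetch will be slow")

    try:
        interval = int(config.get("interval", 0))
    except (TypeError, ValueError):
        interval = 0
    if interval <= 0:
        problems.append("interval must be a positive number of seconds")

    cert = config.get("ssl_cert_path")
    if cert and not os.path.isfile(cert):
        problems.append(f"ssl_cert_path does not exist: {cert}")
    proxy = config.get("proxy")
    if proxy and urlsplit(proxy).scheme not in ("http", "https"):
        problems.append(f"proxy must be an http(s) URL, got {redact_proxy(proxy)}")
    return problems


# Constructed sample configuration (not a real account, enclave or proxy).
SAMPLE = {
    "url": "https://station.trustar.co",
    "api_key": "example-key",
    "api_secret": "example-secret",
    "enable_data_collection": True,
    "enclave_ids": "enclave-a, enclave-b, enclave-a",
    "start_date": "2019-12-01 00:00:00",
    "interval": 300,
    "proxy": "https://user:pass@proxy.example:3128",
}

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("WARN:", problem)
    print("proxy for logs:", redact_proxy(SAMPLE["proxy"]))
```

The redact_proxy helper is there because a proxy URL carrying user:pass should never reach a log line as typed; the validator uses it whenever it has to echo the proxy setting back.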

Change Macro Definition

If you did not change the destination index in App Configuration, skip this section.

If you changed the destination index from "default", follow these steps:

1. Open the Search Head UI.
2. Go to Settings -> Advanced search -> Search macros.
3. Select "TruSTAR App for Splunk" in the App Context dropdown.
4. Change the `trustar_get_index` macro definition to index="<new index name>".

NOTE: There is no need to modify the `trustar_get_index_and_sourcetype` macro for this change.

Using the App

The TruSTAR App consists of the following dashboards.

The main dashboard shows the count of reports and indicators imported and matched, for all time and for the last 4 hours. Its panels are:

1. Matched Data: four single values for matched data.
   1. Count of matched reports in the last 4 hours, with the trend against the previous 4 hours.
   2. Count of matched indicators in the last 4 hours, with the trend against the previous 4 hours.
   3. Count of matched reports, all time.
   4. Count of matched indicators, all time.
2. Imported Data: four single values for imported data.
   1. Count of imported reports in the last 4 hours, with the trend against the previous 4 hours.
   2. Count of imported indicators in the last 4 hours, with the trend against the previous 4 hours.
   3. Count of imported reports, all time.
   4. Count of imported indicators, all time.

Reports Tab

This screen displays report details such as name, creation time, distribution, last scan and the count of matches for each report.

Report Details

Users reach this dashboard by drilling down on a report name from the TruSTAR Reports dashboard. It displays all details of the selected report: name, total indicator count, report body and a table of all related indicators. From here the user can investigate an indicator in raw events and take actions such as marking an IOC as a false positive so that it is excluded from future matches.

Indicators Tab

This screen displays basic details of indicators: time of download, value, count of correlated reports, status and count of matched reports. Users can also investigate an IOC in raw events and mark an IOC as a false positive so that it is excluded from future matches.

Upgrade App

You can upgrade the TruSTAR App and TA through the CLI or the UI.

Upgrade through CLI:
• Download the tar of the App or TA from Splunkbase.
• Stop the Splunk server.
• Run: $SPLUNK_HOME/bin/splunk install app APP_NAME.tgz -update 1 -auth username:password
  (if you omit -auth, the CLI prompts for credentials instead of leaving the password in your shell history and process listing)
• Start the Splunk server.

Upgrade through UI:
• Click Manage Apps.
• Find the TruSTAR App and TA entries in the list.
• Click the link to the newer version under the Version column for the related entry.

Manual Upgrade:
• Click Manage Apps.
• Click "Install app from file".
• Locate the TruSTAR TA (or App) file on your local drive.
• Tick "Upgrade app".
• Click Upload.

App Architecture

This section describes the overall app architecture.

Index

Access Path: Settings → Indexes

The TruSTAR App for Splunk populates its panels from the index chosen when the data input was configured. By default data goes to the "main" index unless you change it while configuring the data input.

The app defaults to Splunk's "main" index for simplicity. A dedicated index is worth considering in production: it lets you give TruSTAR data its own retention settings and restrict which roles can search it, at the cost of the macro change described in the macro section.

Refer to the following URL to create a custom index: http://docs.splunk.com/Documentation/Splunk/6.5.0/Indexer/Setupmultipleindexes

Note: if the index name is changed, follow the steps in the macro section.


Source Types

Access Path: Settings → Source Types

Source type is a default Splunk field used to categorize and filter indexed data and narrow down search results. Since the TruSTAR app collects two different types of data from TruSTAR Station, it indexes them under two source types, so that reports and indicators are kept separate:

Reports source type: contains all the reports sent from TruSTAR Station to Splunk via the REST API.

Indicators source type: contains all the indicators sent from TruSTAR Station to Splunk via the REST API.


Search Macros

Access Path: Settings → Advanced Search → Search Macros

All the visualizations in the TruSTAR App for Splunk go through the `trustar_get_index` macro, which tells the app which index the TruSTAR data is in. By default it refers to the "main" index; if the user changes the index on the data input, the same change must be made in the macro.

The TruSTAR App for Splunk has a second macro, `trustar_get_index_and_sourcetype`, which tells the app which index(es) and sourcetype(s) of your own event data should be searched for matches against TruSTAR indicators. By default it refers to index=*, i.e. every index the searching user's role can see; if only specific indexes and source types should be considered for matches, narrow the macro accordingly. Narrowing it also reduces the cost of the match searches.


Known Limitations

• There is a known limitation in Splunk where the TruSTAR App icon does not update without restarting Splunk. It is therefore recommended to restart Splunk after installing the TruSTAR App to load the app icon.
• There is a known limitation in Splunk modular inputs on Windows machines: when the input fails, the UI shows a generic failure message instead of the actual error that was raised. Check the log file named in the troubleshooting section for the real error.


Troubleshooting

After installation is complete, all the dashboards start populating with data.

If you do not see data in the dashboards, use the following steps to troubleshoot:

1. Confirm that the `trustar_get_index` macro matches the index selected when creating the modular input:
   1. Go to Settings -> Data inputs -> TruSTAR Configuration.
   2. Check the index field for each entry in the list view.
   3. If index=default, Splunk uses the default index, which is "main".
   4. Now go to Settings -> Advanced search -> Search macros.
   5. Open the entry named `trustar_get_index` and verify its definition. It must name the index verified in step 2.
   6. For example, if all modular input entries have index=default in step 2, set the macro definition to index=main and save.
   7. If a specific index has been set on a modular input, add it to the macro definition.
2. Run the following search to verify that data is being indexed into Splunk:

       search `trustar_get_index` | stats count by sourcetype

3. Verify that SPLUNK_HOME points to the correct Splunk directory.
4. Look for errors in the trustar_modinput.log file, located under $SPLUNK_HOME/var/log/trustar.
5. If the Authentication Key or Secret Key for your account was changed after the modular input was set up, update it from the modular input UI:
   • Go to Settings -> Data Inputs -> TruSTAR Configuration.
   • Open the specific TruSTAR Station entry and enter the new Authentication Key and Secret Key in both fields.
   • On save, the modified keys are updated for that TruSTAR Station.
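The index/macro mismatch covered in "Change Macro Definition", in the Search Macros section and in step 1 above is easy to check offline from the .conf files themselves. The following Python is an added example written for this article, not code from the TruSTAR app or add-on: it reads inputs.conf-style and macros.conf-style text, resolves index=default to "main" as described above, and reports any index the inputs write to that `trustar_get_index` does not search. The `trustar://` stanza prefix, the `index` and `disabled` keys and the sample stanzas are assumptions about how the add-on stores its inputs; the macro names come from this page.

```python
"""Check that the `trustar_get_index` macro searches every index the
TruSTAR modular inputs write to.

Added example for this article; it is not code from the TruSTAR app or
add-on. It parses inputs.conf-style and macros.conf-style text with
configparser (Splunk .conf files are INI-like). The stanza prefix
`trustar://`, the `index` and `disabled` keys, and the sample stanzas are
assumptions about how the add-on stores its inputs; the macro names and
the rule that index=default means "main" come from the article.
"""
from __future__ import annotations

import configparser
import re

DEFAULT_INDEX = "main"         # what Splunk uses when the input says "default"
INPUT_PREFIX = "trustar://"    # assumed modular-input stanza scheme
MACRO_NAME = "trustar_get_index"


def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str       # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def input_indexes(inputs_conf: str) -> set[str]:
    """Indexes that enabled TruSTAR inputs write to (index=default -> main)."""
    cp = _parse(inputs_conf)
    found: set[str] = set()
    for section in cp.sections():
        if not section.startswith(INPUT_PREFIX):
            continue
        if cp.get(section, "disabled", fallback="0").strip().lower() in ("1", "true"):
            continue
        idx = cp.get(section, "index", fallback="default").strip()
        found.add(DEFAULT_INDEX if idx in ("", "default") else idx)
    return found


def macro_indexes(macros_conf: str) -> set[str]:
    """Index names the macro definition searches, e.g. index="a" OR index=b."""
    definition = _parse(macros_conf).get(MACRO_NAME, "definition", fallback="")
    return {m.strip("\"'") for m in re.findall(r'index\s*=\s*("[^"]*"|\S+)', definition)}


def missing_from_macro(inputs_conf: str, macros_conf: str) -> set[str]:
    """Indexes the inputs write to that the macro does not search (dashboards stay empty)."""
    return input_indexes(inputs_conf) - macro_indexes(macros_conf)


def macro_definition(indexes) -> str:
    """Definition to paste into Settings -> Advanced search -> Search macros."""
    return " OR ".join(f'index="{i}"' for i in sorted(indexes))


# Constructed sample files: one input moved to a custom index, one left at the
# default, one disabled, and a macro still pointing at "main" only.
INPUTS_CONF = """\
[trustar://station-prod]
index = trustar
interval = 300

[trustar://station-lab]
interval = 3600

[trustar://station-old]
index = archive
disabled = 1
"""

MACROS_CONF = """\
[trustar_get_index]
definition = index="main"

[trustar_get_index_and_sourcetype]
definition = index=*
"""

if __name__ == "__main__":
    gap = missing_from_macro(INPUTS_CONF, MACROS_CONF)
    if gap:
        print("macro misses:", sorted(gap))
        print("set `trustar_get_index` to:", macro_definition(input_indexes(INPUTS_CONF)))
    else:
        print("macro covers every TruSTAR input index")
```

To use it on a real deployment, feed it the contents of the add-on's local inputs.conf from the data collection node and the app's local macros.conf from the search head (the exact paths under $SPLUNK_HOME/etc/apps are an assumption; Splunk's usual local/ override layout applies). Disabled inputs are ignored so that a retired index does not keep showing up as a mismatch.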
Please check out our comprehensive Splunk FAQs.
For any other questions, reach out to support@trustar.co.
