Splunk FAQ - OLD

Updated 5 months ago by Elvis Hovor

Q. How do I install TruSTAR in a clustered environment?

If you install the TruSTAR add-on on the cluster master node, it is not automatically installed on the cluster peers. You must perform the following steps on the cluster master:

  1. Copy the extracted TA_trustar folder into $SPLUNK_HOME/etc/master-apps.
  2. Verify the index stanza in $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf. The index name must be the same as the one selected in the modular input on the heavy forwarder.
Below is an example stanza for index=trustar. The repFactor = auto setting is critical, as it will replicate this index to all peers.

[trustar]
coldPath = $SPLUNK_DB/trustar/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/trustar/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/trustar/thaweddb
repFactor = auto

Q. Do I need to install the TruSTAR app on all search heads?

Yes, you need to install the TruSTAR app on all search heads. However, users do not have to perform this step manually on each search head. Instead, follow the steps below on the search head deployer:

  1. Copy the extracted folders of TA_trustar and the Trustar App into $SPLUNK_HOME/etc/shcluster/apps.
  2. If the user selected an index other than the default in the modular input configuration on the heavy forwarder, do the following (otherwise skip to the next step): modify the definition of the macro "trustar_get_index" in the file $SPLUNK_HOME/etc/shcluster/apps/Trustar/default/macros.conf.
     For example, if the user selected an index named "trustar" in the modular input on the heavy forwarder, the macro definition here should be index=trustar.
  3. Push the app to the search head cluster using the command below:

$SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <SH_URI>:<management_port> -auth <username>:<password>

Note: The target should be the node selected as the captain. You can find the captain by running a cluster status command.
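
An added example, not part of the TruSTAR documentation: a pre-push check in Python that the index stanza from the first answer carries repFactor = auto and that the "trustar_get_index" macro from this answer selects the same index. The file contents are constructed samples, and the macro is assumed to follow the standard macros.conf layout (a [trustar_get_index] stanza with a definition key).

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)   # split once: values may contain "="
            current[key.strip()] = value.strip()
    return stanzas

def check_trustar(indexes_text, macros_text, index_name):
    """Return a list of problems; an empty list means both files agree."""
    problems = []
    stanza = parse_conf(indexes_text).get(index_name)
    if stanza is None:
        problems.append(f"indexes.conf: no [{index_name}] stanza")
    elif stanza.get("repFactor") != "auto":
        problems.append(f"indexes.conf: [{index_name}] repFactor is not auto")
    # Assumption: the macro lives in a [trustar_get_index] stanza with a
    # "definition" key, as in any standard macros.conf.
    macro = parse_conf(macros_text).get("trustar_get_index", {})
    match = re.fullmatch(r'index\s*=\s*"?([^"\s]+)"?', macro.get("definition", ""))
    if match is None or match.group(1) != index_name:
        problems.append(f"macros.conf: trustar_get_index does not select index={index_name}")
    return problems

# Constructed sample file contents (not taken from a real deployment).
GOOD_INDEXES = """[trustar]
homePath = $SPLUNK_DB/trustar/db
coldPath = $SPLUNK_DB/trustar/colddb
thawedPath = $SPLUNK_DB/trustar/thaweddb
repFactor = auto
"""
BAD_INDEXES = GOOD_INDEXES.replace("repFactor = auto\n", "")
GOOD_MACROS = "[trustar_get_index]\ndefinition = index=trustar\n"
STALE_MACROS = "[trustar_get_index]\ndefinition = index=main\n"

if __name__ == "__main__":
    print(check_trustar(GOOD_INDEXES, GOOD_MACROS, "trustar"))
    print(check_trustar(BAD_INDEXES, STALE_MACROS, "trustar"))
```

To use it against a real deployment, read the two files named in the steps above and pass their text to check_trustar along with the index name chosen on the heavy forwarder.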

Q. Am I able to configure custom fields for matches? For example, match only on TruSTAR's IPs or URLs, not everything?

This feature is currently not possible with TruSTAR's Splunk V1 app, however users can run custom search queries to . The new Splunk refresh, TruSTAR Splunk App V2, will be more configurable, and users will have the ability to select indexes for the app to search against.

Splunk V2 FAQs

Q. How will a new install affect old data already stored?

This does not affect the old data that is already stored. You can keep the old index along with its data. However, you do have to select a newly created index in the new setup when creating the modular input, so all new data will be collected in the new index.

The app will show only data collected in the new index.

Users must update macro “trustar_get_index” with index="

to get only new data considered in dashboard for the latest APP.
  1. What's the expected search load?
     This is difficult to quantify on an individual basis without testing (not done in POV). It can all be tailored and customized by the user. The end user has access to all the levers and buttons they need to pull or push to manage this load. The customer can also optimize the queries, if they are well-versed in the Splunk query language, and update them as they see appropriate.
  2. What type of data does this pull in?
     The Splunk app imports two core data types from our platform: technical Indicator of Compromise objects (e.g. IP addresses, email addresses, URLs, file hashes, file names, etc.) and Report objects (which have human-readable context).
  3. What does the polling interval affect? If we do it less frequently or more frequently, what is the cost-benefit?
     The larger the polling interval, the further from real time the Splunk instance will be relative to the TruSTAR enclaves the customer has elected to import from our platform. A smaller polling interval keeps the data closer to real time but consumes more API calls and increases the processing load on the Splunk instance. Our best practice recommendation is to keep our default polling intervals. Please note that keeping the data sync as close to real time as possible may only make sense in very specific use cases, and we work with our customers to fine-tune the polling interval based on their use case.
  4. What would you expect the daily ingest to be in MB/GB?
     It depends on the number of enclaves that data is being pulled from. One of our customers had a Splunk instance running for weeks in the cloud, importing from ~15+ enclaves, and the index's disk size is less than 100MB. In most normal scenarios the quantity of data ingested is likely to be on the order of single-digit MBs per day.
  5. How many scheduled searches should we expect to be run? How does that work for the TA and the App?
     By default our Splunk App has 30 scheduled searches that run 1-4 times/hr. Our best practice recommendation is to search TruSTAR data against the last 24-72 hours of log data, which can be fine-tuned based on the volume of the log data. Users can customize the frequency and timing of these searches. Some of the default searches can also be disabled based on the use case. For example, users may not care much about some of our IOC types, or may not see them as threats they monitor for (e.g. bitcoin addresses, reg keys, CVEs), so the searches that scan the customer's log data for IOCs of that type could be deactivated altogether, or set to run once per day or once per week. This customization is possible, and it does require the customer to have advanced Splunk expertise. We can work with our customers to fine-tune these operations.
  6. How does the ES App work differently?
     Our ES app works in tandem with our TruSTAR app. Notable events in ES are created when indicators from the TruSTAR platform are matched against any logs on Splunk.
