Splunk FAQs

Updated 5 months ago by Elvis Hovor

1. Do I enter the TruSTAR configuration in the TruSTAR add-on or in the main TruSTAR app?

    The configuration belongs to the TruSTAR Add-on. Once configured, the add-on starts pulling data from our API and indexes it in Splunk.

2. Will our technology add-on work with a Universal Forwarder?

    Our Technology Add-on requires a heavy forwarder if you are deploying in a cluster setup. The Universal Forwarder does not come bundled with Python or a user interface, both of which are required to set up our Technology Add-on. Splunk needs Python to connect to our REST API and do some pre-processing on the response; Universal Forwarders cannot connect to a REST API and process data before it is indexed.

    Splunk documentation for upgrading to a Heavy Forwarder, in case that's of interest: https://docs.splunk.com/Documentation/Forwarder/7.0.0/Forwarder/Upgradeauniversalforwardertoaheavyforwarder

3. Since we have a clustered environment, I installed the TruSTAR add-on on the master cluster node, but it didn't get installed on the cluster peers.

    So, do I need to install it manually in the cluster node's $SPLUNK_HOME/etc/master-apps and then apply the bundle? Or do I need to install it manually on every cluster indexer?

    The TruSTAR Add-on won't get installed automatically on cluster peers. Perform the following steps on the Cluster Master:

    1. Copy the extracted TA_trustar folder into $SPLUNK_HOME/etc/master-apps.
    2. Verify the index stanza in $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf (it must have the same name as the index selected in the modular input on the heavy forwarder).
    Below is the example stanza for index=trustar. Here repFactor = auto is critical, as it replicates this index to all peers.

    [trustar]
    coldPath = $SPLUNK_DB/trustar/colddb
    enableDataIntegrityControl = 0
    enableTsidxReduction = 0
    homePath = $SPLUNK_DB/trustar/db
    maxTotalDataSizeMB = 512000
    thawedPath = $SPLUNK_DB/trustar/thaweddb
    repFactor = auto

4. Do I need to install the TruSTAR app on all search heads?

    Yes, you need to install the TruSTAR app on all search heads. However, users do not have to perform this step manually on each search head. Follow the steps below on the Search Head Deployer:

    1. Copy the extracted TA_trustar and Trustar App folders into $SPLUNK_HOME/etc/shcluster/apps.
    2. If you selected an index other than the default in the modular input configuration on the heavy forwarder, modify the macro definition of "trustar_get_index" in $SPLUNK_HOME/etc/shcluster/apps/Trustar/default/macros.conf (otherwise skip to the next step).
    For example, if you selected an index named "trustar" in the modular input on the heavy forwarder, the macro definition here should be index=trustar.
    3. Push the apps to the search head cluster using the command below:

    $SPLUNK_HOME/bin/splunk apply shcluster-bundle -target <SH_URI>:<management_port> -auth <username>:<password>

    Note: The target should be the node currently elected as captain. You can find the captain by running a cluster status command.
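As an added illustration of the two cluster steps above (the index stanza the Cluster Master pushes to peers in question 3, and the trustar_get_index macro edit on the Search Head Deployer in question 4), here is a small POSIX shell helper. It is not part of the TruSTAR add-on or app: it assumes only the standard Splunk .conf layout (a [stanza] header followed by key = value lines), and the sample indexes.conf and macros.conf contents it writes are constructed for the demonstration, not copied from the TruSTAR app.

```shell
#!/bin/sh
# Added example (not TruSTAR's or Splunk's own code): check that an index
# stanza will be replicated to cluster peers, and point the trustar_get_index
# macro at the index chosen in the modular input. Assumes standard Splunk
# .conf syntax: "[stanza]" headers followed by "key = value" lines.

# Print the value of KEY in the [STANZA] section of a .conf file (nothing if absent).
conf_get() {
    # $1 = conf file, $2 = stanza name, $3 = key
    awk -v stanza="[$2]" -v key="$3" '
        $0 == stanza { in_stanza = 1; next }
        /^\[/        { in_stanza = 0 }
        in_stanza && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed only if indexes.conf has a [INDEX] stanza with repFactor = auto,
# i.e. the Cluster Master will replicate the index to every peer.
check_index_replicated() {
    # $1 = indexes.conf path, $2 = index name (must match the modular input)
    [ "$(conf_get "$1" "$2" repFactor)" = "auto" ]
}

# Rewrite the definition line of [trustar_get_index] in macros.conf so the
# app searches INDEX; every other stanza and key is left untouched.
set_macro_index() {
    # $1 = macros.conf path, $2 = index name
    tmp="$1.tmp.$$"
    awk -v idx="$2" '
        /^\[trustar_get_index\]/ { in_macro = 1; print; next }
        /^\[/                    { in_macro = 0 }
        in_macro && /^[ \t]*definition[ \t]*=/ { print "definition = index=" idx; next }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample files so the example runs stand-alone. On a real cluster
# the paths are $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf and
# $SPLUNK_HOME/etc/shcluster/apps/Trustar/default/macros.conf.
write_sample_confs() {
    # $1 = directory to write into
    cat > "$1/indexes.conf" <<'EOF'
[main]
homePath = $SPLUNK_DB/defaultdb/db

[trustar]
coldPath = $SPLUNK_DB/trustar/colddb
homePath = $SPLUNK_DB/trustar/db
thawedPath = $SPLUNK_DB/trustar/thaweddb
maxTotalDataSizeMB = 512000
repFactor = auto

[trustar_local]
homePath = $SPLUNK_DB/trustar_local/db
repFactor = 0
EOF
    cat > "$1/macros.conf" <<'EOF'
[trustar_get_index]
definition = index=main
iseval = 0

[some_other_macro]
definition = index=main
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_confs "$dir"
    for idx in trustar trustar_local; do
        if check_index_replicated "$dir/indexes.conf" "$idx"; then
            echo "[$idx] has repFactor = auto: peers will receive it"
        else
            echo "[$idx] is NOT replicated: fix repFactor before applying the bundle"
        fi
    done
    set_macro_index "$dir/macros.conf" trustar
    echo "trustar_get_index now: $(conf_get "$dir/macros.conf" trustar_get_index definition)"
    rm -rf "$dir"
}

demo
```

Run it against your real files by calling check_index_replicated on the master-apps indexes.conf with the index name from the modular input, and set_macro_index on the shcluster copy of macros.conf before you apply the search head bundle; an index that is not replicated to every peer leaves searches from the app incomplete on a cluster.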

5. Am I able to configure custom fields for matches? For example, match only on TruSTAR's IPs or URLs rather than everything?

    This feature is not currently possible with TruSTAR's Splunk V1 app; however, users can run custom search queries to . The Splunk refresh, TruSTAR Splunk App V2, will be more configurable, and users will have the ability to select the indexes the app searches against.

6. Does this app store data in Splunk, i.e. will it consume license and storage?

    The TruSTAR app will consume storage; this is standard for threat intelligence applications that let you match intel against your local Splunk instance. The TruSTAR platform differs from the competition by focusing on high-value IOCs that have been submitted by other analysts, so users will not be receiving large volumes of data.

    Each TruSTAR report is approximately 10KB (it could be smaller or larger depending on the amount of context in the report, but should not differ significantly).
    A daily download of IOCs should be around 250-500KB (depending on how much data is available in your enclave and the community).

7. How do I find out if a TruSTAR app search is consuming a lot of Splunk memory?

    This Splunk knowledge base document explains how to identify your top memory-consuming searches: http://docs.splunk.com/Documentation/Splunk/7.0.0/Troubleshooting/Troubleshootmemoryusage

8. The "export PDF" function in the TruSTAR app on Splunk doesn't appear to work. How can I export a report?

    The Splunk application does not allow the full download of a PDF in the format we have in the app. As a workaround, please use your browser to save the report; this guarantees that the full report is downloaded with a similar appearance.

9. I receive the authentication error "Authentication Failed ! Please verify URL, API key, and Secret Key of TruSTAR to Connect." when configuring the TruSTAR App.

    1. Check that all your credentials are entered correctly.
    2. Verify that you have read and write access to the enclave you selected.
    3. Check whether your firewall is blocking traffic from TruSTAR.

10. If I have Splunk ES, can I incorporate data from the TruSTAR app into ES?

    Currently the TruSTAR app does not have a native integration with Splunk ES. Version 2 of the TruSTAR app will have this capability.

Splunk V2 FAQs

1. A user has an older version of the TruSTAR Splunk app. Do they need to do a clean install of the new V2 app?

    Yes, to get the full functionality of the new V2 app, users need to perform a clean install.

2. How do I perform a clean install?

    Steps to install the new TA and App:

    1. Delete the old app and add-on from the backend: go to $SPLUNK_HOME/etc/apps/ and remove TA-trustar and Trustar.
    2. Restart Splunk.
    3. Install the latest builds of both the TA and the App, either from the UI or from the backend.
       Install from UI: go to Apps -> Manage Apps, click the "Install App from file" button, select the latest build of the TA and install it. Repeat the same steps for the main App.
       Install from backend: copy both builds under $SPLUNK_HOME/etc/apps/ and extract them.
    4. Restart Splunk.

    Note: After successful installation, follow the TA configuration section in the TruSTAR knowledge base. Create a new index, assign it in the Modular Input, and also update the macro as described in the documentation.

3. How will this affect the old data already stored? Will that need to be deleted?

    This does not affect the old data that is already stored; you can keep the old index along with its data. However, you must select a newly created index in this new setup when creating the Modular Input, so all new data will be collected in the new index.

    The app will show only data collected in the new index.

    Users must update the macro "trustar_get_index" with index=" so that only new data is considered in the dashboards of the latest App.
