The Splunk integration provides DivvyCloud the ability to send notification messages to your Splunk indexes, and is compatible with all DivvyCloud resources. As an example, you can send high priority security alerts when noncompliant Security Group rules are provisioned, such as SSH open to the world.
For general information about Integrations (editing and deleting) refer to the Integrations Overview page.
1. Get Access Points for Your Splunk Instance
a. Access your Splunk instance.
b. Note the name of your Splunk instance. In the example below, the instance name is 'splunk.divvycloud.net'.
c. Note also your username and password for that instance.
2. Update DivvyCloud
a. Access your DivvyCloud instance; navigate to the Integrations page (under Administration on the navigation menu).
b. Select Edit on the Splunk card.
c. Enter your Splunk credentials:
1) The instance URL (from 1b.)
2) Your username
3) Your password
4) Your port - the Management Port of your Splunk instance. The default value is 8089.
5) The protocol (or scheme) - the protocol used to communicate with your Splunk instance. HTTPS/SSL is enabled by default in Splunk, but verify that this is the case for your own Splunk instance before selecting it.
d. Save your credentials. You should receive a message (in green), confirming you have successfully saved the settings.
3. Improve Your Messages with Jinja2 Templating
Once your setup is complete, you can improve your messages with Jinja2 templating. See Jinja2 for details.
After successfully setting up Splunk, you can now use the DivvyCloud Splunk action within your Bot configurations. In the example shown below, you can specify the Splunk index where you’d like the events to go, as well as the message sent for each event.
If the index of your choosing isn’t on the server, one will be created for you and all the events will go to that index. For more information on creating an index, refer to the Splunk documentation.
Once you’ve run your bot with the Splunk action, go to your Splunk Instance window and view your indexes. You can now see all the noncompliant resources that DivvyCloud found, and see they are logged as events in that Splunk index.
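Before entering the access point into DivvyCloud (step 1 and step 2c) and picking an index for the Splunk action, it helps to confirm that the management port answers over HTTPS with your credentials and whether the index already exists, since DivvyCloud silently creates a missing one. The following is an added example, not DivvyCloud or Splunk code; it assumes Splunk's REST API on the management port (`/services/data/indexes` with `output_mode=json`) and uses the instance name from the page. The `SAMPLE_RESPONSE` is constructed so the parsing runs offline.

```python
"""Check a Splunk management access point and target index before wiring up DivvyCloud.
Added example (not DivvyCloud or Splunk code). Assumes Splunk's REST API on the
management port (default 8089, HTTPS) and its JSON output mode."""
import base64
import json
import ssl
import urllib.request


def management_url(instance: str, port: int = 8089, scheme: str = "https") -> str:
    """Build the base management URL; defaults mirror the integration form (8089, HTTPS)."""
    if scheme != "https":
        raise ValueError("use HTTPS for the management port; plain HTTP exposes credentials")
    host = instance.split("://", 1)[-1].rstrip("/")  # accept a bare name or a full URL
    return f"{scheme}://{host}:{port}"


def parse_index_names(body: str) -> set:
    """Extract index names from a /services/data/indexes?output_mode=json response."""
    doc = json.loads(body)
    return {entry["name"] for entry in doc.get("entry", [])}


def fetch_index_names(base_url: str, username: str, password: str, cafile: str = None) -> set:
    """List indexes over the management port with basic auth and certificate verification."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/services/data/indexes?output_mode=json&count=0",
        headers={"Authorization": f"Basic {token}"},
    )
    ctx = ssl.create_default_context(cafile=cafile)  # verify the Splunk server certificate
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_index_names(resp.read().decode())


def index_exists(index: str, names: set) -> bool:
    """True if the index DivvyCloud will write to is already present on the server."""
    return index in names


# Constructed sample, shaped like Splunk's JSON output for the indexes endpoint.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "main", "content": {"disabled": False}},
        {"name": "divvycloud", "content": {"disabled": False}},
    ]
})

if __name__ == "__main__":
    base = management_url("splunk.divvycloud.net")
    names = parse_index_names(SAMPLE_RESPONSE)  # live: fetch_index_names(base, user, password)
    print(base, index_exists("divvycloud", names), index_exists("security_alerts", names))
```

Run it against the live server by replacing the sample with `fetch_index_names(base, username, password)`; a certificate error at that point means the HTTPS setting in step 2c needs attention, not that the credentials are wrong.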