
Install and manage the Code42 app for Splunk

Available in:

Standard, Premium, Enterprise
Small Business
Overview

This tutorial explains how to install, manage, and uninstall the Code42 app for Splunk. Splunk is a solution for data analytics, monitoring, and visualization. The Code42 app for Splunk adds Code42-specific dashboards to Splunk Enterprise or Splunk Cloud.

If instead you want to integrate Code42 APIs directly with your Splunk Enterprise, see Code42 API integration with Splunk Enterprise.

For a description of dashboards in the Code42 app for Splunk, see Code42 app for Splunk reference.

Considerations

  • The Code42 app for Splunk version 3.0 has been tested and verified with Code42 version 6.x and later, but can also be used with 5.x and 4.x versions. For information about earlier versions of the app, see Previous versions.
  • To use the Code42 app for Splunk version 3.0, you must have an existing Splunk Enterprise 6.6 or later environment or a Splunk Cloud environment.
  • The device(s) used to run Splunk and the Code42 app for Splunk must have network access to the Code42 server on default port 4285 (HTTPS). Non-secure HTTP access to the Code42 server on port 4280 is not supported by the Code42 app for Splunk.
  • Code42 cannot provide technical support for Splunk. Contact Splunk support for help with Splunk.

Before you begin

Prepare a user account in your Code42 environment for configuring the Code42 app for Splunk. This user is used to authenticate and access data in your Code42 environment.

  • Permissions: The Code42 app for Splunk returns data based on the permission level of the role assigned to this user. For an on-premises authority server, the user should have the SYSADMIN role to provide access to data for your entire Code42 environment. For Code42 cloud environments, the user must have the Customer Cloud Admin role. If your user’s role has more restrictive permissions, we recommend testing the user permissions to confirm that they can access the desired data.
  • Licensing: As a best practice, we recommend creating a user in your Code42 environment that is exclusively used to configure your Code42 app for Splunk. This way, configuration of your Code42 app for Splunk isn’t tied to a particular individual. Users without a Code42 app archive will not consume a license.

Install the Code42 app for Splunk

Available apps

Following are the Code42 apps available on Splunkbase.

  • Code42 for Splunk: The core Code42 app for Splunk. Provides dashboards displaying information about your Code42 environment.
  • Input Add-On for Code42 App for Splunk: Provides Splunk inputs for Code42 environment data.
  • TA for Code42 App For Splunk: (Optional) Technology add-on that fetches additional data about your Code42 environment and indexes it. You can then search the data using Splunk search.

Step 1: Download and install the Code42 app for Splunk

Splunk Enterprise

  1. Download the "Code42 for Splunk" install file from Splunkbase. 
  2. Start Splunk Enterprise.
  3. On your Splunk Enterprise home page, click the Apps button.
  4. Click Install app from file.
  5. Select the Code42 app for Splunk install file.
  6. Click Upload.
  7. Click Restart Now to restart Splunk Enterprise.
  8. Repeat these steps to download and install the "Input Add-On for Code42 App for Splunk".

Splunk Cloud

  1. Start Splunk Cloud.
  2. On your Splunk home page, click the Apps button.
  3. Click Browse more apps.
  4. In the Browse More Apps panel, search for "Code42".
  5. Click Install on "Code42 for Splunk".
  6. On the Login dialog, enter your Splunk username and password and click Login and Install.
  7. On the Complete dialog, click Open the App.
  8. Repeat these steps to download and install the "Input Add-On for Code42 App for Splunk".

Step 2: Configure the Code42 app for Splunk

  1. After installing the "Input Add-On for Code42 App for Splunk", on the Install successful dialog, click Set up now.

    The Application Configuration panel appears.
  2. Click Create New Code42 Input.

  3. Enter connection information for an authority server or Code42 cloud from which you want to receive input:

    1. In the Modular Input Name field, type a name to give this data input.

    2. In the Hostname and port field, enter the full hostname or IP address with the HTTPS port number.
      The default port is 4285. The HTTP protocol (port 4280) is not supported by the Code42 app for Splunk.

    3. In the Username and Password fields, enter the credentials of the Code42 platform user that you want to use to authenticate.
      The username and password are added as a credential on the Credentials tab on the Application Configuration panel.

    4. Leave the Toggle All Data Keys field checked to enable all the available Data Keys.

    5. In the Interval(s) field, enter the interval, in seconds, at which to retrieve data from the authority server. The default is 900 (15 minutes).

    6. In the Index field, leave the field empty to have the Code42 app for Splunk use the default main index, or select another Splunk index where you want the Code42 app for Splunk data to reside.

    7. If your Code42 environment uses a proxy server, select it in the Proxy Name field. You must first create a proxy before you can select it here.

    8. Click Save changes.

    9. Click Close.

  4. Click Save on the Application Configuration tab.
  5. If you use Splunk Enterprise, stop and start Splunk.
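
The Hostname and port value from step 3 can be checked from the Splunk host before any credentials are saved. The following is an added example, not part of the Code42 app or this tutorial's original text: it rejects the unsupported plain-HTTP port 4280 and then performs a TLS handshake with certificate and hostname verification. The function names and the host authority.example.com are assumptions made for illustration.

```python
import socket
import ssl
import sys

HTTPS_PORT = 4285  # default HTTPS port named on this page
HTTP_PORT = 4280   # plain-HTTP port the app does not support


def parse_host_port(value):
    """Validate a 'host:port' value before it goes into the input dialog."""
    value = value.strip().rstrip("/")
    if "://" in value:
        scheme, _, value = value.partition("://")
        if scheme.lower() != "https":
            raise ValueError("scheme %r is not HTTPS" % scheme)
    host, sep, port_text = value.rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError("expected host:port, got %r" % value)
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError("port %d is out of range" % port)
    if port == HTTP_PORT:
        raise ValueError("port %d is plain HTTP; use the HTTPS port (default %d)"
                         % (HTTP_PORT, HTTPS_PORT))
    return host.strip("[]"), port  # brackets removed from IPv6 literals


def check_tls(host, port, timeout=5.0):
    """Complete a TLS handshake with certificate and hostname verification."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return {"protocol": tls.version(),
                    "cert_not_after": tls.getpeercert().get("notAfter")}


def preflight(value):
    """Return (ok, detail); never raises for bad input or network failure."""
    try:
        host, port = parse_host_port(value)
        return True, check_tls(host, port)
    except (ValueError, OSError) as exc:  # ssl.SSLError subclasses OSError
        return False, "%s: %s" % (type(exc).__name__, exc)


if __name__ == "__main__":
    # Constructed sample value; pass the real host:port as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "authority.example.com:4285"
    ok, detail = preflight(target)
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

Run it on the device that runs Splunk so that it exercises the same network path, and any proxy or firewall rules, that the input will use.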

Step 3: Test the Code42 app for Splunk

  1. Start Splunk Enterprise or start Splunk Cloud.
  2. Click the Splunk logo in the upper left corner to access the Splunk home page.
  3. Click the Code42 app for Splunk button.
  4. Explore the data generated by the panels.
    See Code42 app for Splunk reference for an overview of the panels.

Lookups
Because Splunk lookups occur once an hour to gather data from the Code42 environment, after installation, it may take up to two hours before Code42 data is populated in some dashboard panels. Until data is populated, you may see the following error message in a dashboard panel:
Error in 'lookup' command: Lookups: The lookup table '<name>' does not exist or is not available.

Manage the Code42 app for Splunk

Create an input

If you have more than one authority server or Code42 cloud instance from which you want to gather data, create a new input that points to each authority server or Code42 cloud account.

  1. From the menu bar in the Code42 app for Splunk, select Administration > Application Configuration.
  2. Click Create New Code42 Input.
  3. Follow the directions in the configuration steps above and enter the new authority server information in the Hostname and port field.

Create a proxy

If you have a proxy server for your authority server, create a proxy configuration so that the Code42 app for Splunk can connect to the authority server through the proxy.

  1. From the menu bar in the Code42 app for Splunk, select Administration > Application Configuration.
  2. Click Create New Proxy.
    The Create New Proxy dialog appears.
  3. In the Proxy name field, type a name to give this proxy.
  4. In the Host field, type the full hostname or IP address of the proxy server.
  5. In the Port field, type the port number of the proxy server.
  6. In the Username and Password fields, enter the credentials of the user authorized to access the proxy server.
    The username and password are added as a credential to the Credentials tab on the Application Configuration panel.
  7. Select Use SSL? if the proxy server uses an SSL certificate.
  8. Click Save changes.
  9. Click Close.
  10. Click Save on the Application Configuration tab.
  11. If you use Splunk Enterprise, stop and start Splunk.

Create a credential

Every time you create an input or create a proxy, the login username and password are added as a credential to the Credentials tab on the Application Configuration panel. If you need to use a different username and password for login, you can create a new encrypted credential and assign it to an input or proxy.

  1. From the menu bar in the Code42 app for Splunk, select Administration > Application Configuration.
  2. Click Create New Credential.
    The Create New Credential dialog appears.
  3. In the Username and Password fields, depending on your setup, enter the credentials of the admin user authorized to access either the authority server or proxy server.
  4. Leave the Realm field empty and apply the new credential to an input or proxy as described later in this set of steps.
  5. Click Save changes.
  6. Click Close.
  7. Click the Credentials tab.
    The new credential appears on the tab.
  8. Copy the credential name. It typically appears as "code42_<number>". This is the credential realm ID.
  9. Apply the new credential realm ID to an input or proxy.

To an input

  1. At the bottom of the panel, select the Code42 tab and find an input for which you want to change credentials.
  2. Delete the entry in the Credential Realm field.
  3. Paste the new credential realm ID into the Credential Realm field.
  4. Click the Disabled or Enabled toggle at the top of the input to enable the change.

To a proxy

  1. At the bottom of the panel, select the Proxy Configurations tab and find a proxy for which you want to change credentials.
  2. Delete the entry in the Credential field.
  3. Paste the new credential realm ID into the Credential field.

  10. Click Save on the Application Configuration tab.
  11. If you use Splunk Enterprise, stop and start Splunk.

Troubleshoot the Code42 app for Splunk

Troubleshooting considerations

  • Data may not appear in the panels immediately. Rather, data will update at scheduled intervals. The scheduled intervals are configured to avoid overloading your authority server with requests.
  • If data for a panel is missing, confirm that the Code42 environment user account has the necessary permissions to view that data within your Code42 environment.

Application Health Overview dashboard

For information about the status of the Code42 app for Splunk, see the Application Health Overview dashboard. This dashboard displays information on errors for the Code42 app for Splunk.

Logs within Splunk Enterprise

The Code42 app for Splunk updates log files that contain useful information for troubleshooting, including error messages and security warnings. For Splunk Enterprise installations, the log files are located at:

<path-to-splunk>/var/log/splunk/Code42ForSplunk

The path to your Enterprise Code42 app for Splunk installation varies by operating system. See the Splunk Enterprise documentation for more information about installation and logging.

Support

If you need support for the Code42 app for Splunk, contact our Customer Champions for Code42 for Enterprise support.

Our Customer Champions cannot provide technical support for Splunk. Contact Splunk support for help with Splunk.

Splunk Answers

Splunk Answers is a community forum where Splunk users can post questions and get answers about Splunk usage. Go to the following URL to get help with the Code42 app for Splunk:

https://answers.splunk.com/app/questions/2850.html

Upgrade the Code42 app for Splunk

When a new version of the Code42 app for Splunk is released, perform the following steps to upgrade.

Splunk Enterprise

  1. Download the latest version of the Code42 app for Splunk from Splunkbase.
  2. From your Splunk Enterprise home page, click the Apps button.
  3. Click Install app from file.
  4. Select the following check box: Upgrade app. Checking this will overwrite the app if it already exists.
  5. Select the new Code42 app for Splunk install file you downloaded from Splunkbase (Code42ForSplunk-version-build.spl).
  6. Click Upload.
  7. Click Restart Now to restart Splunk Enterprise and complete the installation.
  8. Repeat these steps for the "Input Add-On for Code42 App for Splunk".

Splunk Cloud

  1. From your Splunk home page, click the Apps button.
  2. On the Apps panel, browse to the row for the Code42 app for Splunk.
    If there is a later version of the app available, an Update link appears on the row. 
  3. Click Update.

Uninstall the Code42 app for Splunk

Splunk Enterprise

Uninstalling removes existing Code42 data
Part of uninstalling the Code42 app for Splunk involves deleting the cache, which removes all existing Code42 data from Splunk. 

If you have data in Splunk that no longer exists in your Code42 environment, it will be lost. To preserve this information, export the Splunk data before uninstalling the Code42 app for Splunk.

  1. Open a terminal window (Linux or OS X) or command prompt (Windows) on your Splunk Enterprise server.
  2. Run the following command to stop Splunk Enterprise:
    <path-to-splunk>/bin/splunk stop
  3. Remove the app:
    • Run the following command to remove the Code42 app for Splunk:
      <path-to-splunk>/bin/splunk remove app Code42ForSplunk
    • Run the following command to remove the "Input Add-On for Code42 App for Splunk" app:
      <path-to-splunk>/bin/splunk remove app IA-Code42ForSplunk
    • Run the following command to remove the "TA for Code42 App For Splunk" app:
      <path-to-splunk>/bin/splunk remove app TA-Code42ForSplunk
  4. Restart Splunk.
    The Code42 app for Splunk no longer appears in the Splunk user interface.

Splunk Cloud

  1. From the Splunk home page, click the Apps button.
  2. On the Apps panel, browse to the row for the Code42 app for Splunk.
  3. Click the Disable link.

Next steps

For an overview of the Code42 app for Splunk user interface, see Code42 app for Splunk reference.

Release history for the Code42 app for Splunk

Current version

Version 3.0

November 2017

Code42 app for Splunk created by Aplura: www.aplura.com 

Previous versions

Version of Code42 app for Splunk and the Code42 environment version it supports:

  • Version 2.2 Code42 app for Splunk: Code42 environment version 5.3.x
  • Version 2.1 Code42 app for Splunk: Code42 environment version 5.1.x
  • Version 1.1 Code42 app for Splunk: Code42 environment versions 4.2.x and 5.0.x

Version 2.2

May 2017

Numerous performance and stability improvements, including:

  • Better error handling.
  • Improvements to logging.
  • More accurate event counts.
  • Optimized event processing, especially for large numbers (10,000+) of events.
  • If a storage server is unavailable, the app now requests events from any other available storage server.
  • Corrects a recent issue which prevented the complete set of security events collected for archives stored in the Code42 cloud from being imported to Splunk. 

Version 2.1.1

May 2016

  • Corrects an issue in which some administrators were unable to view security events in provider storage environments.

Version 2.1

November 2015

  • Support for new features in Code42 server version 5.1, including file content pattern matching, file upload detection and other endpoint monitoring events.
  • Other enhancements for security and stability.

Version 1.1

October 2015

  • Performance and stability improvements.

Version 1.0

August 2015

  • Initial release.