Note: This release of the Canary Splunk Add-on and App can be obtained as per step 2 below.

Any unexpected behaviour or issues can be reported to our support team at support@canary.tools.

Your Canary Console can easily integrate with Splunk. In this article, we'll walk you through installing the integration.

Follow the steps below to install both the App and the Technology Add-on (TA). As a pre-requisite, you'll need an API key and your Console's hostname.

Optional: If you would like to adjust the default index, click here to jump to the steps required.

Where do I install the Add-on and App?:

The Add-on is independent from the App and is responsible for the logic as well as data collection from your Console. This is generally installed on your heavy forwarder with internet access (direct or via a proxy server), where it will collect and forward data to your indexer tier.

The app is used for monitoring and provides a dashboard built from search macro's. The app is dependant on the add-on and both will need to be installed on your search head tier.

Note: Splunk 9.2 and higher are required for the new Canary integration.

Step 1: Log in to your Splunk console

Head over to the "Find More Apps" menu.

Step 2: Installing the Canary Add-on and App

Search for the Thinkst Canary App and Thinkst Canary Add-on.

Install both via the links provided.

Step 3: Configuring the Add-on

Once installed, we can head over to the Add-on configuration.

Here we can configure the add-on to fetch data from your Console.

Select the Configuration tab, then the Add button.

A window will appear where you need to enter the details of your Canary Console.

Account Name: Enter an identifier for your Console which we will later use to reference the connection.

Console Name: Enter your Console's domain hash.

API Key: Insert your Console's API key.

Note: Your Console's domain hash and API key can be found in your Console's global settings. Further reading on where to locate the details can be found here.

Once complete click the "Add" button.

Step 4: Enabling data inputs

Head over to the Inputs tab, here we'll enable the inputs and edit each one to make use of the Console connection.

Select each input and edit the Index if necessary, then select the account name that we created previously.

Note: Remember to do this for each data input to ensure you are collecting all data.

Once complete enable each input to start collecting data.

Step 5: Configuration for incidents after ingestion

By default, when incident data is ingested, the incident will remain unacknowledged at your console. You can change this setting to Acknowledge incidents at your Console or Delete incidents from your Console.

These settings are useful in keeping your Console clean, especially if you receive a lot of incidents and don't visit the Console often. Select Acknowledge incidents at your Console if you would want to keep the incidents save on the console (under acknowledged incidents) otherwise select Delete incidents from your Console.

You can change this setting when setting up the input for Incidents. Simply select the preferred setting from the After ingestion dropdown.

Step 6: Configuring the App

Next it's time to configure the app, so head over to the App configuration section again.

Under configuration, you'll need to enter your Console settings again.

Console Name: Enter your Console's domain hash.

API Key: Insert your Console's API key.

Once complete, click the "Save Configuration" button.

Step 7: Viewing Data

To start browsing data, select the Apps drop-down menu, then select the Thinkst Canary App to view the dashboard.

Note: It may take some time to populate data into the dashboard, and perform the initial sync. If you don't have any data after a couple of hours, contact our support team at support@canary.tools for assistance.