Splunk® InfoSec App

Installation Guide

Access and install additional apps and add-ons to use the InfoSec app for Splunk

You must install the following supporting Splunk apps and add-ons from Splunkbase before you can use the InfoSec app for Splunk:

Optionally, you can also install the following three apps and add-ons:

The Splunk Security Essentials (SSE) app includes hundreds of additional security searches that you can integrate into the Splunk InfoSec App. The SSE app also includes comprehensive guided data on-boarding examples that can help identify the data sources required to enable the security controls and assist in the configuration of the underlying data source.

The third-party Alert Manager app and Alert Manager add-on provide an incident management capability with simple workflows to support the management of triggered alerts from within the Splunk InfoSec app.

For more information on installing and configuring the SSE app, see the Splunk Security Essentials app documentation. For more information on installing and configuring the Alert Manager app, see the Alert Manager documentation.

You can install any of these apps within Splunk Cloud except the Splunk Common Information Model (CIM) app.

Access the additional apps or add-ons

Follow these steps to access the additional app or add-ons in your Splunk Cloud or Splunk Enterprise environment:

Steps

  1. Log into your Splunk environment with an account that has administrative privileges.
  2. In Splunk Web, select the App menu in the menu bar.
  3. Click Find More Apps.
  4. Type the name of the app or add-on in the search bar.
    The app is listed as one of the available apps for installation.

Install the additional app or add-on

Follow these steps to install the additional app or add-on in your Splunk Cloud or Splunk Enterprise environment:

  1. In your Splunk platform instance, click Install next to the additional app or add-on name.
  2. Log in with the credentials that you use to log in to the Splunk Support Portal on www.splunk.com website or Splunkbase.
  3. Confirm that the additional app or add-on is installed by selecting the app or add-on from the app menu.

You are ready to configure the InfoSec app. Proceed to confirm the health of the Splunk Infosec app. See Confirm the health of the Splunk InfoSec app.

Troubleshooting display issues on dashboards due to Sankey and Punchcard apps

Issue

If you are installing the Splunk app for InfoSec for the first time and you are on a Splunk on-premise or Splunk Cloud (Classic or Victoria experience), you might see display issues with some dashboards. For example, the default charts on the Security Posture dashboard might display an error indicating that the Punchcard application is not installed.

Cause

Dashboard visualizations for the Splunk app for Infosec depend on the Sankey and Punchcard apps. However, the Sankey and Punchcard visualization apps are no longer supported and do not appear on Splunkbase. These apps are not displayed in the Splunk UI for Managing Apps and therefore, you can't automatically install the apps.

Solution

You can manually install the Sankey and Punchcard visualization apps.

This workaround exists only for Splunk on-prem or Splunk Cloud (Classic) experience.

Install Sankey and Punchcard apps manually

Follow these steps to install the Sankey and Punchcard apps manually:

Use this procedure if you are on Splunk on-prem or Splunk Cloud (Classic) experience. If you are on Splunk Cloud (Victoria) experience, you won't be able to install these visualization apps due to validation issues.


  1. Download the Sankey and Punchcard apps from the Splunkbase archive. Use the following links on Splunkbase to download the Sankey and Punchcard apps:
  2. Save the downloaded .spl or .tgz file.
  3. Login to Splunk Web and select the Apps gear icon.
  4. Go to Apps and then select Manage apps.
  5. Select Install app from the file.
  6. Select Upload app.
  7. Enter your splunk.com account credentials such as username and password.
    Splunk Cloud Platform uses these credentials to authenticate using AppInspect.
  8. Select Agree and Login to confirm that you accept the specified license conditions.
  9. Select your app package and then select Upload. This displays the installation success dialog and the app appears in the Uploaded Apps table.
  10. Restart your Splunk instance.
  11. Go to Manage Apps in Splunk Web and check if the app is listed.
    This verifies that the installation was completed successfully.
Last modified on 14 March, 2025
Troubleshoot access to the InfoSec app for Splunk   Collect data from data sources to use the InfoSec app for Splunk

This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters