Getting Started


Last updated 11 months ago


Here is how to get started with Scanner for Splunk, which lets you index your logs in S3 at low cost and search them at high speed directly from within Splunk.

1. Ensure that you have logs in an S3 bucket

Using tools like Vector.dev, Cribl, or other log pipeline tools, you can store your logs in S3 instead of sending them directly to Splunk.

Many tools, like CrowdStrike Falcon Data Replicator and the GitHub audit log streaming system, can write logs directly to your S3 buckets.

Once you have logs in your S3 buckets, you can start to index them with Scanner. We support JSON, CSV, Parquet, and plaintext log files. No need to transform them first. Just point Scanner at your raw log files.

2. Configure Scanner to index these logs in your S3 bucket

Following the S3 integration guide, configure Scanner to index these logs in S3. This allows search queries to execute at high speed even as data volumes reach hundreds of terabytes or petabytes.

3. Install the "Scanner for Splunk" app into your Splunk instance

Option 1: Install directly from within Splunk

  1. In your Splunk instance, navigate to Apps > Manage apps.

  2. Click Browse more apps.

  3. Search for Scanner for Splunk.

  4. Click on the Install button.

Option 2: Download from Splunkbase and upload the file to your Splunk instance

  1. Visit the Scanner for Splunk page in Splunkbase and download the app. It will be downloaded to your desktop as a .tgz file.

  2. In your Splunk instance, navigate to Apps > Manage apps.

  3. Click Install app from file.

  4. Choose the .tgz file you downloaded earlier.

4. Configure the "Scanner for Splunk" app

After you install the Scanner for Splunk app, you will be prompted to set up the app for the first time. If you proceed, you will be directed to the configuration page.

If you need to view the configuration page again later, simply click on Scanner for Splunk in the app sidebar. Also, you can navigate to Apps > Manage apps, find the Scanner for Splunk row, and click the Set up link there.

Within the Scanner for Splunk configuration page in Splunk, add the API URL of your Scanner instance, and add API keys. You can find your API URL and API keys by visiting Scanner and navigating to Settings > API.

Each API key is assigned to a Splunk role. Within Scanner, you can configure the RBAC permissions of API keys, giving them varying permissions to indexes and detection rules in Scanner.

When a user runs a Scanner command, it will run with the combined permissions of all of the API keys of the user's roles.

API keys are stored in Splunk's storage passwords feature, as required by Splunk Cloud. As a result, each Splunk role that has an API key assigned must have the list_storage_passwords capability. Otherwise, the role will not be able to read the API key stored in Splunk's storage passwords feature, and Scanner commands run by users in that role will not have the permissions of that key.
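To see how the role-to-key mapping, Scanner's RBAC, and the list_storage_passwords requirement combine into a user's effective access, here is an added example that models that resolution. It is not code from the Scanner for Splunk app; it assumes one API key per Splunk role, a key's Scanner permissions expressed as a set of searchable indexes plus a detection-rule flag, and a role without list_storage_passwords contributing nothing because it cannot read its key. The roles and keys are constructed sample data.

```python
"""Resolve a Splunk user's effective Scanner permissions from their roles.

Assumed model (illustrative, not the app's own code):
  - each Splunk role has at most one Scanner API key assigned;
  - each key carries the index and detection-rule permissions granted
    to it in Scanner's RBAC settings;
  - a role can only use its key if it holds list_storage_passwords;
  - a user's commands run with the union of all readable keys' permissions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

REQUIRED_CAPABILITY = "list_storage_passwords"


@dataclass(frozen=True)
class ApiKey:
    name: str
    indexes: FrozenSet[str]     # Scanner indexes this key may search
    detection_rules: bool       # whether the key may manage detection rules


@dataclass(frozen=True)
class SplunkRole:
    name: str
    capabilities: FrozenSet[str]
    api_key: Optional[ApiKey] = None   # None: no Scanner key assigned


# Constructed sample configuration (not from any real deployment).
ROLES: Dict[str, SplunkRole] = {
    "soc_analyst": SplunkRole(
        "soc_analyst",
        frozenset({"search", REQUIRED_CAPABILITY}),
        ApiKey("key-soc", frozenset({"cloudtrail", "vpcflow"}), False),
    ),
    "detection_engineer": SplunkRole(
        "detection_engineer",
        frozenset({"search", REQUIRED_CAPABILITY}),
        ApiKey("key-det", frozenset({"cloudtrail"}), True),
    ),
    "audit_reader": SplunkRole(
        "audit_reader",
        frozenset({"search"}),   # misconfigured: capability missing
        ApiKey("key-audit", frozenset({"_audit"}), False),
    ),
    "user": SplunkRole("user", frozenset({"search"})),  # no key at all
}


def resolve(user_roles: Sequence[str],
            roles: Dict[str, SplunkRole] = ROLES
            ) -> Tuple[FrozenSet[str], bool, List[str]]:
    """Return (searchable indexes, may manage rules, roles whose key is unreadable)."""
    indexes = set()
    manage_rules = False
    unreadable: List[str] = []
    for role_name in user_roles:
        role = roles[role_name]
        if role.api_key is None:
            continue
        if REQUIRED_CAPABILITY not in role.capabilities:
            # The key exists in storage passwords, but this role cannot list it.
            unreadable.append(role_name)
            continue
        # Permissions are unioned across every readable key the user holds.
        indexes |= role.api_key.indexes
        manage_rules = manage_rules or role.api_key.detection_rules
    return frozenset(indexes), manage_rules, unreadable


def roles_missing_capability(roles: Dict[str, SplunkRole] = ROLES) -> List[str]:
    """Audit helper: roles that have a key assigned but cannot read it."""
    return sorted(
        name for name, role in roles.items()
        if role.api_key is not None and REQUIRED_CAPABILITY not in role.capabilities
    )


if __name__ == "__main__":
    for membership in (["soc_analyst"], ["soc_analyst", "detection_engineer"],
                       ["audit_reader"], ["user"]):
        idx, rules, bad = resolve(membership)
        print(f"{membership}: indexes={sorted(idx)} rules={rules} unreadable={bad}")
    print("roles needing list_storage_passwords:", roles_missing_capability())
```

The union semantics are the point to keep in mind when assigning keys: a user who belongs to both soc_analyst and detection_engineer ends up with every index either key can search and with detection-rule management, so scope each role's key to the narrowest set of indexes that role actually needs.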

5. Execute scanner and scannertable search commands from within Splunk

Start executing search queries against your high-volume logs in S3 by using the scanner and scannertable custom search commands. These commands are available system-wide.

The commands take a parameter q, which must be a query written in Scanner's query language.

The query is executed against Scanner's ad hoc queries API. By default, the API returns the most recent 1000 results in descending timestamp order.

Follow along for more information about running Scanner search commands in Splunk.

[Figure: Set the API URL and assign API Keys to roles]