Splunk Search

Community Platform

runZero integrates with Splunk using a dedicated Splunk Addon, compatible with Splunk 7, Splunk 8, and Splunk Cloud. With this add-on, you’ll be able to pull new or updated hosts into a Splunk index, where you’ll be able to analyze, visualize, and monitor them there.

This add-on uses the Splunk API from the runZero Network Discovery platform. It supports syncing assets into Splunk, with multiple inputs supported, global API key management, and optional search filters for each input. For example, you can track new assets as one input, and SMBv1 enabled assets as another input.

To set up this add-on, you’ll need an Export API or Organization API key, which you can generate from your Organization page in the runZero Console.

Get the runZero add-on for Splunk

  1. Log in to Splunk.
  2. Go to Find More Apps.
  3. Search for runZero Network Discovery.
  4. Install the add-on for runZero.
  5. Splunk will prompt you to log in again. After you log back in again, the add-on will be installed. You’ll be able to open the runZero Asset Sync app. Splunk might also prompt you to restart your server.

Asset sync modes

Two asset sync modes are available: New Assets Only and All Updated Assets. You can export asset inventory that contains newly discovered assets or updated assets, since the last poll, in a sync-friendly format for Splunk. You can leverage the same capabilities from the Asset Sync API to pull data in Splunk, such as search filters, fields, and time-based checkpoints.

Once data is pulled into Splunk, you can create Splunk inputs with filters. This allows you to sync specific assets with a certain protocol, discovery date, or open service.