
Splunk TA Install with Default Input

udiptaroy
New Contributor

We are installing the Saviynt TA to our client's Splunk Cloud instance. The Splunk admin team wanted to check if the inputs can be disabled within the default inputs.conf. The reason for this is that if it were to be installed with those inputs enabled, it could disrupt the input on the heavy forwarder.


DixshantValecha
Saviynt Employee

I appreciate you reaching out to the Saviynt forums.

Refer to the following documentation link for a detailed explanation of the integration between Saviynt and Splunk:

https://docs.saviyntcloud.com/bundle/Splunk-Guide/page/Content/Understanding-the-Integration-between... 

udiptaroy
New Contributor

Hi DixshantValecha,

Thanks DixshantValecha for the reply. We have the integration, but the inputs cannot be left at the default because, with the inputs enabled, it could disrupt the input on the heavy forwarder.

Rishi
Saviynt Employee

The steps defined in the Splunk add-on (Saviynt TA) document are applicable to an on-prem Splunk Enterprise implementation. This add-on was developed by the Saviynt community and was verified by Saviynt; however, this add-on is not an out-of-the-box product offering. You can review the supported version and other details at the start of the Splunk integration guide: https://docs.saviyntcloud.com/bundle/Splunk-Guide/page/Content/About-this-Guide.htm


For SIEM integration, Saviynt provides a solution by exposing the APIs to transfer the application audit logs. The customer can invoke the API from the respective SIEM solution (including Splunk) and collect the audit logs. Refer to the following document on solution design and API details: https://docs.saviyntcloud.com/bundle/EIC-Admin-v2021x/page/Content/Chapter20-EIC-Integrations/Saviyn...
 
To answer the initial question: as long as Splunk is able to invoke the Saviynt APIs (with any configuration required in Splunk), it will work. So if you want to disable the default input and pass those inputs through the forwarder, you can try and see if that works in Splunk.

Rishi
Saviynt Employee

Hi udiptaroy, please confirm if the above response answers your question. Also let us know if you have any follow-up questions.

Falcon
Saviynt Employee

@udiptaroy I can help with providing the add-on without the default input. Please note that this is a collaboration request as we enhance our add-on to be compatible with Splunk Cloud.
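
A pre-install check for the concern raised in this thread, as an added example that is not part of the original posts or of the Saviynt add-on: it parses an `inputs.conf` and lists the input stanzas that would start enabled. The stanza names in the sample are constructed, every non-`[default]` stanza is assumed to be an input, and only `1`/`true` are treated as disabled so that anything ambiguous gets flagged for review.

```python
import re

# Constructed sample; stanza names are hypothetical, not the Saviynt TA's.
SAMPLE_INPUTS_CONF = """\
[default]
interval = 300

[script://$SPLUNK_HOME/etc/apps/example_ta/bin/collect.py]
interval = 60

[example_modinput://audit]
disabled = 1

[monitor:///var/log/example.log]
disabled = false
"""

# Assumption: only these values count as "disabled"; anything else is flagged.
DISABLED_VALUES = {"1", "true"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas = {"default": {}}
    current = "default"  # settings before any header are global defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.*)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def enabled_inputs(text):
    """Return stanzas that would start collecting as soon as the app loads."""
    stanzas = parse_conf(text)
    inherited = stanzas["default"].get("disabled", "0")
    return [
        name for name, settings in stanzas.items()
        if name != "default"
        and settings.get("disabled", inherited).lower() not in DISABLED_VALUES
    ]

if __name__ == "__main__":
    for stanza in enabled_inputs(SAMPLE_INPUTS_CONF):
        print("enabled by default:", stanza)
```

Run it against the `default/inputs.conf` extracted from the add-on package before installation; an empty result means no input starts on its own.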