How to install the Netskope Add-on/app for Splunk

These instructions have been updated for Netskope Add-on For Splunk version 4.0.1.

Create a Splunk.com Account (if you don’t have one)

Visit Splunk.com and create your account first. You need a Splunk user account to install an add-on.
https://www.splunk.com/page/sign_up

Install the Netskope Add-on For Splunk

  1. Log in to your Splunk instance and click the + Find More Apps link.
  2. Type Netskope in the search box and press Enter, and then click Install next to Netskope Add-on For Splunk.
  3. Enter the username/password you created previously and click Login and Install.
    Note that this is NOT the account you used to log in to the Splunk instance.
  4. Click Restart Now and wait a couple of minutes for the Splunk service to restart (the browser should let you know when it’s complete).

Configure your Netskope Tenant in Splunk

  1. Log in to your Splunk instance again and open the add-on you installed.
  2. Click the Apps dropdown and select Netskope Add-on For Splunk.
  3. In the Account tab, click Add on the far right.
  4. In the Add Account window, enter your tenant information and click Add.

    • Make sure you are running the LATEST version of Netskope Add-on For Splunk (v4.0.1, released 2024-10-24).

    • Account Name can be any unique name.

    • Hostname should be like <tenant-name>.goskope.com

    • Token V1 should be left blank. REST API v1 is being deprecated and should not be used (it is currently required only for fetching Client events, which will move to REST API v2 in 2025).

    • Token V2 should be used; REST API v2 will continue to be supported. Generate a REST API v2 token from Settings > Tools > REST API v2. For the required token scopes, review the Supported Tokens and Required Permissions section on Splunkbase: https://splunkbase.splunk.com/app/3808#/details.
  5. If you are seeing Input Type as an option, you have an outdated version and should upgrade the Netskope Add-on For Splunk before proceeding.

Configure Alerts, Events, and Web Transactions (Add Inputs)

Alerts

  1. Go to the Inputs tab and click Create New Input in the upper-right, and then select Alerts (Iterator).
  2. In the Add Alerts(Iterator) window, enter this information:
    • Name can be any unique name, but using <tenant-name>_alerts helps differentiate the input from _events and _webtransactions, which will be created later.
    • Index can be left as default, unless you have custom indexes configured in Splunk.
    • Netskope Account should be the tenant account created previously.
    • Start DateTime and Start EndTime can be left blank.
    • Alert Types can be left as All or individual alert types can be selected by clicking into the field.
    • Refine Data can only be configured if a single alert type is selected. An Alerts (Iterator) input would need to be created for each alert type that needs fields filtered.
  3. Click Add and wait for the window to close. If there are any missing API token permissions, you will see an error with additional details, and the input will not be added. Fix the API token permissions, return to this page, and click Add again.

Events

  1. Go to the Inputs tab, click Create New Input in the upper-right, and then select Events (Iterator).
  2. In the Add Events(Iterator) window, enter this information:
    • Name can be any unique name, but using <tenant-name>_events helps differentiate the input from _alerts and _webtransactions.
    • Index can be left as default, unless you have custom indexes configured in Splunk.
    • Netskope Account should be the tenant account created previously.
    • Start DateTime and Start EndTime can be left blank.
    • Event Types can be left with all the event types selected. Click the x next to any event types that should not be fetched.
    • Refine Data can only be configured if a single event type is selected. An Events (Iterator) input would need to be created for each event type that needs fields filtered.
  3. Click Add and wait for the window to close. If there are any missing API token permissions, you will see an error with additional details, and the input will not be added. Fix the API token permissions, return to this page, and click Add again.

Web Transactions

You must be licensed for Event Streaming (a.k.a. Web Transactions v2 or WebTx v2) to fetch these logs from the Netskope tenant, and additional API token permissions are required (detailed in the Splunkbase documentation).

  1. Go to the Inputs tab, click Create New Input in the upper-right, and then select Web Transactions V2.
  2. In the Add Web Transactions V2 window, enter this information:
    • Name can be any unique name, but using <tenant-name>_webtransactions helps differentiate the input from _alerts and _events.
    • Index can be left as default, unless you have custom indexes configured in Splunk.
    • Netskope Account should be the tenant account created previously.
    • Idle Connection Timeout can be left at the default 600.
    • Max Webtxn Files can be left at the default 1000.
    • Refine Data can be configured as needed to include or exclude fields.
  3. Click Add and wait for the window to close. If there are any missing API token permissions, you will see an error with additional details, and the input will not be added. Fix the API token permissions, return to this page, and click Add again.

Confirm Inputs are Enabled

Review the Inputs table and ensure the status shows as Enabled for newly created inputs.

Confirm Data Ingestion

  1. Go to the Search tab and enter the following search:
    index=main source=netskope*

  2. Press Enter, or click the magnifying glass on the far right.
  3. Review the results below the search bar, which should contain alerts, events, and/or web transactions.
  4. On the left side, in the Selected Fields list, click on source to review which types of alerts and events have been ingested.
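As an added check that is not part of the original instructions, the following search builds on the one above: instead of clicking through the source field, it counts what each Netskope input has delivered and flags any source that has not produced data in the last 60 minutes (a stale token or a missing API permission usually shows up here first). It assumes the default index=main and the source names the add-on assigns; adjust both if you use custom indexes.

```spl
index=main source=netskope*
| stats count AS event_count, latest(_time) AS last_seen BY source
| eval minutes_since_last=round((now() - last_seen) / 60, 0)
| eval status=if(minutes_since_last > 60, "STALE", "OK")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - minutes_since_last
```

A source that appears in the Inputs table as Enabled but never shows up in this output has not ingested anything yet; recheck the token scopes for that input type.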

Install the Netskope App For Splunk Dashboard

  1. Log in to your Splunk instance and click the + Find More Apps link.
  2. Type Netskope in the search box and press Enter, and then click Install next to Netskope App For Splunk.
  3. Enter the username/password for the Splunk account you created previously, and click Login and Install.
    Note that this is NOT the account you used to log in to the Splunk instance.
  4. Click Open the app to see the dashboard.
  5. The Dashboard opens.
  6. Select the add-on/app from the Apps dropdown.