Splunk Notables & Alerts
  • 13 Mar 2025

Overview

The Splunk Notables and Alerts integration with DataBee enables security teams to forward notable events and alerts from Splunk to DataBee. This connection leverages Splunk’s event detection capabilities and DataBee’s centralized data lake to provide advanced correlation, entity resolution, and improved threat detection for enhanced security monitoring and response.

  • Splunk: A platform for searching, monitoring, and analyzing machine-generated data, capable of identifying critical security events through its Notable Events Framework and Alert Actions.

  • DataBee: A security fabric platform that ingests and analyzes data from multiple sources, addressing fragmented security landscapes and supporting organizations that run multiple Security Information and Event Management (SIEM) systems and other tools.

This integration allows seamless transmission of Splunk events into DataBee for deeper analysis and actionable insights.

Architecture

The integration follows a straightforward data flow connecting Splunk and DataBee:

  1. Splunk Enterprise identifies noteworthy security events using saved searches.

  2. Events are processed by the Notable Events Framework or Alert Actions.

  3. The DataBee app for Splunk forwards these notables or alerts to DataBee via the HTTP Collector.

  4. Data is ingested, processed, and stored in DataBee’s detection finding tables.

  5. Security teams can analyze and respond to these findings within DataBee’s Security Fabric platform.

Configuration

Prerequisites

  • A working Splunk instance (Splunk Enterprise or Splunk Cloud).

  • Access to the DataBee console with appropriate permissions.

  • Internet connectivity for HTTP Collector communication.

DataBee Setup

Follow these steps to configure DataBee to receive Splunk notables and alerts:

  1. Access the DataBee Console: Log in and navigate to Data > Data Feeds.

  2. Create a New Data Feed:

    1. Click + Add new Data Feed.

    2. Select Splunk Alerts (or Notables if using Splunk Enterprise Security).


  3. Choose Ingestion Method: Select HTTP Collector for near real-time data collection.


  4. Provide Feed Details:

    1. Enter a name for the data source (e.g., "Splunk Alerts Feed").

    2. Enter an owner’s email address.


  5. Retain Defaults: Keep the default settings for data format and tags.


  6. Generate API Key:

    1. Click Generate New API Key and save it securely for use in Splunk.


    2. Click Submit to create the feed.

  7. Copy Datasource ID:

    1. Go to Your Current Data Feeds, locate the Splunk Alerts feed card, and copy the datasource_ID.

  8. Obtain Tenant ID: Navigate to your Profile in DataBee and copy the tenant ID.


  9. Copy Endpoint URL: Go to the HTTP Collector tab within System Settings and copy the endpoint URL.


Splunk Setup

Follow these steps to configure Splunk to send notables and alerts to DataBee:

  1. Install the DataBee App:

    1. Download the DataBee app for Splunk from Splunkbase.

    2. Install it in your Splunk instance using the standard app installation process (compatible with Splunk Enterprise and Splunk Cloud).

  2. Configure the App:

    1. Open the DataBee app and go to the Configuration tab.

    2. Click Add and enter the following:

      1. API Key: From DataBee setup step 6.

      2. Datasource_ID: From DataBee setup step 7.

      3. Tenant ID: From DataBee setup step 8.

      4. Endpoint URL: From DataBee setup step 9.

  3. Select Alerts: Use the multi-select dropdown to choose the alerts or notables to send to DataBee.

  4. Save Configuration: Click Update to apply the settings.

How It Works

  • When a notable event or alert action is triggered in Splunk (based on the selected alert actions), the DataBee app sends the event data to DataBee via the HTTP Collector.

  • The data is transmitted in JSON format, including fields such as event ID, search name, and other metadata.

  • In DataBee, the data is stored in the detection finding table, where it can be queried, visualized, and correlated with other security data for deeper insights and response actions.
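The forwarding step described above, as an added Python sketch that is not the DataBee app's own code: it validates the four configured values, maps the payload Splunk hands a custom alert action on stdin to the JSON document that is sent, and POSTs it to the collector endpoint. The forwarded field names and the bearer-token header are assumptions, since the page does not document the HTTP Collector's schema.

```python
import json
import urllib.request

# The four values the DataBee app's Configuration tab asks for (DataBee setup steps 6-9).
REQUIRED_SETTINGS = ("api_key", "datasource_id", "tenant_id", "endpoint_url")

# Constructed sample of the JSON a Splunk custom alert action reads from stdin
# when a saved search fires (keys follow Splunk's alert-action payload layout).
SAMPLE_ALERT = {
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_1",
    "search_name": "Suspicious Login Burst",
    "app": "search",
    "owner": "admin",
    "result": {"_time": "1700000000", "src": "10.0.0.5", "user": "alice", "count": "42"},
}

def validate_config(cfg):
    """Return the names of required settings that are missing or empty."""
    return [k for k in REQUIRED_SETTINGS if not cfg.get(k)]

def build_finding(alert, cfg):
    """Map the Splunk payload to the document sent to DataBee (field names are assumptions)."""
    result = alert.get("result", {})
    return {
        "tenant_id": cfg["tenant_id"],
        "datasource_id": cfg["datasource_id"],
        # ES notables carry their own event_id; plain alerts fall back to the search job id.
        "event_id": result.get("event_id") or alert.get("sid"),
        "search_name": alert.get("search_name"),
        "app": alert.get("app"),
        "owner": alert.get("owner"),
        "event_time": result.get("_time"),
        "result": result,
    }

def forward(alert, cfg, opener=urllib.request.urlopen):
    """Validate the config, then POST the finding as JSON; returns the HTTP status.
    The bearer-token header is an assumption; `opener` is injectable for offline tests."""
    missing = validate_config(cfg)
    if missing:
        raise ValueError("incomplete DataBee configuration, missing: " + ", ".join(missing))
    body = json.dumps(build_finding(alert, cfg)).encode()
    req = urllib.request.Request(cfg["endpoint_url"], data=body, method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Bearer " + cfg["api_key"]})
    resp = opener(req, timeout=10)
    try:
        return resp.status
    finally:
        resp.close()
```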

Verification

To ensure the integration is working correctly:

  1. Trigger a Test Event in Splunk:

    1. Run a test search in Splunk that generates a notable event or alert (e.g., a saved search with an alert action).

  2. Check DataBee:

    1. In the DataBee console, navigate to the detection finding table.

    2. Verify that the event data appears with fields like event ID, search name, and other metadata.

  3. Review the DataBee Splunk App Logs for any errors. Search: “index=*_internal* sourcetype=ta_databee_log”

Benefits

  • Centralized Data Lake: Consolidates security events for advanced correlation and entity resolution across multiple sources.

  • Improved Threat Detection: Enhances visibility and analysis of threats with DataBee’s powerful analytics.

  • Seamless Event Transmission: Automatically forwards Splunk notables and alerts to DataBee for streamlined security monitoring and response.
