SplunkCloud Configuration

If you can add an Azure Sentinel Data Connector and Workbook in the future, that would be great. In the meantime, I'm trying to set up 1PW Events Reporting for SplunkCloud and am stuck. These instructions are not working for me. https://support.1password.com/events-reporting-splunk/#configure-the-scripted-input

Specifically at this step, Click Settings in the Splunk bar and choose “Data inputs”, then select Scripts from the list.

There is nothing called "Scripts" on the "Data inputs" page. What do I need to do to finish the configuration?

Thanks



Comments

  • Hi @kurtd,

    Our Integrations team will be happy to assist with this. Please send an email to support@1password.com using the email address associated with your 1Password account. After you send the email, feel free to post the ticket number you receive so we can locate your message and connect it with this Community discussion.

  • kurtd
    Community Member
    edited September 2021

    I would rather have an answer on here but I can try to open a support ticket. At this point, I'm thinking it has something to do with using Splunk Cloud instead of Splunk Enterprise.

  • @kurtd,

    I think you may be correct that setup with Splunk Cloud versus Splunk Enterprise may be a major factor in those instructions not lining up. Apologies for missing that initially. As our 1Password Events Reporting experts work through email, I do recommend using our contact form to reach out, so they can lend a hand here: https://support.1password.com/contact/

  • Christian_XYZR
    Community Member

    @kurtd, what would you try to read out in Splunk there? (Event?) Or is this mainly for storage reasons?

  • aarmas
    Community Member

    Hello - were you able to find a solution to this? We're running into the same issue.

  • ag_max
    edited January 2022

    Hi @aarmas,

    You can find both of our support articles for configuring 1Password Events Reporting with Splunk below (one of them brand new). Please give the one that corresponds with your setup a try:

    Get started with 1Password Events Reporting and Splunk Enterprise or Splunk Cloud Victoria Experience

    Get started with 1Password Events Reporting and Splunk Cloud Classic Experience

  • Kishorekumar
    Community Member

    Hi, is there an Azure Sentinel Data Connector available to stream the event logs into Sentinel for 1Password? If not, what alternative ways are available?

  • Hi @Kishorekumar. While there isn't currently a specific integration for Azure Sentinel, you can use our Events Reporting API to build your own client and run and pull data into your SIEM. More on that here.

  • aarmas
    Community Member

    Hello again - I'm curious if anyone has been able to successfully set this add-on up with Splunk Cloud Victoria (no on-prem instance).

    We are still not able to ingest data into Splunk. I've tried starting back from scratch - uninstalling both the Splunk app in 1Password as well as uninstalling the Events and Reporting app in Splunk.

    Indexing on main, or any custom index, is not successful. I've also noticed that in the custom dashboards, it is including a sourcetype, but when I look into the available source types in our Splunk settings "1password:insights:item_usages" or "1password:insights:signin_attempts" Are these supposed to be created automatically?

    There was also no mention of a data input in the configuration steps. Am I missing this step?

  • Hi @aarmas,

    Sorry about the continued trouble - let's get you in contact with our integrations team via email. Be sure to send an email to support@1password.com using the email address associated with your 1Password account. After you do that, please feel free to post the ticket number you receive so we can locate your message and connect it with this Community discussion.

  • aarmas
    Community Member

    Thanks for the reply @ag_max.

    I actually have a (very stale) request for this issue with 1Password support. I've sent 4 replies since Dec 16th and unfortunately have not received any response since then.

  • Hi @aarmas,

    When you emailed us in December, you would have received a unique Support ID, which looks like: [#ABC-11222-555].

    Can you take a look at your emails and reply to this thread with the Support ID you find? I'll then work to get you in contact with our team after that. :+1:

  • aarmas
    Community Member

    Great, thanks for the quick reply @ag_max. The request ID is [#YXT-68762-765].

  • Perfect, thanks for sharing that ID, @aarmas. I've notified our Integrations team internally, and they'll respond to you via email as soon as they're available. Thanks for your patience.

This discussion has been closed.