Splunk

ABOUT

Splunk is a powerful tool for searching and exploring data. It can help predict, identify, and solve problems related to business, information technology (IT), DevOps, and security in real time.

Features include:

Indexing source data from websites, applications, servers, databases, operating systems and more
Obtaining data feeds via both push and pull methods
Searching data to create reports and powerful dashboard panels
Configuring alerts to notify when searches meet configured conditions
Creating dashboards to visualize results from completed searches and data from real‑time background searches
Generating reports from saved searches or adding reports to dashboards. Reports can be run on an ad hoc basis or scheduled to run on regular intervals. Scheduled reports can also generate alerts.

Prerequisites

All users requesting Splunk access must first have access to Zscaler. For instructions on the process, refer to the Zscaler

Requesting a Splunk User Role (Obtaining a User Role)

The following steps provide instructions for requesting a Splunk user role:

Step 1: If you do not yet have a HARP account or an EIDM or EUA account, click here to sign up for a HARP account.

Step 2: Once your HARP account has been created, log in to HARP and request a QualityNet Splunk entitlement via a HARP User Role.

Select Request a Role in HARP from the HARP homepage.

On the Select a Program page, select QualityNet-Splunk
On the Select an Organization page, select your Contract name (for contractors) or CMS Federal Employee (for CMS Federal employees)

Don't see your organization listed?

On the Select Roles page, select a QualityNet Splunk user role (choose one)
- Splunk_SO
- Splunk_User
Click the Submit button
Enter your reason for requesting the selected role in the Request Reason text field.
Click the Submit button

Step 3: The organization's Security Official reviews and approves/denies the user role request. You will be notified via email that your request has been submitted, and again when your role has been approved or denied.

Step 4: Connect to the QualityNet network via Zscaler using your HARP Credentials. To obtain information on accessing Zscaler, please follow this link Zscaler Access, and click on the Get Started Tab to view the steps for requesting Zscaler.

Step 5: Log into Splunk https://inf-219c4c7d8.hcqis.org:8000/ using your HARP credentials.

Requesting Application Log Ingestion or Splunk App Request

The following steps provide instructions for requesting application logs be ingested into a Splunk index to search and analyze data as well as create alerts, reports, and dashboards:

Step 1: Login to ServiceNow at https://cmsqualitysupport.servicenowservices.com/ using your HARP credentials.

Step 2: Locate Cloud request:

Type “catalog” in the Filter Navigator
Select IT Services Catalog
Select Cloud
Select Other Cloud Services
Select Other Cloud Services Request
Select Contract Name, Priority, and Need by date
For Service Request Details, provide information including the following:

Hostnames, Hostname match, or IP range for inputs to be deployed
Application log directories to be ingested (Splunk user on hosts must have read access to directories/logs)
Index name to be used or created for ingestion
Users or group required access to index
If requesting a new Splunk add-on or application, please specify the name
Upon completion of the request, please verify data is being ingested and accessible

SPLUNK DASHBOARDS

The Splunk App for AWS offers a variety of dashboards to that provide insight into your AWS data by providing an overview of your AWS Environment including configuration changes, usage, and security.

Splunk dashboards can be configured by the HIDS DevOps team for your application. Please use one of the following methods to request a Splunk dashboard:

Email: ServiceCenterSOS@cms.hhs.gov
Phone: 866-288-8914
Message the DevOps Slack channel: #help-devsecops
Open a Miscellaneous ServiceNow Request in the self-service portal: https://cmsqualitysupport.servicenowservices.com/sp_ess

ADDITIONAL RESOURCES

Additional information can be found at https://splunkbase.splunk.com/

Splunk - Removing Data (tutorialspoint.com )

FAQs

General

What is Splunk?

Splunk is the data collection backbone for security operations to create a unified, interoperable security operations capability across all data centers.

Access

What are the requirements for requesting access?

User(s) must have valid qualnet AD accounts. Splunk is not currently integrated with HARP or any other SSO provider.

How do I log into Splunk?

Log into Splunk at https://splunkaws.hcqis.org:8000/ using your HARP credentials

You must be connected to Zscaler before logging into Splunk

Need Help ?

Please contact one of the following:

CCSQ Support Central: Provides you with multi-program support to submit a new ticket, and track the status of an existing case, incident, or request. No login required. https://cmsqualitysupport.servicenowservices.com/ccsq_support_central

Find us on Slack #help-devsecops. Slack is monitored Monday through Friday, 8:00am - 6:00pm.
For assistance with HARP, please contact the CCSQ Service Center at:
- Phone: (866) 288-8914 (TRS:711)
- Slack: #help-service-center-sos
- Email: ServiceCenterSOS@cms.hhs.gov
- Hours of Operation: 24/7