Indexing Splunk with Voracity The external unstructured data preparation and PII data masking for Splunk generated interest in these capabilities, IRI wanted to develop a direct integration from the Splunk user interface (UI). This article covers a new IRI Voracity add-on for Splunk that indexes data from different Voracity workflows. It also works for constituent CoSort SortCL job script executions, such as IRI NextForm for providing replicated data, or IRI RowGen for providing test data, directly in Splunk. Recall that Splunk Security is a great indexing and visualization platform, but it lacks the power to process many forms of data or to de-identify it with certain methods important to CISOs. By embedding the power of Voracity into Splunk’s intuitive UI, you can directly inject data into Splunk that’s been pre-processed and protected in IRI job scripts or workflows. Installing the IRI Voracity Add-on for Splunk Download this archive, which contains python scripts, Splunk files, and sample IRI job scripts. Copy the iri_cosort folder from the extracted archived into your splunk etc/apps/ folder.
To verify the installation of the add-on in Splunk, click Settings > Data Inputs. Browse to IRI and see that parameter entry screen. That’s it. Your IRI data input module is now ready for use, and you can start indexing data prepared in IRI Voracity (CoSort SortCL job) scripts directly into Splunk. Working Example You can use any IRI job script with your new Splunk Input Module, but for this example, we want to demonstrate how easy it is to encrypt a set of data and then index it into Splunk.