Workspot Configuration Guide for Splunk

Introduction

You can monitor Workspot Control events via Splunk using the Workspot Splunk App. This provides similar information to that presented on the Workspot Events page.

Splunk support is a standard Workspot feature. 

Installing Splunk

To install a Splunk server on the computer of your choice, follow the instructions at https://www.splunk.com.

The instructions below assume that you are using Splunk Enterprise, and the screenshots are from the Windows version.

Using the Workspot SIEM API with Splunk

See the Workspot Splunk/SIEM API User Guide.

Downloading the Workspot Splunk App

  • In Workspot Control, go to “Setup > Splunk > Plug-ins” and click the “Download” button to download the Workspot Splunk app (Workspot.spl) to the local system on which you’ve installed Splunk.

Note: This page also contains the three fields you will need to configure Splunk on your local device. It also has a “Reset Security Credentials” button that will invalidate the old Key ID and Secret Key and generate new ones.

Configure Splunk

  • Import Workspot.spl into Splunk:

    • In Splunk, go to “Apps > Upload app > Install App from File.”

    • Browse to your Downloads directory and select workspot.spl.

    • Hit “Upload” to import the Workspot Splunk App into Splunk.

  • Uploading Workspot.spl adds it to the Apps List.

  • Go to “Settings > Data > Data Properties.”

  • Find “Workspot”; it probably isn’t on the first page. Then click “Workspot > +Add New.”

  • The “Add Data” form appears. Fill it out as follows:

    • Name: Choose a meaningful name; for example, “Workspot Control.”

    • Endpoint host: This is the “URL” field listed in Control under “Setup > Splunk.”

    • Key ID: This is the “Key ID” field in “Setup > Splunk.”

    • Secret Key: This is the “Secret Key” field in “Setup > Splunk.”

    • You can leave the other fields at their defaults.

    • Click “Next>”

  • Splunk is now configured to receive data from Workspot Control.

Testing

Once configured, data will begin transferring to your local Splunk installation.

  • Go to the Splunk homepage and click “Search Your Data.”

  • On the Search page, type “logged in” to see the last few Control login records.

Data Format Summary

Data is transferred from Workspot Control to Splunk in JSON format. The fields used in individual entries can be seen from within Splunk; for example, on the “Extract Fields” page, by setting “Source Type” to “Uncategorized > Workspot.”

This will show examples of Control’s actual messages.

The basic format for an event record is:

{
      "eventType" : "Admin" | "User" | "Desktop",
      "eventName" : event_name,
      "Severity" : "Info" | "Error",
      "dateTime" : date_time,
      "username" : readablefirstlastname,
      "email" : uniqueemailid,
      "description" : description,
      "location" : location,
      "Event specific Field1" : Value1,
      "Event specific Field2" : Value2,
      . . .
},
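
As an added example (not part of the Workspot guide or the Workspot Splunk App), the following Python code checks a record against the base format above, separates the event-specific fields, and reports anything that deviates, which is useful before writing alerts that depend on these fields. The sample records, the eventName value, the dateTime format and the clientVersion field are constructed for illustration.

```python
import json

# Base fields and allowed values, taken from the record format above.
BASE_FIELDS = ("eventType", "eventName", "Severity", "dateTime",
               "username", "email", "description", "location")
ALLOWED = {"eventType": {"Admin", "User", "Desktop"},
           "Severity": {"Info", "Error"}}

# Constructed sample records (not real Workspot output). The eventName value,
# dateTime format and "clientVersion" field are assumptions for illustration.
SAMPLES = [
    '{"eventType": "User", "eventName": "Login", "Severity": "Info", '
    '"dateTime": "2024-01-01T00:00:00Z", "username": "Example User", '
    '"email": "user@example.com", "description": "User logged in", '
    '"location": "Example City", "clientVersion": "1.0"}',
    '{"eventType": "Robot", "eventName": "Login", "Severity": "Error"}',
]


def parse_event(raw):
    """Return (base fields, event-specific fields, list of problems)."""
    try:
        record = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {}, {}, [f"invalid JSON: {exc.msg}"]
    if not isinstance(record, dict):
        return {}, {}, ["top-level value is not a JSON object"]
    base = {k: record[k] for k in BASE_FIELDS if k in record}
    # Anything outside the base set is treated as an event-specific field.
    extra = {k: v for k, v in record.items() if k not in BASE_FIELDS}
    problems = [f"missing field: {k}" for k in BASE_FIELDS if k not in base]
    for name, allowed in ALLOWED.items():
        value = base.get(name)
        if name in base and (not isinstance(value, str) or value not in allowed):
            problems.append(f"unexpected {name}: {value!r}")
    return base, extra, problems


if __name__ == "__main__":
    for raw in SAMPLES:
        base, extra, problems = parse_event(raw)
        print(base.get("eventName"), sorted(extra), problems)
```
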

Here is an example of a Client record: