# Create Input

## (optional) Create a new index
If you do not wish to create a new index, skip to
Splunk stores data in indexes. This add-on may be configured to send to a custom event index instead of the default index, main. For more information and steps to create a new index, see Splunk Docs: Create events indexes.

## Purpose for creating a new index

The out-of-the-box Splunk configuration stores all data in the default index, main. Creating a dedicated index is encouraged: it helps ensure optimal performance, lets you set retention policies for this data separately, and allows stricter access controls on it. For more information about how Splunk indexes work with add-ons, see Splunk Docs: Add-ons and indexes.
# Create Account
- From Splunk Web, navigate to this app (CrowdStrike Falcon Identity Protection).
- Click the "Configuration" tab and then click "Add."
- Provide a unique name (no spaces) and the API Credentials.
- (optional) Configure proxy.
# Create Input
- On the "Inputs" tab click "Create New Input."
- Provide a unique name (no spaces).
- Enter a time interval in seconds or a valid cron schedule.

  Note: Data collection may take a few hours, so it is recommended to set an interval that runs once per day, e.g. `3 3 * * *`. This five-field cron schedule (minute, hour, day-of-month, month, day-of-week) runs once per day at 3:03 am.

- Select the index, Cloud Environment, and the Account that was just set up.
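The interval step accepts either a number of seconds or a five-field cron schedule. The following Python script is an added example, not code from this add-on or from Splunk: it checks a schedule's field count and value ranges before the schedule is pasted into the input form, and computes the next firing time so the operator can confirm the schedule really means "once per day at 3:03 am". It also catches the common slip of copying a six-field expression (from schedulers that include a seconds field). The function names and the reference time in it are my own, not taken from the page.

```python
"""Validate a five-field cron schedule and compute its next run time.

Added example (not part of the CrowdStrike add-on or of Splunk). Splunk
modular inputs take a standard five-field cron expression:
    minute hour day-of-month month day-of-week
This helper rejects malformed schedules and shows when a schedule fires next.
"""
from datetime import datetime, timedelta

# Allowed value ranges per field, in cron field order.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]
FIELD_NAMES = ["minute", "hour", "day-of-month", "month", "day-of-week"]


def _expand_field(spec: str, low: int, high: int, name: str) -> set:
    """Expand one cron field ('*', '3', '1-5', '*/15', '1,15') into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_str = part.split("/", 1)
            if not step_str.isdigit() or int(step_str) < 1:
                raise ValueError(f"bad step in {name} field: {spec!r}")
            step = int(step_str)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            if not (a.isdigit() and b.isdigit()):
                raise ValueError(f"bad range in {name} field: {spec!r}")
            start, end = int(a), int(b)
        elif part.isdigit():
            start = end = int(part)
        else:
            raise ValueError(f"bad value in {name} field: {spec!r}")
        if not (low <= start <= end <= high):
            raise ValueError(f"{name} value out of range {low}-{high}: {spec!r}")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(expr: str) -> list:
    """Parse a five-field cron expression into five sets of allowed values.

    Raises ValueError on the wrong field count, the usual mistake when a
    schedule is copied from a tool whose cron syntax has a leading seconds field.
    """
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError(
            f"expected 5 fields (minute hour dom month dow), got {len(fields)}: {expr!r}"
        )
    return [
        _expand_field(spec, low, high, name)
        for spec, (low, high), name in zip(fields, FIELD_RANGES, FIELD_NAMES)
    ]


def is_valid_cron(expr: str) -> bool:
    """True if `expr` is a well-formed five-field cron schedule."""
    try:
        parse_cron(expr)
        return True
    except ValueError:
        return False


def next_run(expr: str, after: datetime) -> datetime:
    """Return the first minute strictly after `after` that matches the schedule.

    Cron numbers the week with 0 = Sunday; Python's weekday() has Monday = 0,
    so it is shifted. As in classic cron, day-of-month and day-of-week are
    OR-ed only when both are restricted, otherwise AND-ed.
    """
    minutes, hours, doms, months, dows = parse_cron(expr)
    dom_restricted = doms != set(range(1, 32))
    dow_restricted = dows != set(range(0, 7))
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # bounded scan; at most one year ahead
        cron_dow = (t.weekday() + 1) % 7
        if dom_restricted and dow_restricted:
            day_ok = t.day in doms or cron_dow in dows
        else:
            day_ok = t.day in doms and cron_dow in dows
        if t.month not in months or not day_ok:
            # Whole day cannot match: jump to the next midnight.
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
            continue
        if t.hour in hours and t.minute in minutes:
            return t
        t += timedelta(minutes=1)
    raise ValueError(f"schedule never fires within a year: {expr!r}")


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0)  # constructed reference time
    print("3 3 * * *   ->", next_run("3 3 * * *", now))
    print("3 3 * * * * ->", "valid" if is_valid_cron("3 3 * * * *") else "rejected (6 fields)")
```

Run it before saving the input: a schedule that prints the expected next run is safe to paste into the form, and a rejected one is fixed here rather than after the first missed collection.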