Censys Search App for Splunk
The Censys Search App for Splunk enables rapid enrichment of logs with the most up-to-date information on public hosts and certificates.
This guide will help you:
Install the Censys Search App in your Splunk environment
Configure the Censys Search app
Use the Censys Search command to enrich Splunk logs by IP address
Splunkbase: Censys Search App for Splunk
Search App Prerequisites
Your Censys Search API key and secret.
A Splunk account and installation.
Install the Censys Search App for Splunk
Install from Splunkbase
From the Splunk main page, click the + Find More Apps button in the sidebar.
Type “Censys” in the search bar.
On the results page, find the “Censys Search for Splunk” app card and click the green Install button.
Enter your Splunkbase credentials and click the Login and Install button.
Configure the Censys Search App
From the Splunk main page, click the Manage Apps gear in the top left corner of the page.
Find “Censys Search” in the list of installed apps.
Click the Set up button to open the Censys Search app.
Enter your Censys Search API key and secret in the fields provided.
Use the Censys Search command
censyssearch
The censyssearch command enriches events by IP address. It takes the events produced by a search as input and adds context to each event by querying the Censys API.
Syntax
censyssearch <ip_address_field> <summary|verbose>
Parameter | Usage
---|---
ip_address_field | The name of the field containing the IP address to search.
summary\|verbose | The level of detail to return. Either summary or verbose.
Note
For each enrichment command executed, responses will be cached for previously seen IPs, so the number of API credits consumed will equal the number of unique IPs enriched.
Examples
sourcetype="access_combined" | dedup clientIP | censyssearch clientIP verbose
sourcetype="censys:asm:logbook" | dedup ip | censyssearch ip summary
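The following added example models the enrichment flow the note above describes: lookups are cached per IP so that API credits consumed equal the number of unique IPs, and events whose IP field is missing, malformed, or not a public address are skipped before any credit is spent. It is illustrative code, not the Censys app's own implementation; the event shape, the `censys_status` and `censys_services` fields, and the `fake_lookup` stand-in for the API call are all constructed assumptions.

```python
"""Constructed model of cached IP enrichment (not the Censys app's code)."""
import ipaddress

# Constructed sample events in the shape a Splunk search might emit.
SAMPLE_EVENTS = [
    {"clientIP": "8.8.8.8", "uri": "/login"},
    {"clientIP": "8.8.8.8", "uri": "/admin"},     # repeat IP: served from cache
    {"clientIP": "1.1.1.1", "uri": "/"},
    {"clientIP": "10.0.0.5", "uri": "/internal"},  # private address: no public host
    {"clientIP": "not-an-ip", "uri": "/"},         # malformed field value
    {"uri": "/no-ip-field"},                       # field missing entirely
]


def is_public_ip(value):
    """True only for syntactically valid, globally routable addresses."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


class Enricher:
    def __init__(self, lookup):
        self.lookup = lookup      # callable(ip) -> host record; costs one credit
        self.cache = {}           # ip -> host record, shared across the run
        self.api_calls = 0        # equals the number of unique public IPs looked up

    def enrich(self, events, ip_field, detail="summary"):
        out = []
        for event in events:
            enriched = dict(event)
            ip = event.get(ip_field)
            if ip is None or not is_public_ip(ip):
                enriched["censys_status"] = "skipped"   # hypothetical field name
            else:
                if ip not in self.cache:
                    self.api_calls += 1
                    self.cache[ip] = self.lookup(ip)
                host = self.cache[ip]
                if detail == "verbose":
                    enriched.update(host)               # full record
                else:
                    enriched["censys_services"] = len(host["services"])  # summary only
                enriched["censys_status"] = "enriched"
            out.append(enriched)
        return out


def fake_lookup(ip):
    """Constructed stand-in for the API call; returns a minimal host record."""
    return {"ip": ip, "services": [{"port": 53, "name": "DNS"}]}


def run_demo(detail="summary"):
    enricher = Enricher(fake_lookup)
    results = enricher.enrich(SAMPLE_EVENTS, "clientIP", detail)
    return enricher.api_calls, results
```

Running `run_demo()` over the six constructed events yields two API calls, one per unique public IP, regardless of how many events reference each address.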
See also
For more information on how Censys collects and models host data, visit our help center.