Configure the Illumio App for Splunk
Use the procedures in the following topics to configure the Illumio App for Splunk.
Create an Index for Illumio Events
Note
This is an optional step, but it is recommended. If you already created one or more indexes when you configured the Illumio Technology Add-On for Splunk, skip this step.
Navigate to Settings > Indexes.
Click New Index in the top-right corner.
Enter an index name and select Illumio App for Splunk from the App drop-down menu.
Set the other index parameters based on your expected event volume and retention policy.
Click Save.
Note
Make sure to configure the index based on your organization's compliance requirements and data retention policies. See Managing Indexers and Clusters of Indexers.
Update the illumio_get_index Macro
Navigate to Settings > Advanced Search > Search Macros.
Select Illumio App for Splunk from the App drop-down menu.
Click the illumio_get_index macro name to open the edit form.
Update the definition to reference one or more indexes, such as
(index="illumio_pce1" OR index="illumio_pce2").Click Save.
Accelerate the Illumio Data Model
This step is optional, but it is recommended. See Data Model Acceleration.
Install the Sankey Diagram App
The Traffic Explorer dashboard renders traffic flows using the Sankey diagram custom visualization app. The app is required for displaying the panel but it is not required.