Installing and Configuring for Splunk Cloud

To install and configure the Ivanti Neurons for MDM Splunk app for Splunk Cloud:

  1. Download mobileiron_cloud_for_splunk_cloud-2.2.0-bundle.tar.gz from https://support.mobileiron.com/support/CDL.html
    You will need your company's download/documentation credentials.

  2. Log into Splunk Cloud in your web browser. Splunk sends the Splunk Cloud URL in an email.

  3. Navigate to Settings > Indexes.

  4. Check for the micloudaudittrails and miclouddevices indexes in the list.

  5. If the indexes are not present, then click New Index, create the indexes as shown in the screenshots below, and then click Save.

    micloudaudittrails

    miclouddevices

  6. Navigate to Apps > Manage Apps.

  7. Select Manage Apps.

  8. Select Upload App, providing Splunk Cloud credentials, accepting the Terms & Conditions check box, and logging in if prompted.

  9. Follow the prompts on the page to upload the file mobileiron_cloud_for_splunk_cloud-2.2.0-bundle.tar.gz that you downloaded at the start of this process.

  10. Wait until the Status column of the Uploaded apps page reflects Approved for the app that you just uploaded.

  11. Click Install and then follow the prompts on the page to complete the installation.

  12. Navigate to Settings > Data Inputs > Ivanti Neurons for MDM > Ivanti (under column Ivanti Neurons for MDM Splunk app Config).

  13. Enable Fetch Data from Ivanti Neurons for MDM.

  14. Configure the associated fields:

    • Ivanti Neurons for MDM admin URL: Enter the URL to the target Ivanti Neurons for MDM instance. Ensure that you specify the entire URL with “https” included, for example, https://na2.mobileiron.com

    • Ivanti Neurons for MDM Read-only admin username: Enter the username of the Ivanti Neurons for MDM user with the Device Management and System Read Only roles that you created as part of the prerequisites.

    • Ivanti Neurons for MDM Read-only admin password: Enter the password of the Ivanti Neurons for MDM user with the Device Management and System Read Only roles that you created as part of the prerequisites.

    • Confirm password: Confirm the password.

    • Polling Interval: Select the number of minutes to wait between fetching data.

  15. Click Save.

  16. Navigate to Settings > Server Controls > Trigger Rolling Restart.

    It is mandatory to trigger a rolling restart on saving or updating Data Input details.

    Server restart may require several minutes. Do not upload the app or save data input again after triggering a rolling restart until the message "Server is ready to execute triggered request, happy Splunking" appears in a search, as described below in Checking server readiness.

  17. Start Splunking! Follow the instructions in Using the Ivanti Neurons for MDM App for Splunk Cloud/Enterprise.

Checking server readiness

Restart requires about eight minutes to reflect consistent data in the Splunk user interface. Do not upload the app or save data input again during this interval.

To check server readiness:

  1. Wait eight to ten minutes after triggering the rolling restart, and then select Apps > Manage Apps > Ivanti Neurons for MDM > Search from the Splunk Cloud portal.

  2. Enter the following search query:

    index="_internal" sourcetype=splunkd source="*splunkd.log"

    | transaction host startswith="*rolling restart* finished*" endswith="*happy Splunking*"

    | highlight "Server is ready to execute triggered request, happy Splunking*"

    Splunk Cloud may display the error "Server Error" while the server is restarting. If so, reload the page and retry.

  3. Select Last 15 minutes, and then click the search icon.

  4. Search for "happy Splunking" in the results.

More useful searches

This section describes more useful searches you can use to check on status.

Search for logs

Follow the same instructions as in Checking server readiness, this time entering the following query:

index="_internal" sourcetype=splunkd source="*splunkd.log" event_message="*mobileiron_cloud.sh*" | table _raw | sort _raw | reverse

Search for device index data

Follow the same instructions as in Checking server readiness, this time entering the following query:

index="miclouddevices"

Search for audit trail index data

Follow the same instructions as in Checking server readiness, this time entering the following query:

index="micloudaudittrails"
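
The two index searches above can be combined into a single feed-health check. The following search is an added example, not part of the Ivanti documentation: it reports the event count and the age of the newest event for both indexes, and still returns a row for an index that has received nothing. The 60-minute staleness threshold is an assumption; set it to a value above your configured Polling Interval and run the search over a time range longer than that threshold (for example, Last 24 hours).

```spl
| tstats count AS events max(_time) AS last_event
    WHERE index=miclouddevices OR index=micloudaudittrails BY index
| append
    [| makeresults
     | eval index=split("miclouddevices,micloudaudittrails", ",")
     | mvexpand index
     | fields index]
| stats max(events) AS events max(last_event) AS last_event BY index
| fillnull value=0 events
| eval minutes_since_last = round((now() - last_event) / 60)
| eval status = case(events == 0, "NO DATA",
                     minutes_since_last > 60, "STALE",
                     true(), "OK")
| eval last_event = strftime(last_event, "%Y-%m-%d %H:%M:%S")
| table index events last_event minutes_since_last status
```

A status of NO DATA or STALE after the rolling restart has completed points to the data input configuration (admin URL, read-only credentials, or the Fetch Data setting); the Search for logs query above shows the corresponding mobileiron_cloud.sh messages.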