Configuration

Set up your API key, connection settings, proxy, logging, and health check.

Updated April 2026 | Splunk Integration

Configuration Documentation

All settings are managed through the Splunk Web UI via the UCC Framework.

Get an API key (optional)

An API key unlocks higher query depth limits and more generous rate limits. Without an API key, you can still use the add-on with the Anonymous plan (2-hop depth limit).

  1. Go to console.whisper.security and create a free account
  2. Once logged in, generate an API key from the console dashboard
  3. Copy the key -- you will use it in the next step

Account setup

  1. In Splunk Web, navigate to Apps > Whisper Security TA > Configuration > Account
  2. Click Add to create a new account
  3. Enter an account name (e.g., production), the API base URL, and optionally your API key
  4. Click Test Connectivity to verify the connection -- the button shows your plan tier (e.g., "Connected -- Plan: Professional (140ms)")
  5. Click Save -- the API key is stored encrypted via Splunk storage/passwords

Account fields

| Field | Required | Default | Description |
|---|---|---|---|
| Account Name | Yes | -- | Unique identifier for this account |
| Base URL | Yes | https://graph.whisper.security | Whisper API base URL |
| API Key | No | -- | Encrypted API key for authentication. Leave empty for Anonymous plan (2-hop depth limit) |

Connection settings

Navigate to Configuration > Settings to configure connection parameters:

| Field | Default | Range | Description |
|---|---|---|---|
| Request Timeout | 30 seconds | 5-120 seconds | HTTP request timeout for API calls |
| Verify SSL Certificate | Enabled | -- | SSL certificate verification (disable only for testing) |
| Proxy URL | -- | -- | Optional HTTP/HTTPS/SOCKS5 proxy URL |

Proxy configuration

If your Splunk server does not have direct internet access, configure a proxy:

| Proxy type | URL format | Example |
|---|---|---|
| HTTP proxy | http://host:port | http://proxy.internal:8080 |
| HTTPS proxy | https://host:port | https://proxy.internal:8443 |
| SOCKS5 proxy | socks5://host:port | socks5://proxy.internal:1080 |
| Authenticated proxy | http://user:pass@host:port | http://admin:secret@proxy.internal:8080 |

Warning: If your proxy requires authentication, include the credentials in the URL. The proxy URL is stored in Splunk's configuration system (not storage/passwords), so it does not get the encrypted storage used for the API key. Use a service account with minimal privileges for the proxy.

SSL/TLS configuration

SSL certificate verification is enabled by default and should remain enabled in production.

When to disable SSL verification:

  • Testing with a proxy that performs TLS inspection (MITM proxy)
  • Development environments with self-signed certificates

Danger: Never disable SSL verification in production. All API communication with graph.whisper.security uses HTTPS with a valid certificate.
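
The following is an added example, not part of the add-on's own code: a small pre-flight check that validates a set of connection settings against the ranges and proxy URL formats in the tables above and flags the two risky choices this page warns about (credentials embedded in the proxy URL, certificate verification turned off). The dictionary keys timeout, verify_ssl and proxy_url and both function names are assumptions made for the example, not the add-on's configuration keys.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_PROXY_SCHEMES = {"http", "https", "socks5"}  # from the proxy table
TIMEOUT_MIN, TIMEOUT_MAX = 5, 120                     # seconds, from the settings table


def redact_proxy_url(url):
    """Return the URL with any user:pass@ part masked, so it is safe to log."""
    parts = urlsplit(url)
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url
    return urlunsplit(parts._replace(netloc="***@" + hostport))


def audit_settings(settings, production=True):
    """Return (severity, message) findings; an empty list means nothing to fix.

    The keys timeout, verify_ssl and proxy_url are hypothetical names.
    """
    findings = []
    timeout = settings.get("timeout", 30)
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        findings.append(("error", f"timeout {timeout}s is outside 5-120 seconds"))
    if not settings.get("verify_ssl", True):
        # Tolerable only in a test setup; reported as "error" for production.
        findings.append(("error" if production else "warning",
                         "certificate verification is disabled"))
    proxy = settings.get("proxy_url")
    if proxy:
        parts = urlsplit(proxy)
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            port = None
        if (parts.scheme not in ALLOWED_PROXY_SCHEMES
                or not parts.hostname or port is None):
            findings.append(("error", "proxy URL is not http|https|socks5://host:port"))
        if parts.username or parts.password:
            findings.append(("warning", "proxy credentials are kept outside "
                             "storage/passwords: " + redact_proxy_url(proxy)))
    return findings


if __name__ == "__main__":
    # Constructed sample using the page's authenticated-proxy example URL.
    sample = {"timeout": 30, "verify_ssl": False,
              "proxy_url": "http://admin:secret@proxy.internal:8080"}
    for severity, message in audit_settings(sample):
        print(severity.upper(), message)
```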

Logging

The add-on writes logs to $SPLUNK_HOME/var/log/splunk/. Logs are automatically indexed into the _internal index.

Log locations

All components log to a single shared log file:

| Component | Log file | Search |
|---|---|---|
| All (commands, inputs, REST handlers) | ta_whisper_security.log | index=_internal source=*ta_whisper_security.log |

Log levels

Log verbosity is controlled by Splunk's standard logging configuration. To increase the log level for debugging:

  1. Navigate to Settings > Server Settings > Server Logging
  2. Search for whisper
  3. Set the desired log level (DEBUG, INFO, WARNING, ERROR)

Tip: Enable DEBUG logging temporarily to diagnose API connectivity or enrichment issues. Remember to set it back to INFO when done -- DEBUG logging generates significant volume.

Searching logs

index=_internal source=*ta_whisper_security.log
| table _time log_level _raw
| sort -_time

Health check input

Navigate to Inputs to configure the API health check:

  1. Click Create New Input > Whisper API Health Check
  2. Configure the check interval (default: 300 seconds / 5 minutes)
  3. Select the account to use for health checks
  4. Choose the index for health events (default: whisper)

Health events are written with sourcetype=whisper:health and include:

  • status -- API health status (UP, ERROR)
  • node_count -- Number of nodes in the Knowledge Graph
  • edge_count -- Number of edges in the Knowledge Graph
  • threat_intel_loaded -- Whether threat intelligence data is available
  • feed_source_count -- Number of active threat intel feed sources
  • response_time_ms -- API response time in milliseconds

Verify it works

After setting up your account, check that the connection works:

| whisperquery query="RETURN 1 AS test LIMIT 1"

If you get a result back, you are connected.

Try an enrichment:

| makeresults | eval dest_host="example.com"
| whisperlookup field=dest_host type=domain
| table dest_host whisper_ip whisper_asn whisper_asn_name

Check health monitoring events:

index=whisper sourcetype=whisper:health | head 10

Next steps