Configuration
Set up your API key, connection settings, proxy, logging, and health check.
All settings are managed through the Splunk Web UI via the UCC Framework.
Get an API key
- Go to console.whisper.security and create a free account
- Once logged in, generate an API key from the console dashboard
- Copy the key -- you will use it in the next step
Account setup
- In Splunk Web, navigate to Apps > Whisper Security TA > Configuration > Account
- Click Add to create a new account
- Enter an account name (e.g., production), the API base URL, and your API key
- Click Save -- the API key is stored encrypted via Splunk storage/passwords
Account fields
| Field | Required | Default | Description |
|---|---|---|---|
| Account Name | Yes | -- | Unique identifier for this account |
| Base URL | Yes | https://graph.whisper.security | Whisper API base URL |
| API Key | Yes | -- | Whisper API Key |
Connection settings
Navigate to Configuration > Settings to configure connection parameters:
| Field | Default | Range | Description |
|---|---|---|---|
| Request Timeout (seconds) | 120 | 5-300 | HTTP request timeout for API calls |
| Proxy URL | -- | -- | Optional HTTP/HTTPS/SOCKS5 proxy URL |
Proxy configuration
If your Splunk server does not have direct internet access, configure a proxy:
| Proxy type | URL format | Example |
|---|---|---|
| HTTP proxy | http://host:port | http://proxy.internal:8080 |
| HTTPS proxy | https://host:port | https://proxy.internal:8443 |
| SOCKS5 proxy | socks5://host:port | socks5://proxy.internal:1080 |
| Authenticated proxy | http://user:pass@host:port | http://admin:secret@proxy.internal:8080 |
Proxy authentication: If your proxy requires authentication, include the credentials in the URL. The proxy URL, including any embedded credentials, is stored in Splunk's configuration system (not storage/passwords), so use a service account with minimal privileges.
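The following is an added example, not code from the add-on: a pre-save review of the connection settings that checks the timeout range and proxy URL formats from the tables above, flags credentials embedded in the proxy URL, and produces a redacted form suitable for tickets or logs. The function names `redact_proxy_url` and `review_settings` are hypothetical.

```python
from urllib.parse import urlsplit

# Values from the Connection settings and Proxy configuration tables.
ALLOWED_SCHEMES = {"http", "https", "socks5"}
TIMEOUT_MIN, TIMEOUT_MAX = 5, 300


def redact_proxy_url(url):
    """Return the proxy URL with any user:pass replaced, safe to log or paste."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    netloc = host + (":%d" % port if port is not None else "")
    if parts.username is not None or parts.password is not None:
        netloc = "***:***@" + netloc
    return "%s://%s" % (parts.scheme, netloc)


def review_settings(timeout, proxy_url=None):
    """Hypothetical pre-save review; returns a list of findings (empty = clean)."""
    findings = []
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        findings.append("timeout %s outside %d-%d seconds" % (timeout, TIMEOUT_MIN, TIMEOUT_MAX))
    if not proxy_url:
        return findings  # the proxy setting is optional
    parts = urlsplit(proxy_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        findings.append("unsupported proxy scheme %r" % parts.scheme)
    if not parts.hostname:
        findings.append("proxy URL has no host")
    try:
        if parts.port is None:
            findings.append("proxy URL has no port")
    except ValueError:
        findings.append("proxy URL has an invalid port")
    if parts.username is not None or parts.password is not None:
        findings.append("proxy URL embeds credentials kept outside storage/passwords")
    return findings


if __name__ == "__main__":
    # Constructed sample values, matching the examples in the table above.
    for url in ("socks5://proxy.internal:1080", "http://admin:secret@proxy.internal:8080"):
        print(redact_proxy_url(url), review_settings(120, url))
```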
SSL/TLS
All API communication with graph.whisper.security uses HTTPS with a valid certificate. SSL certificate verification is always enabled and is not configurable.
Logging
The add-on writes logs to $SPLUNK_HOME/var/log/splunk/. Logs are automatically indexed into the _internal index.
Log locations
All components log to a single shared log file:
| Component | Log file | Search |
|---|---|---|
| All (commands, inputs, REST handlers) | ta_whisper_graph.log | index=_internal source=*ta_whisper_graph.log |
Log levels
Log verbosity is controlled by Splunk's standard logging configuration. To increase the log level for debugging:
- Navigate to Settings > Server Settings > Server Logging
- Search for whisper
- Set the desired log level (DEBUG, INFO, WARNING, ERROR)
Debug logging: Enable DEBUG logging temporarily to diagnose API connectivity or enrichment issues. Remember to set it back to INFO when done -- DEBUG logging generates significant volume.
Searching logs
index=_internal source=*ta_whisper_graph.log
| table _time log_level _raw
| sort -_time
Verify it works
After setting up your account, check that the connection works:
| whisperquery query="RETURN 1 AS test LIMIT 1"
If you get a result back, you are connected.
Try an enrichment:
| makeresults | eval dest_host="example.com"
| whisperlookup field=dest_host type=domain
| table dest_host whisper_ip whisper_asn whisper_asn_name
Next steps
- Search Commands -- Full command reference
- Enrichment -- Enrichment pipeline details
- Macros -- Pre-built investigation macros
- ES Integration -- Threat intel and correlation searches
- Use Cases -- Security workflow examples