Requirements
Software, network, and API key requirements for the Whisper Splunk add-on.
Requirements Documentation
Software requirements
Splunk platform
| Component | Minimum version | Recommended |
|---|---|---|
| Splunk Enterprise | 10.2.0 | Latest 10.x |
| Splunk Cloud | Victoria Experience | Victoria Experience |
| Splunk Enterprise Security | 7.0 (optional) | Latest |
Python
The add-on requires Python 3.13, which Splunk Enterprise 10.2 and Splunk Cloud Platform 10.2 ship as an opt-in interpreter. Every extension point (commands.conf, inputs.conf, restmap.conf, alert_actions.conf, app.conf) declares python.required = 3.13, so Splunk selects the 3.13 interpreter automatically.
Network requirements
Outbound connectivity
The add-on requires HTTPS (port 443) access to the Whisper Security API:
| Endpoint | Protocol | Port | Purpose |
|---|---|---|---|
graph.whisper.security | HTTPS | 443 | Knowledge Graph API |
Proxy support: If your Splunk server does not have direct internet access, configure an HTTP/HTTPS/SOCKS5 proxy in Configuration > Settings > Proxy URL.
Firewall rules
Allow outbound HTTPS (TCP 443) from:
- Search heads -- for search commands (
whisperlookup,whisperquery,whisperschema) - Search heads -- for modular inputs (baseline, threat intel, watchlist)
No inbound connectivity is required. The add-on does not open any listening ports.
Index prerequisite
The add-on writes events to a Splunk index named whisper. You must create this index before enabling the modular inputs. The TA does not ship an indexes.conf because Splunk Cloud Victoria Experience prohibits app-shipped index definitions.
| Deployment | Index creation method |
|---|---|
| Splunk Cloud Victoria | ACS API or Splunk Cloud Console (admin role required) |
| Splunk Cloud Classic | Splunk Web -> Settings -> Indexes (admin role required) |
| Splunk Enterprise | Splunk Web, CLI (splunk add index whisper), or cluster master indexes.conf |
See Installation -> Create the whisper index for step-by-step instructions for each deployment type.
API key requirements
For per-plan API capability and quotas, see the pricing page.
Get a free API key at console.whisper.security.
Start without a key: You can install and test the add-on without an API key using the Anonymous plan. The
whisperlookupandwhisperquerycommands work with Anonymous access, but some macros (whisper_cname_chain,whisper_spf_chain) require higher plan tiers due to traversal depth requirements.
Splunk Cloud requirements
The add-on passes Splunk AppInspect with zero failures for both precert and cloud tag sets. Cloud-specific requirements that are already met:
- All credentials stored via
storage/passwords(encrypted) - No hardcoded file paths (uses
$SPLUNK_HOMEenvironment variable) - No prohibited
.conffiles (outputs.conf,authentication.conf, etc.) - No reserved port usage
- No shebang lines in Python files
- No
exec(),eval(), or shell execution - Uses
sc_adminrole (notadmin) for Cloud compatibility - SSL/TLS verification enabled on all network calls
Next steps
- Installation -- Install the add-on
- Configuration -- Set up your API key and connection settings