# Splunk - Vectra Detect Integration Steps (QUX)

## Introduction

This article is meant to be used in conjunction with the [Splunk Integration Guide for Vectra AI](/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux.md). It provides the following:

* An overview of Vectra's data sources that can feed Splunk.
* A listing of Vectra's Splunk Add-ons and Apps.
  * Links are provided to the Add-ons and Apps in Splunkbase.
* An installation matrix showing what needs to be installed where in your Splunk environment.
* Common prerequisites for any Vectra / Splunk integration.

## Steps

1. Read the [Splunk Integration Guide for Vectra AI](/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux.md) and keep it handy for links to Splunk Apps and guidance to go along with this article.
   * Be sure to have created the required dedicated index for the Detect Add-on to use.
   * Please note that if you will be ingesting data from Vectra SaaS and a Brain based installation of the Vectra platform, both Add-ons will use the same index. Only create one index for both Add-ons.
2. Install the Add-on(s)
   * As per the [Splunk Integration Guide for Vectra AI](/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux.md), the Vectra platform is available to deploy via Vectra SaaS or Brain based deployments.
   * If using Vectra SaaS:
     * [Install the Vectra SaaS Add-on for Splunk following these instructions.](/configuration/response/siem/splunk-vectra-saas-add-on-configuration-qux.md)
   * If using the Vectra platform in a Brain based deployment (running in a supported IaaS cloud, virtual appliance, or physical appliance):
     * [Install the Technology Add-On for Vectra Detect (JSON) and configure your Brain to send Syslog data to Splunk following these instructions](/configuration/response/siem/splunk-vectra-detect-add-on-and-syslog-configuration-qux.md).
3. Install the App using the instructions below.


## Detect App Installation

The App must be installed on Search Heads:

* On the main Splunk dashboard, click the **"+ Find More Apps"** sign to open the app browser (or **Manage > Find more Apps**).
* Search the app store for "**Vectra Cognito Detect**".
  * Click Install.
* Return to the main dashboard.

Once the installation is completed, the macro's configuration needs to be updated:

* Navigate to **Settings > Advanced search**.
* Click on **Search macros**.
* In the App dropdown list, select "**Vectra Cognito**".
* A macro named `vectra_cognito_index` must be listed.
  * Click on the name to edit it.
* Update the definition to match the name of the index where Vectra Detect events are located.
* Save.
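As an added illustration (not from the Vectra guide or the App itself), this is what the index from step 1 and the macro edited above look like on disk. The index name `vectra`, the `system/local` location for the index stanza and the App directory name are assumptions and placeholders; editing the macro through **Settings > Advanced search** writes the same `[vectra_cognito_index]` stanza into the App's `local/macros.conf`. The check that matters is that the macro's `definition` names exactly the index that both the Detect (Syslog) Add-on and the SaaS Add-on write to, since the App's dashboards search through this macro.

```ini
# $SPLUNK_HOME/etc/system/local/indexes.conf  (one valid location; assumed for this example, lives on the indexers)
# A single dedicated index shared by the Detect Add-on and the SaaS Add-on.
# "vectra" is an assumed example name; use the index you created for the Add-ons.
[vectra]
homePath   = $SPLUNK_DB/vectra/db
coldPath   = $SPLUNK_DB/vectra/colddb
thawedPath = $SPLUNK_DB/vectra/thaweddb

# $SPLUNK_HOME/etc/apps/<vectra_app_dir>/local/macros.conf  (placeholder App directory; lives on the Search Head)
# The macro the Vectra Cognito Detect App expands in its searches.
# Its definition must resolve to the index above, otherwise the App's panels search an empty index.
[vectra_cognito_index]
definition = index=vectra
```

To confirm the macro resolves after saving, run `` `vectra_cognito_index` | head 10 `` from the App's search bar (the backticks expand the macro). If this returns nothing while `index=<your_index>` does, the macro definition and the index the Add-ons write to disagree.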


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.vectra.ai/configuration/response/siem/splunk-vectra-detect-integration-steps-qux.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
