Collects OneTrust Privacy Cloud Requests (DSAR) JSON data. This Splunk TA houses a modular input or a script that utilizes OneTrust API for "Get All Requests" under the OneTrust Privacy Cloud - Privacy Rights Automation.
Install the latest version from Splunkbase or download the app's full directory in the src
folder in this repository: TA-onetrust_privacy_cloud
. Once the app is installed in your Splunk Enterprise environment, restart the Splunk daemon. Confirm the installation by checking the availability of the modular input, e.g.:
SplunkWeb GUI > Settings > Data Inputs > OneTrust Privacy Cloud
To configure a collection, you will need two things:
- The domain of the environment, i.e.
hostname
e.g.https://trial.onetrust.com
- The OAuth2 Bearer Token
- As user with admin role, login on to your Splunk Environment
- Navigate to Settings > Data Inputs > OneTrust Privacy Cloud
- Click
New
- You should be able to see the form for
OneTrust Privacy Cloud Token Credentials
- Give your input a unique name under the
name
textbox (must not contain spaces) - Enter the domain of the environment or the hostname. Start with
https
and end with.com
. Do not end with a forward slash/
. E.g.:https://trial.onetrust.com
- Enter your OAuth2 Bearer Token under the
API Token
textbox - Enter the date from when you wanted to start collecting. It is important to follow the format
yyyymmdd
- Give your input a unique name under the
- Click
More settings
- Under
Interval
enter a valid Cron schedule or interval in seconds- It is suggested to use interval in seconds and the value of a minimum of 3600 (collect every 60 minutes)
- Leave
Set sourcetype
asAutomatic
- Enter your preferred host under the
Host
textbox- We recommend that you enter here the same value as the one you use
hostname
- We recommend that you enter here the same value as the one you use
- Set your index under the
index
dropdown* menu - Finally, enable your input as it is disabled by default
*If you're configuring this on a Splunk Heavy Forwarder that is not aware of the list of indexes available in your Indexer Cluster (e.g.: SplunkCloud), just select default
for Step 9. Once done, directly modify the inputs.conf
using your favorite text editor. Under the stanza [onetrust_privacy_cloud://<name you gave>]
, look for index = default
and then replace the value to your chosen index.
Check for internal logs by running the SPL below:
index=_internal source=*splunkd.log "onetrust_privacy_cloud.py"
| transaction thread_id source maxspan=<the value you enter for Step 6> startswith="New scheduled exec process" endswith="Streaming OneTrust Privacy Cloud has been successful"