Zscaler Splunk App - Design and Installation documentation

Zscaler is pleased to release the attached document in conjunction with the latest version of the Zscaler Splunk App. This new version adds some great new capabilities, with Zscaler APIs being used to retrieve Admin Audit Logs (ZIA) and detailed Cloud Sandbox detonation correlation and reporting.

Splunk Design and Install.pdf (3.2 MB)

The Splunk App and Technical Add-On can be downloaded from Splunk Base

Your feedback is always welcome; please feel free to comment here or contact splunk-support@zscaler.com


Can we stream the logs directly from the Zscaler Cloud to Splunk (on-prem), or do we still need a Zscaler_NSS VM to stream them to the Splunk app?
This is an on-premises environment.

Yes, NSS is still required.


Seems like ‘zscalernss-tunnel’ source type is not defined in the current version of the app. Is there any workaround to this, in order to process tunnel logs in Splunk?

The missing sourcetype has now been added; version 2.0.4 contains the fix.

The Admin Audit Logs work great.

Do we have any documents about QRadar - NSS integration?


We are currently working on a refresh to the DSM and App directly with the IBM team. CC @roguerunner, @rahim888
