App Events to Splunk
Last updated
Last updated
Data collected around App Events can be streamed from Airkit to the Splunk HTTP Event Connector (or HEC), allowing you to investigate the data in external analytics platforms.
📘 Enterprise Feature This feature requires an ENTERPRISE license. If you would like to enable this feature for your Airkit Organization, please contact your Airkit representative or contact support@airkit.com.
Here, we through how to set up a JSON Splunk HEC to collect and organize data on how users interact with your Airkit apps.
Splunk Cloud Platform or Splunk Enterprise
A configured HTTP Event Collector with an accessible token and a publicly accessible endpoint.
📘 Airkit only supports HTTPS transport against Splunk HEC endpoints that use a TLS certificate that is validated against a public Certificate Authority. Airkit does not support sending reporting events encrypted using a self-signed certificate or validated against a private Certificate Authority.
The Airkit Splunk HEC integration will send JSON-formatted Event data to an active Splunk HEC endpoint. Airkit will send events to the /services/collector/event
endpoint. It will also send any configured Event metadata. The token and channel identifier are sent as HTTP headers.
First, save the Token Value from Splunk’s Data Input > HTTP Event Collector menu:
To set up the Splunk HEC in Airkit, go to the Airkit Console and visit Settings > Logs and App Notifiers. Click on the Create button next to Splunk App Event Logs:
Fill out the following fields:
Name - the name of the Airkit-specific Splunk HEC
Host - the host name of the Splunk HEC
Port - the port of the Splunk HEC
Token - the token of the Splunk HEC
Source - the source value to assign to the Event data. This will define the metadata property source
.
Source Type - the source type to assign to the Event data. This will define the metadata property sourceType
. If the receiving Splunk HEC Data Input defines the source type, this value should be left empty.
Index - the name of the index by which the Event data is to be indexed. This will define the metadata property index
.
Event Host - the host value to assign to the Event data. This will define the metadata property host
.
Channel Identifier - the channel identifier sent within the Event. This will sent within the HTTP header X-Spunk-Request-Channel
.
Event Fields - a JSON object that contains a flat list of explicit custom fields to be defined at index time. This will be sent the metadata property fields
.
Note that the values given for these fields should match how the HEC is configured within Splunk:
Once the you have defined your Splunk App Event Log, click the Save button on the bottom left. The HEC is now configured. Every few minutes, Airkit will send relevant Events from all of the Organization's applications to the services/collector/event
endpoint.
The Splunk export sends Session Events to Splunk as a JSON payload. The following is an example structure of a JSON event Airkit might send:
The event
field may contain the properties of a Session Event:
ORGANIZATION_ID | VARCHAR |
EVENT_YEAR | NUMBER |
EVENT_MONTH | DATE |
EVENT_DATE | DATE |
EVENT_TIME | TIMESTAMPNTZ |
EVENT_ID | VARCHAR |
APP_ID | VARCHAR |
BRANCH_ID | VARCHAR |
SESSION_ID | VARCHAR |
DEPLOY_ID | VARCHAR |
EVENT_TYPE | VARCHAR |
CUSTOM_METRICS | OBJECT |
DEFAULT_METRICS | OBJECT |
SAVEPOINT_REVISION | NUMBER |
CHANNEL_ID | VARCHAR |
CHANNEL_KEY | VARCHAR |
FLOW_ID | VARCHAR |
ACTIVITY_ID | VARCHAR |
ACTOR_ID | VARCHAR |
RESOURCE_ID | VARCHAR |
ACTIVITY_GROUP_ID | VARCHAR |
CLIENT | VARCHAR |
USER_AGENT | VARCHAR |
SCREEN_WIDTH | NUMBER |
SCREEN_HEIGHT | NUMBER |
HTTP_SOURCE | VARCHAR |
STATUS | VARCHAR |
CODE | NUMBER |
SERVICE | VARCHAR |
SERVICE_VERSION | VARCHAR |
EXTERNAL_ID | VARCHAR |
DURATION_MILLIS | NUMBER |
CXR_VERSION | VARCHAR |
SOURCE_RUNTIME | VARCHAR |
SOURCE_DETAIL | VARCHAR |
APP_EVENT_PARENT_SCHEMA | VARCHAR |
APP_EVENT_PARENT_ID | VARCHAR |
APP_EVENT_SCHEMA | VARCHAR |
APP_EVENT_ID | VARCHAR |
CONTROL_ID | VARCHAR |
CONTROL_SCHEMA | VARCHAR |
TRIGGER_ID | VARCHAR |
PROFILE_ID | VARCHAR |
EVENT_SOURCE_ID | VARCHAR |
ACTION_PARENT_PATH | VARCHAR |
ACTION_PARENT_SCHEMA | VARCHAR |
ACTION_PATH | VARCHAR |
ACTION_SCHEMA | VARCHAR |
CONNECTION_ID | VARCHAR |
EVENT_SOURCE_NAME | VARCHAR |
EVENT_SOURCE_PARENT_ID | VARCHAR |
EVENT_HANDLER_ID | VARCHAR |
EVENT_HANDLER_SCHEMA | VARCHAR |
EVENT_SOURCE_INPUT | VARCHAR |