App Events to Splunk

Data collected around App Events can be streamed from Airkit to the Splunk HTTP Event Connector (or HEC), allowing you to investigate the data in external analytics platforms.

📘 Enterprise Feature This feature requires an ENTERPRISE license. If you would like to enable this feature for your Airkit Organization, please contact your Airkit representative or contact support@airkit.com.

Streaming App Events to Splunk

Here, we through how to set up a JSON Splunk HEC to collect and organize data on how users interact with your Airkit apps.

Prerequisites

Splunk Cloud Platform or Splunk Enterprise
A configured HTTP Event Collector with an accessible token and a publicly accessible endpoint.

📘 Airkit only supports HTTPS transport against Splunk HEC endpoints that use a TLS certificate that is validated against a public Certificate Authority. Airkit does not support sending reporting events encrypted using a self-signed certificate or validated against a private Certificate Authority.

Configure the HEC in Airkit

The Airkit Splunk HEC integration will send JSON-formatted Event data to an active Splunk HEC endpoint. Airkit will send events to the /services/collector/event endpoint. It will also send any configured Event metadata. The token and channel identifier are sent as HTTP headers.

First, save the Token Value from Splunk’s Data Input > HTTP Event Collector menu:

To set up the Splunk HEC in Airkit, go to the Airkit Console and visit Settings > Logs and App Notifiers. Click on the Create button next to Splunk App Event Logs:

Fill out the following fields:

Name - the name of the Airkit-specific Splunk HEC
Host - the host name of the Splunk HEC
Port - the port of the Splunk HEC
Token - the token of the Splunk HEC
Source - the source value to assign to the Event data. This will define the metadata property source.
Source Type - the source type to assign to the Event data. This will define the metadata property sourceType. If the receiving Splunk HEC Data Input defines the source type, this value should be left empty.
Index - the name of the index by which the Event data is to be indexed. This will define the metadata property index.
Event Host - the host value to assign to the Event data. This will define the metadata property host.
Channel Identifier - the channel identifier sent within the Event. This will sent within the HTTP header X-Spunk-Request-Channel.
Event Fields - a JSON object that contains a flat list of explicit custom fields to be defined at index time. This will be sent the metadata property fields.

Note that the values given for these fields should match how the HEC is configured within Splunk:

Once the you have defined your Splunk App Event Log, click the Save button on the bottom left. The HEC is now configured. Every few minutes, Airkit will send relevant Events from all of the Organization's applications to the services/collector/event endpoint.

Event Data Schema

The Splunk export sends Session Events to Splunk as a JSON payload. The following is an example structure of a JSON event Airkit might send:

{
    "index": "summary",
    "sourcetype": "my_sample_data",
    "source": "my_app",
    "event": {
        "organizationId": "692f9bbd-105f-494d-86e3-62e7fe53cf31",
        "eventTime": "2022-03-04T16:44:25.322451Z",
        "eventId": "1Oih0noL7hD1AmU4gQ4Iw82j9fsJ",
        "appId": "0bd7f6f2-8b6b-43fc-84d2-186cb04406e8",
        "branchId": "2327dbd4-4272-4131-a010-03f72a989ff9",
        "savepointRevision": 3,
        "sessionId": "8439f7b1-d48c-4d66-8d4f-07bf7f059dba",
        "deployId": "c6abd7f1-8256-466d-9561-ada68bb7f58a",
        "type": "click",
        "details": {
            "actorName": "Actor",
            "deployUserId": "1533e663-6753-46b7-b050-79c614888bf6",
            "actorIdentityId": "cfef4563-c529-44ee-9851-fe6adecaaba2"
        },
        "metrics": [
            {
                "source": "DEFAULT",
                "id": "8a638998-3d43-4cb2-a141-d2feb7132fc1",
                "event": "/element/event2/button/on-click.json",
                "type": "COUNT",
                "value": 1
            }
        ],
        "activityId": "e78cf88a-b730-43bc-b2c3-6a9eaa46ca7b",
        "actorId": "d3725a33-09f9-4755-9cf1-55d64099da56",
        "activityGroupId": "44effb0d-2ded-417d-8bba-6c7f2ea75205",
        "client": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36",
        "userAgent": {
            "OperatingSystemNameVersion": "Mac OS X ??",
            "OperatingSystemName": "Mac OS X",
            "AgentNameVersionMajor": "Chrome 98",
            "AgentVersion": "98.0.4758.109",
            "DeviceClass": "Desktop",
            "DeviceBrand": "Apple",
            "LayoutEngineVersion": "98.0",
            "LayoutEngineNameVersionMajor": "Blink 98",
            "AgentNameVersion": "Chrome 98.0.4758.109",
            "AgentVersionMajor": "98",
            "OperatingSystemClass": "Desktop",
            "AgentClass": "Browser",
            "LayoutEngineVersionMajor": "98",
            "OperatingSystemNameVersionMajor": "Mac OS X ??",
            "LayoutEngineClass": "Browser",
            "LayoutEngineNameVersion": "Blink 98.0",
            "AgentName": "Chrome",
            "LayoutEngineName": "Blink",
            "DeviceName": "Apple Macintosh"
        },
        "isDebug": false,
        "isFrozen": false,
        "isProductionDeploy": false,
        "sourceRuntime": "MANAGER",
        "sourceDetail": "INIT",
        "appEventSchema": "/element/event2/button/on-click.json",
        "appEventId": "8a638998-3d43-4cb2-a141-d2feb7132fc1",
        "controlId": "8afd8569-9126-431e-bccf-9d25f5f6a924",
        "controlSchema": "/element/control/button.json",
        "callStack": [
            {
                "$schema": "/element/control/button.json",
                "id": "8afd8569-9126-431e-bccf-9d25f5f6a924"
            },
            {
                "$schema": "/element/event2/button/on-click.json",
                "id": "8a638998-3d43-4cb2-a141-d2feb7132fc1"
            }
        ],
        "ipAddresses": [],
        "kind": "Session"
    }
}

The event field may contain the properties of a Session Event:

ORGANIZATION_ID

VARCHAR

EVENT_YEAR

NUMBER

EVENT_MONTH

DATE

EVENT_DATE

DATE

EVENT_TIME

TIMESTAMPNTZ

EVENT_ID

VARCHAR

APP_ID

VARCHAR

BRANCH_ID

VARCHAR

SESSION_ID

VARCHAR

DEPLOY_ID

VARCHAR

EVENT_TYPE

VARCHAR

CUSTOM_METRICS

OBJECT

DEFAULT_METRICS

OBJECT

SAVEPOINT_REVISION

NUMBER

CHANNEL_ID

VARCHAR

CHANNEL_KEY

VARCHAR

FLOW_ID

VARCHAR

ACTIVITY_ID

VARCHAR

ACTOR_ID

VARCHAR

RESOURCE_ID

VARCHAR

ACTIVITY_GROUP_ID

VARCHAR

CLIENT

VARCHAR

USER_AGENT

VARCHAR

SCREEN_WIDTH

NUMBER

SCREEN_HEIGHT

NUMBER

HTTP_SOURCE

VARCHAR

STATUS

VARCHAR

CODE

NUMBER

SERVICE

VARCHAR

SERVICE_VERSION

VARCHAR

EXTERNAL_ID

VARCHAR

DURATION_MILLIS

NUMBER

CXR_VERSION

VARCHAR

SOURCE_RUNTIME

VARCHAR

SOURCE_DETAIL

VARCHAR

APP_EVENT_PARENT_SCHEMA

VARCHAR

APP_EVENT_PARENT_ID

VARCHAR

APP_EVENT_SCHEMA

VARCHAR

APP_EVENT_ID

VARCHAR

CONTROL_ID

VARCHAR

CONTROL_SCHEMA

VARCHAR

TRIGGER_ID

VARCHAR

PROFILE_ID

VARCHAR

EVENT_SOURCE_ID

VARCHAR

ACTION_PARENT_PATH

VARCHAR

ACTION_PARENT_SCHEMA

VARCHAR

ACTION_PATH

VARCHAR

ACTION_SCHEMA

VARCHAR

CONNECTION_ID

VARCHAR

EVENT_SOURCE_NAME

VARCHAR

EVENT_SOURCE_PARENT_ID

VARCHAR

EVENT_HANDLER_ID

VARCHAR

EVENT_HANDLER_SCHEMA

VARCHAR

EVENT_SOURCE_INPUT

VARCHAR

PreviousAnalytics Overview NextApp Events to AWS S3 Buckets

Last updated 1 year ago

Was this helpful?