App Events to Splunk
Data collected around App Events can be streamed from Airkit to the Splunk HTTP Event Collector (or HEC), allowing you to investigate the data in external analytics platforms.
📘 Enterprise Feature This feature requires an ENTERPRISE license. If you would like to enable this feature for your Airkit Organization, please contact your Airkit representative or contact support@airkit.com.
Here, we walk through how to set up a JSON Splunk HEC to collect and organize data on how users interact with your Airkit apps.
Splunk Cloud Platform or Splunk Enterprise
A configured HTTP Event Collector with an accessible token and a publicly accessible endpoint.
📘 Airkit only supports HTTPS transport against Splunk HEC endpoints that use a TLS certificate that is validated against a public Certificate Authority. Airkit does not support sending reporting events encrypted using a self-signed certificate or validated against a private Certificate Authority.
The Airkit Splunk HEC integration will send JSON-formatted Event data to an active Splunk HEC endpoint. Airkit will send events to the /services/collector/event endpoint. It will also send any configured Event metadata. The token and channel identifier are sent as HTTP headers.
First, save the Token Value from Splunk’s Data Input > HTTP Event Collector menu:
To set up the Splunk HEC in Airkit, go to the Airkit Console and visit Settings > Logs and App Notifiers. Click on the Create button next to Splunk App Event Logs:
Fill out the following fields:
Name - the name of the Airkit-specific Splunk HEC
Host - the host name of the Splunk HEC
Port - the port of the Splunk HEC
Token - the token of the Splunk HEC
Source - the source value to assign to the Event data. This will define the metadata property source.
Source Type - the source type to assign to the Event data. This will define the metadata property sourceType. If the receiving Splunk HEC Data Input defines the source type, this value should be left empty.
Index - the name of the index by which the Event data is to be indexed. This will define the metadata property index.
Event Host - the host value to assign to the Event data. This will define the metadata property host.
Channel Identifier - the channel identifier sent within the Event. This will be sent within the HTTP header X-Splunk-Request-Channel.
Event Fields - a JSON object that contains a flat list of explicit custom fields to be defined at index time. This will be sent as the metadata property fields.
Note that the values given for these fields should match how the HEC is configured within Splunk:
Once you have defined your Splunk App Event Log, click the Save button on the bottom left. The HEC is now configured. Every few minutes, Airkit will send relevant Events from all of the Organization's applications to the /services/collector/event endpoint.
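A way to check the HEC values before entering them in Airkit, as an added example that is not Airkit's or Splunk's own code: it builds the request shape described above (a JSON envelope for /services/collector/event, with the token and channel identifier as HTTP headers) and rejects a nested Event Fields object. The function names, host, port, token and event values are constructed assumptions; the `Authorization: Splunk <token>` header format and the `sourcetype` key spelling follow Splunk's HEC convention.

```python
import json
import ssl
import urllib.request

HEC_PATH = "/services/collector/event"  # endpoint named on this page


def build_hec_request(host, port, token, event, channel=None, source=None,
                      sourcetype=None, index=None, event_host=None, fields=None):
    """Return (url, headers, body) for one HEC event; nothing is sent here."""
    if fields is not None:
        # Event Fields must be a flat JSON object, so reject nested objects.
        nested = sorted(k for k, v in fields.items() if isinstance(v, dict))
        if nested:
            raise ValueError(f"fields must be flat; nested keys: {nested}")
    envelope = {"event": event}
    # Send only the metadata that is set: an empty Source Type leaves the
    # decision to the HEC Data Input. Splunk spells this JSON key "sourcetype".
    optional = {"source": source, "sourcetype": sourcetype, "index": index,
                "host": event_host, "fields": fields}
    envelope.update({k: v for k, v in optional.items() if v})
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    url = f"https://{host}:{port}{HEC_PATH}"
    return url, headers, json.dumps(envelope).encode("utf-8")


def redact(headers):
    """Copy of the headers that is safe to log: the token is masked."""
    return {k: "Splunk ***" if k == "Authorization" else v
            for k, v in headers.items()}


def send(url, headers, body, timeout=10):
    """POST with default certificate verification (system trust store)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()  # verifies chain and host name
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, json.loads(resp.read())


if __name__ == "__main__":
    # Constructed sample values; replace them with your own HEC settings.
    sample = {"EVENT_TYPE": "constructed-sample", "SESSION_ID": "constructed-1"}
    url, headers, body = build_hec_request(
        "splunk.example.com", 8088, "CONSTRUCTED-TOKEN", sample,
        channel="00000000-0000-0000-0000-000000000000", source="airkit-test")
    print(url, redact(headers), body.decode())
    # print(send(url, headers, body))  # uncomment to send to a real HEC
```

If `send` fails with a certificate verification error, the endpoint's certificate does not chain to a CA in the system trust store, which is the condition the TLS note above says Airkit does not support.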
The Splunk export sends Session Events to Splunk as a JSON payload. The following is an example structure of a JSON event Airkit might send:
The event field may contain the properties of a Session Event:
ORGANIZATION_ID - VARCHAR
EVENT_YEAR - NUMBER
EVENT_MONTH - DATE
EVENT_DATE - DATE
EVENT_TIME - TIMESTAMPNTZ
EVENT_ID - VARCHAR
APP_ID - VARCHAR
BRANCH_ID - VARCHAR
SESSION_ID - VARCHAR
DEPLOY_ID - VARCHAR
EVENT_TYPE - VARCHAR
CUSTOM_METRICS - OBJECT
DEFAULT_METRICS - OBJECT
SAVEPOINT_REVISION - NUMBER
CHANNEL_ID - VARCHAR
CHANNEL_KEY - VARCHAR
FLOW_ID - VARCHAR
ACTIVITY_ID - VARCHAR
ACTOR_ID - VARCHAR
RESOURCE_ID - VARCHAR
ACTIVITY_GROUP_ID - VARCHAR
CLIENT - VARCHAR
USER_AGENT - VARCHAR
SCREEN_WIDTH - NUMBER
SCREEN_HEIGHT - NUMBER
HTTP_SOURCE - VARCHAR
STATUS - VARCHAR
CODE - NUMBER
SERVICE - VARCHAR
SERVICE_VERSION - VARCHAR
EXTERNAL_ID - VARCHAR
DURATION_MILLIS - NUMBER
CXR_VERSION - VARCHAR
SOURCE_RUNTIME - VARCHAR
SOURCE_DETAIL - VARCHAR
APP_EVENT_PARENT_SCHEMA - VARCHAR
APP_EVENT_PARENT_ID - VARCHAR
APP_EVENT_SCHEMA - VARCHAR
APP_EVENT_ID - VARCHAR
CONTROL_ID - VARCHAR
CONTROL_SCHEMA - VARCHAR
TRIGGER_ID - VARCHAR
PROFILE_ID - VARCHAR
EVENT_SOURCE_ID - VARCHAR
ACTION_PARENT_PATH - VARCHAR
ACTION_PARENT_SCHEMA - VARCHAR
ACTION_PATH - VARCHAR
ACTION_SCHEMA - VARCHAR
CONNECTION_ID - VARCHAR
EVENT_SOURCE_NAME - VARCHAR
EVENT_SOURCE_PARENT_ID - VARCHAR
EVENT_HANDLER_ID - VARCHAR
EVENT_HANDLER_SCHEMA - VARCHAR
EVENT_SOURCE_INPUT - VARCHAR