App Events to Splunk

Data collected around App Events can be streamed from Airkit to the Splunk HTTP Event Collector (HEC), allowing you to investigate the data in external analytics platforms.

📘

Business and Enterprise Feature

This feature requires either an ENTERPRISE or BUSINESS license. If you would like to enable either feature for your Airkit Organization, please contact your Airkit representative or contact [email protected].

Streaming App Events to Splunk

Here, we walk through how to set up a JSON Splunk HEC to collect and organize data on how users interact with your Airkit apps.

Prerequisites

📘

Airkit only supports HTTPS transport against Splunk HEC endpoints that use a TLS certificate that is validated against a public Certificate Authority. Airkit does not support sending reporting events encrypted using a self-signed certificate or validated against a private Certificate Authority.

Configure the HEC in Airkit

The Airkit Splunk HEC integration will send JSON-formatted Event data to an active Splunk HEC endpoint. Airkit will send events to the /services/collector/event endpoint. It will also send any configured Event metadata. The token and channel identifier are sent as HTTP headers.

First, save the Token Value from Splunk’s Data Input > HTTP Event Collector menu.

To set up the Splunk HEC in Airkit, go to the Airkit Console and visit Settings > Logs and App Notifiers. Click on the Create button next to Splunk App Event Logs.

Fill out the following fields:

  • Name - the name of the Airkit-specific Splunk HEC
  • Host - the host name of the Splunk HEC
  • Port - the port of the Splunk HEC
  • Token - the token of the Splunk HEC
  • Source - the source value to assign to the Event data. This will define the metadata property source.
  • Source Type - the source type to assign to the Event data. This will define the metadata property sourcetype. If the receiving Splunk HEC Data Input defines the source type, this value should be left empty.
  • Index - the name of the index by which the Event data is to be indexed. This will define the metadata property index.
  • Event Host - the host value to assign to the Event data. This will define the metadata property host.
  • Channel Identifier - the channel identifier sent with the Event. This will be sent within the HTTP header X-Splunk-Request-Channel.
  • Event Fields - a JSON object that contains a flat list of explicit custom fields to be defined at index time. This will be sent as the metadata property fields.

Note that the values given for these fields should match how the HEC is configured within Splunk.

Once you have defined your Splunk App Event Log, click the Save button on the bottom left. The HEC is now configured. Every few minutes, Airkit will send relevant Events from all of the Organization's applications to the /services/collector/event endpoint.
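Before saving these values in Airkit, it helps to confirm that the HEC accepts them over a publicly trusted TLS connection. The following pre-flight check is an added example, not Airkit's or Splunk's code: it builds the same kind of request described above (token and channel as headers, metadata properties in the JSON envelope) and sends one test event with certificate verification left on. The dictionary key names, the sample host and the placeholder token and channel are assumptions, and the system trust store stands in for "public Certificate Authority".

```python
import json
import ssl
import urllib.request

# Airkit form field (hypothetical dict key) -> HEC metadata property
METADATA_KEYS = {"source": "source", "source_type": "sourcetype",
                 "index": "index", "event_host": "host"}


def build_hec_request(cfg, event):
    """Return (url, headers, body) for one event, using the field mapping above."""
    fields = cfg.get("event_fields") or {}
    if not isinstance(fields, dict) or any(isinstance(v, dict) for v in fields.values()):
        raise ValueError("Event Fields must be a flat JSON object (no nested objects)")
    envelope = {"event": event}
    for cfg_key, hec_key in METADATA_KEYS.items():
        if cfg.get(cfg_key):  # an empty Source Type is omitted so the Data Input decides
            envelope[hec_key] = cfg[cfg_key]
    if fields:
        envelope["fields"] = fields
    headers = {"Authorization": "Splunk " + cfg["token"],
               "Content-Type": "application/json"}
    if cfg.get("channel"):
        headers["X-Splunk-Request-Channel"] = cfg["channel"]
    url = "https://{}:{}/services/collector/event".format(cfg["host"], cfg["port"])
    return url, headers, json.dumps(envelope).encode("utf-8")


def send_test_event(cfg, event, timeout=10):
    """POST one event with certificate and hostname verification left on."""
    url, headers, body = build_hec_request(cfg, event)
    # The default context checks the chain against the system trust store, so a
    # self-signed or private-CA certificate fails here (raised as URLError).
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())


# Constructed sample values; replace with the real HEC settings before running.
SAMPLE_CFG = {"host": "hec.example.com", "port": 8088, "token": "<HEC-TOKEN-PLACEHOLDER>",
              "source": "my_app", "source_type": "", "index": "summary",
              "event_host": "airkit", "channel": "<CHANNEL-GUID-PLACEHOLDER>",
              "event_fields": {"env": "staging"}}

if __name__ == "__main__":
    print(send_test_event(SAMPLE_CFG, {"type": "preflight", "kind": "Session"}))
```

A certificate verification failure from this check means the endpoint falls under the unsupported cases listed in the prerequisites.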

Event Data Schema

The Splunk export sends Session Events to Splunk as a JSON payload. The following is an example structure of a JSON event Airkit might send:

{
    "index": "summary",
    "sourcetype": "my_sample_data",
    "source": "my_app",
    "event": {
        "organizationId": "692f9bbd-105f-494d-86e3-62e7fe53cf31",
        "eventTime": "2022-03-04T16:44:25.322451Z",
        "eventId": "1Oih0noL7hD1AmU4gQ4Iw82j9fsJ",
        "appId": "0bd7f6f2-8b6b-43fc-84d2-186cb04406e8",
        "branchId": "2327dbd4-4272-4131-a010-03f72a989ff9",
        "savepointRevision": 3,
        "sessionId": "8439f7b1-d48c-4d66-8d4f-07bf7f059dba",
        "deployId": "c6abd7f1-8256-466d-9561-ada68bb7f58a",
        "type": "click",
        "details": {
            "actorName": "Actor",
            "deployUserId": "1533e663-6753-46b7-b050-79c614888bf6",
            "actorIdentityId": "cfef4563-c529-44ee-9851-fe6adecaaba2"
        },
        "metrics": [
            {
                "source": "DEFAULT",
                "id": "8a638998-3d43-4cb2-a141-d2feb7132fc1",
                "event": "/element/event2/button/on-click.json",
                "type": "COUNT",
                "value": 1
            }
        ],
        "activityId": "e78cf88a-b730-43bc-b2c3-6a9eaa46ca7b",
        "actorId": "d3725a33-09f9-4755-9cf1-55d64099da56",
        "activityGroupId": "44effb0d-2ded-417d-8bba-6c7f2ea75205",
        "client": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36",
        "userAgent": {
            "OperatingSystemNameVersion": "Mac OS X ??",
            "OperatingSystemName": "Mac OS X",
            "AgentNameVersionMajor": "Chrome 98",
            "AgentVersion": "98.0.4758.109",
            "DeviceClass": "Desktop",
            "DeviceBrand": "Apple",
            "LayoutEngineVersion": "98.0",
            "LayoutEngineNameVersionMajor": "Blink 98",
            "AgentNameVersion": "Chrome 98.0.4758.109",
            "AgentVersionMajor": "98",
            "OperatingSystemClass": "Desktop",
            "AgentClass": "Browser",
            "LayoutEngineVersionMajor": "98",
            "OperatingSystemNameVersionMajor": "Mac OS X ??",
            "LayoutEngineClass": "Browser",
            "LayoutEngineNameVersion": "Blink 98.0",
            "AgentName": "Chrome",
            "LayoutEngineName": "Blink",
            "DeviceName": "Apple Macintosh"
        },
        "isDebug": false,
        "isFrozen": false,
        "isProductionDeploy": false,
        "sourceRuntime": "MANAGER",
        "sourceDetail": "INIT",
        "appEventSchema": "/element/event2/button/on-click.json",
        "appEventId": "8a638998-3d43-4cb2-a141-d2feb7132fc1",
        "controlId": "8afd8569-9126-431e-bccf-9d25f5f6a924",
        "controlSchema": "/element/control/button.json",
        "callStack": [
            {
                "$schema": "/element/control/button.json",
                "id": "8afd8569-9126-431e-bccf-9d25f5f6a924"
            },
            {
                "$schema": "/element/event2/button/on-click.json",
                "id": "8a638998-3d43-4cb2-a141-d2feb7132fc1"
            }
        ],
        "ipAddresses": [],
        "kind": "Session"
    }
}

The event field may contain the properties of a Session Event:

Property                   Type
ORGANIZATION_ID            VARCHAR
EVENT_YEAR                 NUMBER
EVENT_MONTH                DATE
EVENT_DATE                 DATE
EVENT_TIME                 TIMESTAMPNTZ
EVENT_ID                   VARCHAR
APP_ID                     VARCHAR
BRANCH_ID                  VARCHAR
SESSION_ID                 VARCHAR
DEPLOY_ID                  VARCHAR
EVENT_TYPE                 VARCHAR
CUSTOM_METRICS             OBJECT
DEFAULT_METRICS            OBJECT
SAVEPOINT_REVISION         NUMBER
CHANNEL_ID                 VARCHAR
CHANNEL_KEY                VARCHAR
FLOW_ID                    VARCHAR
ACTIVITY_ID                VARCHAR
ACTOR_ID                   VARCHAR
RESOURCE_ID                VARCHAR
ACTIVITY_GROUP_ID          VARCHAR
CLIENT                     VARCHAR
USER_AGENT                 VARCHAR
SCREEN_WIDTH               NUMBER
SCREEN_HEIGHT              NUMBER
HTTP_SOURCE                VARCHAR
STATUS                     VARCHAR
CODE                       NUMBER
SERVICE                    VARCHAR
SERVICE_VERSION            VARCHAR
EXTERNAL_ID                VARCHAR
DURATION_MILLIS            NUMBER
CXR_VERSION                VARCHAR
SOURCE_RUNTIME             VARCHAR
SOURCE_DETAIL              VARCHAR
APP_EVENT_PARENT_SCHEMA    VARCHAR
APP_EVENT_PARENT_ID        VARCHAR
APP_EVENT_SCHEMA           VARCHAR
APP_EVENT_ID               VARCHAR
CONTROL_ID                 VARCHAR
CONTROL_SCHEMA             VARCHAR
TRIGGER_ID                 VARCHAR
PROFILE_ID                 VARCHAR
EVENT_SOURCE_ID            VARCHAR
ACTION_PARENT_PATH         VARCHAR
ACTION_PARENT_SCHEMA       VARCHAR
ACTION_PATH                VARCHAR
ACTION_SCHEMA              VARCHAR
CONNECTION_ID              VARCHAR
EVENT_SOURCE_NAME          VARCHAR
EVENT_SOURCE_PARENT_ID     VARCHAR
EVENT_HANDLER_ID           VARCHAR
EVENT_HANDLER_SCHEMA       VARCHAR
EVENT_SOURCE_INPUT         VARCHAR