App Events to Splunk
Data collected around App Events can be streamed from Airkit to the Splunk HTTP Event Collector (or HEC), allowing you to investigate the data in external analytics platforms.
Enterprise Feature
This feature requires an ENTERPRISE license. If you would like to enable this feature for your Airkit Organization, please contact your Airkit representative or contact [email protected].
Streaming App Events to Splunk
Here, we walk through how to set up a JSON Splunk HEC to collect and organize data on how users interact with your Airkit apps.
Prerequisites
- Splunk Cloud Platform or Splunk Enterprise
- A configured HTTP Event Collector with an accessible token and a publicly accessible endpoint.
Airkit only supports HTTPS transport against Splunk HEC endpoints that use a TLS certificate that is validated against a public Certificate Authority. Airkit does not support sending reporting events encrypted using a self-signed certificate or validated against a private Certificate Authority.
Configure the HEC in Airkit
The Airkit Splunk HEC integration will send JSON-formatted Event data to an active Splunk HEC endpoint. Airkit will send events to the `/services/collector/event` endpoint. It will also send any configured Event metadata. The token and channel identifier are sent as HTTP headers.
First, save the Token Value from Splunk's Data Input > HTTP Event Collector menu:
To set up the Splunk HEC in Airkit, go to the Airkit Console and visit Settings > Logs and App Notifiers. Click on the Create button next to Splunk App Event Logs:
Fill out the following fields:
- Name - the name of the Airkit-specific Splunk HEC
- Host - the host name of the Splunk HEC
- Port - the port of the Splunk HEC
- Token - the token of the Splunk HEC
- Source - the source value to assign to the Event data. This will define the metadata property `source`.
- Source Type - the source type to assign to the Event data. This will define the metadata property `sourcetype`. If the receiving Splunk HEC Data Input defines the source type, this value should be left empty.
- Index - the name of the index by which the Event data is to be indexed. This will define the metadata property `index`.
- Event Host - the host value to assign to the Event data. This will define the metadata property `host`.
- Channel Identifier - the channel identifier sent within the Event. This will be sent within the HTTP header `X-Splunk-Request-Channel`.
- Event Fields - a JSON object that contains a flat list of explicit custom fields to be defined at index time. This will be sent as the metadata property `fields`.
Note that the values given for these fields should match how the HEC is configured within Splunk:
Once you have defined your Splunk App Event Log, click the Save button on the bottom left. The HEC is now configured. Every few minutes, Airkit will send relevant Events from all of the Organization's applications to the `/services/collector/event` endpoint.
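One way to check these settings before saving them, as an added example that is not Airkit's or Splunk's own code: it builds the request shape this section describes (metadata envelope, token and channel headers, the `/services/collector/event` path) and sends it with certificate verification left on. The `Authorization: Splunk <token>` form is Splunk's standard HEC token header; the function names are hypothetical, and the host, port, token and channel values are constructed placeholders.

```python
import json
import ssl
import urllib.request

def build_envelope(event, source=None, sourcetype=None, index=None, host=None, fields=None):
    """Wrap one event in the HEC JSON envelope; unset metadata keys are omitted."""
    if fields is not None:
        # Event Fields must be a flat JSON object: reject nested objects as values.
        nested = [k for k, v in fields.items() if isinstance(v, dict)]
        if nested:
            raise ValueError(f"fields must be flat, nested keys: {nested}")
    meta = {"source": source, "sourcetype": sourcetype, "index": index,
            "host": host, "fields": fields}
    envelope = {k: v for k, v in meta.items() if v}  # an empty Source Type is left out
    envelope["event"] = event
    return envelope

def build_request(hec_host, port, token, channel, envelope):
    """Build (but do not send) the HTTPS POST for one event."""
    return urllib.request.Request(
        f"https://{hec_host}:{port}/services/collector/event",
        data=json.dumps(envelope).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Splunk {token}",
            "X-Splunk-Request-Channel": channel,
            "Content-Type": "application/json",
        },
    )

def send(request, timeout=10):
    """Send using the system trust store; a self-signed certificate raises an SSL error."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with urllib.request.urlopen(request, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read().decode("utf-8")

# Constructed sample values; replace them with your own HEC settings before calling send().
SAMPLE_EVENT = {"type": "click", "kind": "Session", "isProductionDeploy": False}
SAMPLE_REQUEST = build_request(
    "hec.example.com", 8088, "00000000-0000-0000-0000-000000000000",
    "11111111-1111-1111-1111-111111111111",
    build_envelope(SAMPLE_EVENT, source="my_app", sourcetype="", index="summary",
                   fields={"env": "test"}),
)
```

If `send(SAMPLE_REQUEST)` fails with a certificate verification error from a machine that has only public CAs in its trust store, the endpoint will not meet the TLS requirement listed under Prerequisites.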
Event Data Schema
The Splunk export sends Session Events to Splunk as a JSON payload. The following is an example structure of a JSON event Airkit might send:
```json
{
  "index": "summary",
  "sourcetype": "my_sample_data",
  "source": "my_app",
  "event": {
    "organizationId": "692f9bbd-105f-494d-86e3-62e7fe53cf31",
    "eventTime": "2022-03-04T16:44:25.322451Z",
    "eventId": "1Oih0noL7hD1AmU4gQ4Iw82j9fsJ",
    "appId": "0bd7f6f2-8b6b-43fc-84d2-186cb04406e8",
    "branchId": "2327dbd4-4272-4131-a010-03f72a989ff9",
    "savepointRevision": 3,
    "sessionId": "8439f7b1-d48c-4d66-8d4f-07bf7f059dba",
    "deployId": "c6abd7f1-8256-466d-9561-ada68bb7f58a",
    "type": "click",
    "details": {
      "actorName": "Actor",
      "deployUserId": "1533e663-6753-46b7-b050-79c614888bf6",
      "actorIdentityId": "cfef4563-c529-44ee-9851-fe6adecaaba2"
    },
    "metrics": [
      {
        "source": "DEFAULT",
        "id": "8a638998-3d43-4cb2-a141-d2feb7132fc1",
        "event": "/element/event2/button/on-click.json",
        "type": "COUNT",
        "value": 1
      }
    ],
    "activityId": "e78cf88a-b730-43bc-b2c3-6a9eaa46ca7b",
    "actorId": "d3725a33-09f9-4755-9cf1-55d64099da56",
    "activityGroupId": "44effb0d-2ded-417d-8bba-6c7f2ea75205",
    "client": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.109 Safari/537.36",
    "userAgent": {
      "OperatingSystemNameVersion": "Mac OS X ??",
      "OperatingSystemName": "Mac OS X",
      "AgentNameVersionMajor": "Chrome 98",
      "AgentVersion": "98.0.4758.109",
      "DeviceClass": "Desktop",
      "DeviceBrand": "Apple",
      "LayoutEngineVersion": "98.0",
      "LayoutEngineNameVersionMajor": "Blink 98",
      "AgentNameVersion": "Chrome 98.0.4758.109",
      "AgentVersionMajor": "98",
      "OperatingSystemClass": "Desktop",
      "AgentClass": "Browser",
      "LayoutEngineVersionMajor": "98",
      "OperatingSystemNameVersionMajor": "Mac OS X ??",
      "LayoutEngineClass": "Browser",
      "LayoutEngineNameVersion": "Blink 98.0",
      "AgentName": "Chrome",
      "LayoutEngineName": "Blink",
      "DeviceName": "Apple Macintosh"
    },
    "isDebug": false,
    "isFrozen": false,
    "isProductionDeploy": false,
    "sourceRuntime": "MANAGER",
    "sourceDetail": "INIT",
    "appEventSchema": "/element/event2/button/on-click.json",
    "appEventId": "8a638998-3d43-4cb2-a141-d2feb7132fc1",
    "controlId": "8afd8569-9126-431e-bccf-9d25f5f6a924",
    "controlSchema": "/element/control/button.json",
    "callStack": [
      {
        "$schema": "/element/control/button.json",
        "id": "8afd8569-9126-431e-bccf-9d25f5f6a924"
      },
      {
        "$schema": "/element/event2/button/on-click.json",
        "id": "8a638998-3d43-4cb2-a141-d2feb7132fc1"
      }
    ],
    "ipAddresses": [],
    "kind": "Session"
  }
}
```
The `event` field may contain the properties of a Session Event:
Property | Type |
---|---|
ORGANIZATION_ID | VARCHAR |
EVENT_YEAR | NUMBER |
EVENT_MONTH | DATE |
EVENT_DATE | DATE |
EVENT_TIME | TIMESTAMPNTZ |
EVENT_ID | VARCHAR |
APP_ID | VARCHAR |
BRANCH_ID | VARCHAR |
SESSION_ID | VARCHAR |
DEPLOY_ID | VARCHAR |
EVENT_TYPE | VARCHAR |
CUSTOM_METRICS | OBJECT |
DEFAULT_METRICS | OBJECT |
SAVEPOINT_REVISION | NUMBER |
CHANNEL_ID | VARCHAR |
CHANNEL_KEY | VARCHAR |
FLOW_ID | VARCHAR |
ACTIVITY_ID | VARCHAR |
ACTOR_ID | VARCHAR |
RESOURCE_ID | VARCHAR |
ACTIVITY_GROUP_ID | VARCHAR |
CLIENT | VARCHAR |
USER_AGENT | VARCHAR |
SCREEN_WIDTH | NUMBER |
SCREEN_HEIGHT | NUMBER |
HTTP_SOURCE | VARCHAR |
STATUS | VARCHAR |
CODE | NUMBER |
SERVICE | VARCHAR |
SERVICE_VERSION | VARCHAR |
EXTERNAL_ID | VARCHAR |
DURATION_MILLIS | NUMBER |
CXR_VERSION | VARCHAR |
SOURCE_RUNTIME | VARCHAR |
SOURCE_DETAIL | VARCHAR |
APP_EVENT_PARENT_SCHEMA | VARCHAR |
APP_EVENT_PARENT_ID | VARCHAR |
APP_EVENT_SCHEMA | VARCHAR |
APP_EVENT_ID | VARCHAR |
CONTROL_ID | VARCHAR |
CONTROL_SCHEMA | VARCHAR |
TRIGGER_ID | VARCHAR |
PROFILE_ID | VARCHAR |
EVENT_SOURCE_ID | VARCHAR |
ACTION_PARENT_PATH | VARCHAR |
ACTION_PARENT_SCHEMA | VARCHAR |
ACTION_PATH | VARCHAR |
ACTION_SCHEMA | VARCHAR |
CONNECTION_ID | VARCHAR |
EVENT_SOURCE_NAME | VARCHAR |
EVENT_SOURCE_PARENT_ID | VARCHAR |
EVENT_HANDLER_ID | VARCHAR |
EVENT_HANDLER_SCHEMA | VARCHAR |
EVENT_SOURCE_INPUT | VARCHAR |