Events to Splunk

This Support Application feature enables sending event data directly from the device to Splunk.

Overview

Support Application collects and sends information to the BlueFletch Portal to help organizations leverage mobile business intelligence for informed, data-driven decision-making. However, some organizations may have specific data collection and management requirements, such as GDPR compliance for EU customers. In such cases, organizations may choose to use third-party tools like Splunk for data collection and management, which can be more scalable and offer additional features.

To facilitate integration with Splunk, the Events to Splunk feature provides a method of sending events directly from the device to the desired Splunk instance via the HTTP Event Collector (HEC) endpoint. This allows organizations to analyze device data using their preferred tools and services while maintaining compliance with GDPR regulations.

User Guide

  1. To enable the Events to Splunk feature, configure the following basic values:

  • ignoreSSLCerts: Set to true to bypass SSL certificate issues with Splunk

  • splunkUrl: The Splunk host and port to send event data to

  • splunkAuthToken: HEC authorization token

  • splunkApiPath: Collector path, typically services/collector/raw

  2. Once the feature is enabled, the Support Application will start sending event data to Splunk. The event data will be stored in Splunk in a format that can be easily analyzed.

Feature Configuration

To set up Events to Splunk for a particular device profile or device group, please follow the steps below:

Bypassing SSL Certificate Issues

To enable the Events to Splunk feature, add an ignoreSSLCerts configuration section in the Support Application JSON file. Setting the value to true will bypass any SSL certificate issues when sending events to Splunk:

{
    ...
    "emsSupportTool": {
        ...
        "ignoreSSLCerts": true
    }
    ...
}

Setting Up the Event Data Location

To configure the exact location that event data should be sent to, specify the host and port of the Splunk instance as shown below:

{
    ...
    "emsSupportTool": {
        ...
        "splunkUrl": "https://input-prd-p-xq37wf7l8c7l.cloud.splunk.com:8088"
    }
    ...
}

Setting Up the HEC Authorization Token

To enable sending event data to Splunk using the HEC endpoint, define the authorization token. Use the example configuration below as a guide:

{
    ...
    "emsSupportTool": {
        ...
        "splunkAuthToken": "adkkdkd-043c-4936-8f1b-1askldsakl"
    }
    ...
}

Configuring the API Path

To send events to the defined HEC endpoint, enter the API path that Support Application has to use:

{
    ...
    "emsSupportTool": {
        ...
        "splunkApiPath": "services/collector/raw"
    }
    ...
}

Putting It All Together

For the example described above, the full configuration for Events to Splunk is as follows:

{
    ...
    "emsSupportTool": {
        ...
        "ignoreSSLCerts": true,
        "splunkUrl": "https://input-prd-p-xq37wf7l8c7l.cloud.splunk.com:8088",
        "splunkAuthToken": "adkkdkd-043c-4936-8f1b-1askldsakl",
        "splunkApiPath": "services/collector/raw"
    }
    ...
}
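
A pre-deployment check for the four Splunk keys, as an added example (not BlueFletch code). The function names are hypothetical, and the way splunkUrl and splunkApiPath are joined into one endpoint is an assumption. It reports invalid JSON, missing values, a non-HTTPS URL, and ignoreSSLCerts left at true:

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the page's example values, without the "..." elisions.
SAMPLE_CONFIG = """
{
    "emsSupportTool": {
        "ignoreSSLCerts": true,
        "splunkUrl": "https://input-prd-p-xq37wf7l8c7l.cloud.splunk.com:8088",
        "splunkAuthToken": "adkkdkd-043c-4936-8f1b-1askldsakl",
        "splunkApiPath": "services/collector/raw"
    }
}
"""

REQUIRED = ("splunkUrl", "splunkAuthToken", "splunkApiPath")


def hec_endpoint(section):
    """Join host/port and collector path (assumed to be how the values combine)."""
    return section["splunkUrl"].rstrip("/") + "/" + section["splunkApiPath"].lstrip("/")


def check_splunk_config(text):
    """Return (endpoint or None, findings) for the emsSupportTool Splunk keys."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. a trailing comma after the last key
        return None, [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    section = doc.get("emsSupportTool") if isinstance(doc, dict) else None
    if not isinstance(section, dict):
        return None, ["no emsSupportTool section"]
    findings = [f"missing or empty: {key}" for key in REQUIRED
                if not (isinstance(section.get(key), str) and section[key])]
    if findings:
        return None, findings
    if urlsplit(section["splunkUrl"]).scheme != "https":
        findings.append("splunkUrl is not https: the HEC token is sent in cleartext")
    if section.get("ignoreSSLCerts") is True:
        findings.append("ignoreSSLCerts is true: certificate errors are bypassed, "
                        "so the token can reach an unverified host")
    return hec_endpoint(section), findings


if __name__ == "__main__":
    endpoint, findings = check_splunk_config(SAMPLE_CONFIG)
    print(endpoint)
    for finding in findings:
        print("-", finding)
```

Run against the sample, the check returns the composed endpoint and a single finding for ignoreSSLCerts. The same file with the value set to false returns no findings.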

Events to Splunk was introduced in Support Application 5.4.4.
