Splunk extension overview
Splunk is an observability platform that provides search, analysis, and visualization for actionable insights on your data. The Splunk event forwarding extension leverages the Splunk HTTP Event Collector REST API to send events from the Adobe Experience Platform Edge Network to the Splunk HTTP Event Collector.
Splunk uses bearer tokens as the authentication mechanism to communicate with the Splunk Event Collector API.
Use cases
Marketing teams can use the extension for the following use cases:
Prerequisites
You must have a Splunk account to use this extension. You can register for a Splunk account on the Splunk homepage.
You must also have the following technical values to configure the extension:
- An Event Collector token. Tokens are typically in UUIDv4 format, like the following: 12345678-1234-1234-1234-1234567890AB.
- The Splunk platform instance address and port for your organization. A platform instance address and port will typically have the following format: mysplunkserver.example.com:443.

IMPORTANT: Splunk endpoints referenced within event forwarding should only use port 443. Non-standard ports are currently not supported in event forwarding implementations.
Install the Splunk extension
To install the Splunk Event Collector extension in the UI, navigate to Event Forwarding and select a property to add the extension to, or create a new property instead.
Once you have selected or created the desired property, navigate to Extensions > Catalog. Search for “Splunk”, and then select Install on the Splunk Extension.
Configure the Splunk extension
Select Extensions in the left navigation. Under Installed, select Configure on the Splunk extension.
For HTTP Event Collector URL, enter your Splunk platform instance address and port. Under Access Token, enter your Event Collector Token value. When finished, select Save.
Configure an event forwarding rule
Start creating a new event forwarding rule and configure its conditions as desired. When selecting the actions for the rule, select the Splunk extension, then select the Create Event action type. Additional controls appear to further configure the Splunk event.
The next step is to map the Splunk event properties to data elements that you have previously created. The optional mappings that can be set up, based on the input event data, are given below. Refer to the Splunk documentation for further details.
(REQUIRED) event key within the JSON object in the HTTP request, or it can be raw text. The event key is at the same level within the JSON event packet as the metadata keys. Within the event key-value curly brackets, the data can be in any form you require (such as a string, a number, another JSON object, and so on).
<sec>.<ms>) and depends on your local timezone. For example, 1433188255.500 indicates 1433188255 seconds and 500 milliseconds after epoch, or Monday, June 1, 2015, at 7:50:55 PM GMT.
fields key isn’t applicable to raw data. Requests containing the fields property must be sent to the /collector/event endpoint, or else they will not be indexed. For more information, see the Splunk documentation on indexed field extractions.
Validate data within Splunk
After creating and executing the event forwarding rule, validate whether the event sent to the Splunk API is displayed as expected in the Splunk UI. If the event collection and Experience Platform integration were successful, you will see the events within the Splunk console.
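A pre-flight check for the constraints this page states (UUID-format token, port 443 only, the fields key only on /collector/event), written as an added Python example that is not Adobe's or Splunk's code. The function names are hypothetical, and the full /services/collector/... paths are an assumption taken from Splunk's HEC conventions rather than from this page.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# UUID shape of the page's sample token (shape only; the version nibble is not checked).
TOKEN_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
# Assumption: Splunk's full HEC paths; the page names only /collector/event.
EVENT_PATH, RAW_PATH = "/services/collector/event", "/services/collector/raw"


def check_config(address, token):
    """Return problems with the two extension settings; never echoes the token."""
    problems = []
    url = urlsplit(address if "://" in address else "https://" + address)
    try:
        port = url.port
    except ValueError:  # non-numeric or out-of-range port
        port = -1
    if url.scheme != "https":
        problems.append("scheme must be https")
    if not url.hostname:
        problems.append("missing host")
    if port not in (None, 443):
        problems.append("event forwarding supports port 443 only")
    if not TOKEN_RE.match(token):
        problems.append("token is not UUID-shaped")
    return problems


def build_request(event, time=None, fields=None, raw=False):
    """Return (path, body) for one event, enforcing the page's rules on fields."""
    if event in (None, ""):
        raise ValueError("event is required")
    if raw:
        if fields is not None:
            raise ValueError("fields is not applicable to raw data")
        return RAW_PATH, str(event)
    body = {"event": event}  # string, number or nested JSON object
    if time is not None:
        body["time"] = round(float(time), 3)  # epoch <sec>.<ms>
    if fields is not None:
        body["fields"] = dict(fields)  # metadata key, same level as "event"
    return EVENT_PATH, json.dumps(body, sort_keys=True)


def epoch_to_utc(ts):
    """Render an HEC time value as UTC, for comparison with the Splunk console."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(timespec="milliseconds")
```

Problem messages deliberately leave out the token value, so the output of check_config can go into build logs or tickets without exposing the credential.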
Next steps
This document covered how to install and configure the Splunk event forwarding extension in the UI. For more information on collecting event data in Splunk, refer to the official documentation: