Control Panel > Integrations > Splunk

Splunk Enterprise is the leading platform for real-time operational intelligence. It's the easy, fast and secure way to search, analyze and visualize the massive streams of machine data generated by your IT systems and technology infrastructure—physical, virtual and in the cloud.

  • The Evident.io Splunk Application can be downloaded here.
  • Splunk documentation may be found here.

To set up your Splunk integration:

  1. Install and configure the Splunk App for Evident.io from Splunkbase:
    1. Log into Splunk Web and navigate to Apps > Manage Apps.
    2. Click “Install App from File.”
    3. Click “Choose file,” select the app file you downloaded, and then click Upload.
    4. Restart Splunk Web (Settings > Server Controls > Restart Splunk).
    5. A new Evident.io application will be listed in the Splunk Console.
    6. Add a Field Alias (Settings > Fields > Field Aliases) with the following parameters:
      1. Destination app = splunk_app_evidentio
      2. Apply to, sourcetype = aws-evidentio
      3. Field alias, "Records{}.Sns.Message" to "Message"
    7. Update the Splunk Evident.io App:
      1. Go to the Splunk Evident.io App.
      2. Click Edit.
      3. Click Source.
      4. Copy and paste the following into the editor and save:

        ```
        function test() {
          console.log("notice the blank line before this function?");
        }
        ```

  2. Create an HTTP Event Collector (HEC) token.
    1. From the Settings menu, select Add Data.
    2. Select Monitor, and then in the left pane, select HTTP Event Collector. The right pane populates with fields for the HEC endpoint.
    3. In the Name field, enter a name for the token that describes its purpose and that you will remember.
    4. Click Next. The Input Settings page displays.
    5. For Source Type, choose "Select" and enter "aws-evidentio".
    6. For Index, choose "main".
    7. Click Review. Confirm that all settings for the endpoint are what you want. If you need to change settings, click the gray < button at the top of the page.
    8. If all settings are what you want, click Next. The success page loads and displays the token value that Event Collector generated. You can copy this token value from the displayed field and paste it into another document for reference later. See "About Event Collector tokens."
  3. Create the AWS Lambda Function.
    1. Log into your AWS Console and navigate to the Lambda Function service.
    2. Click Create a Lambda Function.
    3. In the Filter box, type "splunk-logging" and click the result.
    4. Give your Lambda function a name; "GetDataFromEvidentio" is suggested.
    5. Encrypt your Splunk HEC token using the AWS CLI tools and the KMS key generated per the video reference link in #3 (aws kms encrypt).
    6. By default, the function generates 5 Splunk events per invocation. Modify the function to fit your needs.
  4. Configure the Evident SNS Integration.
    1. Create a topic in the AWS Management Console per the instructions in the integration reference.
    2. Create a cross-account policy that allows ESP to publish SNS notifications to that topic per reference.
  5. Go to your AWS SNS topics and subscribe your Lambda function to the topic collecting data from Evident.io.
    Note: If this is a new SNS topic, you may wish to subscribe an email address to it first to make sure the path from ESP to the SNS topic is working correctly before adding the Lambda function.