Splunk Setup

Determine the following:

1. The URL for the specific Splunk server HEC raw events. It will be in the form

   https://<Your Splunk Server .server.com> :8088/services/collector/raw

2. Under Settings > Data Input, select + Add New HTTP Event Collector

3. Assign a new name, fill in any optional value, and select next
   
   
   
   

4. Set up source type, Select > Structured > _json (you might need to type it to get it to appear) and appropriate indexes, and then select Review
   
   
   
   
5. Review your selections and select Submit
6. Save the token value presented next for use later. (It can also be found later in the HTTP Event Collector section)
   
   

Note: Extensive testing of the above setup wasn’t completed. It’s possible that other setups and configurations also work.

Generate a unique UUID

1. Create a version 4 UUID and save the results for later
   
   
   

   Configure the AppNeta Observer API setup.

   Using the values generated before, set up the Observer API, with the appropriate event configuration. Note the keyword “Splunk” added to the Authorization value.

   [
     {
       "name": "Splunk customer raw feed",
       "url": "http://<Your splunk.server.com >:8088/services/collector/raw",
       "testEvents": false,
       "seqEvents": false,
       "sqaEvents": true,
       "webAlertEvents": true,
       "networkChangeEvents": false,
       "headers": [
         {
           "name": "Authorization",
           "value": "Splunk 86bfba07-XXXX-XXXX-XXXX-XXX67951a6fb"
         },
         {
           "name": "X-Splunk-Request-Channel",
           "value": "aaf27xxx-xc67-4ex-xxxx-xxxxd5587aee"
         }
       ],
       "blacklisted": false
     }
   ]

Results

Splunk is able to parse the JSON, even as raw data, and provide meaningful results.