AppNeta Observer and Splunk Integration


Article ID: 263972


Updated On:




How do we integrate AppNeta's observer feature with Splunk?  We'd like to integrate the two.


Splunk Setup

Determine the following:

  1. The URL for the specific Splunk server HEC raw events. It will be in the form

  2. Under Settings > Data Input, select + Add New HTTP Event Collector

  3. Assign a new name, fill in any optional values, and select Next

  4. Set the source type: choose Select > Structured > _json (you might need to type it to get it to appear), pick the appropriate indexes, and then select Review

  5. Review your selections and select Submit
  6. Save the token value presented next for use later. (It can also be found later in the HTTP Event Collector section)

Note: Extensive testing of the above setup wasn’t completed. It’s possible that other setups and configurations also work.

Generate a unique UUID

  1. Create a version 4 UUID and save the results for later

Configure the AppNeta Observer API setup

Using the values generated before, set up the Observer API with the appropriate event configuration. Note the keyword “Splunk” added to the Authorization value.

        {
            "name": "Splunk customer raw feed",
            "url": "",
            "testEvents": false,
            "seqEvents": false,
            "sqaEvents": true,
            "webAlertEvents": true,
            "networkChangeEvents": false,
            "headers": [
                {
                    "name": "Authorization",
                    "value": "Splunk 86bfba07-XXXX-XXXX-XXXX-XXX67951a6fb"
                },
                {
                    "name": "X-Splunk-Request-Channel",
                    "value": "aaf27xxx-xc67-4ex-xxxx-xxxxd5587aee"
                }
            ],
            "blacklisted": false
        }


Splunk is able to parse the JSON, even as raw data, and provide meaningful results.
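
An added example (not AppNeta's or Splunk's own code) that builds the configuration above in Python: it creates the version 4 UUID for X-Splunk-Request-Channel, prefixes the token with the “Splunk” keyword, and masks the token before the configuration is logged. The function names, the https-only check, the assumption that the token has the GUID form shown above, and the sample URL and token are assumptions made for this example.

```python
import json
import uuid
from urllib.parse import urlparse


def build_observer_config(hec_url, hec_token, channel=None):
    """Build the Observer configuration for a Splunk HEC raw feed."""
    # The token travels in the Authorization header, so require TLS.
    parsed = urlparse(hec_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("HEC URL must be an absolute https:// URL")
    # Assumption: the token is a GUID, as in the page's sample; parsing it
    # catches truncated or mis-pasted values before they are submitted.
    token = str(uuid.UUID(hec_token.strip()))
    # Create a version 4 UUID for the request channel unless one is supplied.
    chan = uuid.UUID(channel) if channel else uuid.uuid4()
    if chan.version != 4:
        raise ValueError("request channel must be a version 4 UUID")
    return {
        "name": "Splunk customer raw feed",
        "url": hec_url,
        "testEvents": False,
        "seqEvents": False,
        "sqaEvents": True,
        "webAlertEvents": True,
        "networkChangeEvents": False,
        "headers": [
            {"name": "Authorization", "value": "Splunk " + token},
            {"name": "X-Splunk-Request-Channel", "value": str(chan)},
        ],
        "blacklisted": False,
    }


def redact(config):
    """Return a copy that is safe to log: the HEC token is masked."""
    safe = json.loads(json.dumps(config))  # deep copy of plain JSON data
    for header in safe["headers"]:
        if header["name"].lower() == "authorization":
            header["value"] = "Splunk ****" + header["value"][-4:]
    return safe


if __name__ == "__main__":
    # Constructed placeholder URL and token, not real values.
    cfg = build_observer_config(
        "https://splunk.example.invalid:8088/HEC-RAW-ENDPOINT",
        "12345678-1234-4234-8234-123456789abc")
    print(json.dumps(redact(cfg), indent=4))
```

Print or log only the output of `redact()`; the unredacted configuration contains the HEC token and should go only to the Observer API.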



Additional Information

AppNeta Event Integration: