When integrating a new application with your BetterCloud instance, the overall installation process is consistent. However, each integration is different, and may require varying levels and types of authentication. This article provides instructions for configuring and collecting all the information you need in order to add the Splunk integration in BetterCloud.
BetterCloud integrates with Splunk’s HTTP Event Collector in order to send information from your BetterCloud instance to your Splunk account. When adding this integration you must enter the following information:
- API Token
- HECURI (base URL)
*Please Note: This integration will only function for domains using Splunk Cloud. We cannot currently integrate with on-prem Splunk instances.
Creating a valid API token will first require you to configure Splunk’s HTTP Event Collector. To start, login to Splunk and navigate to “Settings” > “Data inputs” from the top right corner of your page.
Select “HTTP Event Collector.”
If you have not yet enable the event collector, you will need to do so under the “Global Settings” option.
Enable all tokens.
Once the event collector has been enabled, you will need a token to authorize BetterCloud to interact with it. Click “New Token” to create a token.
Name your token. All other fields aside from name are optional.
In the token’s input settings, select “_json” as your source type, as BetterCloud will send information to Splunk in JSON.
Review your information and click “Submit.”
Once the token has been successfully created, you will be presented with the token value. Copy this value into the API key field.
You can also retrieve this value from the HTTP Event Collector configuration page at any time.
In order to finalize your configuration, you must add the base URL for your Splunk instance as an additional header. Part of this URL can be found in the highlighted portion of your URL after you login to Splunk.
After noting that URL, you must add the following string at the beginning of the URL: “https://hec.”, and the following string at the end: “/services/collector/event”. In the example above, the final URL will be https://hec.demobettercloud.com:8000/services/collector/event.
Once you have successfully added the integration, you can update your API token from the integration’s basic information. Your base URL will be added as an encrypted environment variable.
Configure what events gets sent to Splunk
Once you've entered the variables above and clicked "Save", you will need need to configure the Integration's "Send Data to Splunk Cloud" Action to tell BetterCloud which logs to send to Splunk.
To configure this Action, navigate to the "Extensions" tab inside your new Splunk Integration and select the "Send Data to Splunk Cloud" Action:
Inside that Action, select the Push Events you want to be sent to Splunk. Then under "Test your Push Event", select an event type and click "Run Test" to confirm BetterCloud can successfully push an event to Splunk:
If your test was successful, you will be able to "Save" the configuration!