# Events to Splunk

## Overview

The Support Application collects and sends information to the BlueFletch Portal to help organizations leverage mobile business intelligence for informed, data-driven decision-making. However, some organizations may have specific data collection and management requirements, such as GDPR compliance for EU customers. In such cases, organizations may choose to use third-party tools like Splunk for data collection and management, which can be more scalable and offer additional features.

To facilitate integration with Splunk, the Events to Splunk feature provides a method of sending events directly from the device to the desired Splunk instance via the HTTP Event Collector (HEC) endpoint. This allows organizations to analyze device data using their preferred tools and services while maintaining compliance with GDPR regulations.

## User Guide

1. To enable the Events to Splunk feature, you need to configure the following basic values:

* ignoreSSLCerts: Set to true to bypass SSL certificate issues with Splunk
* splunkUrl: Splunk host and port to send event data to
* splunkAuthToken: HEC authorization token
* splunkApiPath: Collector path, typically services/collector/raw
* splunkApiLogPath: Collector path for device log submission
* splunkLogAuth: Authorization token for application log submission

2. Once the feature is enabled, the Support Application will start sending event data to Splunk. The event data will be stored in Splunk in a format that can be easily analyzed.

## Feature Configuration

To set up Events to Splunk for a particular device profile or device group, please follow the steps below:

### Bypassing SSL Certificate Issues

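To enable the Events to Splunk feature, add an ignoreSSLCerts configuration section in the Support Application JSON file. Setting the value to true will bypass any SSL certificate issues when sending events to Splunk. Because the bypass also accepts certificates the device cannot verify, use it only where the Splunk endpoint cannot present a trusted certificate: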

```json
{
      ...
    "emsSupportTool" : {
        ...
        "ignoreSSLCerts": true
    }
     ...
}
```

### Setting Up the Event Data Location

To configure the exact location event data should be sent to, specify the Splunk host and port as shown below:

```json
{
      ...
    "emsSupportTool" : {
        ...
        "splunkUrl": "https://input-prd-p-xq37wf7l8c7l.cloud.splunk.com:8088"
    }
     ...
}
```

### Setting Up the HEC Authorization Token

To enable sending event data to Splunk using the HEC endpoint, define the authorization token. Use the example configuration below as a guide:

```json
{
      ...
    "emsSupportTool" : {
        ...
        "splunkAuthToken": "adkkdkd-043c-4936-8f1b-1askldsakl"
    }
     ...
}
```

### Configuring the API Path

To send events to the defined HEC endpoint, enter the API path that the Support Application has to use:

```json
{
      ...
    "emsSupportTool" : {
        ...
        "splunkApiPath" : "services/collector/raw"
    }
     ...
}
```

### Configuring the API Log Path and Log Authorization

To enable sending log files to Splunk, define the values of the API log path and log auth. Use the example configuration below as a guide:

```json
{
      ...
    "emsSupportTool" : {
        ...
        "splunkApiLogPath" : "splunkTestService/collector/raw",
        "splunkLogAuth" : "2E9D939B-F63E-41E4-8E5E-60AEF8B361A0"
    }
     ...
}
```

### Putting It All Together

For the example described above, the full configuration for Events to Splunk is as follows:

```json
{
      ...
    "emsSupportTool" : {
        ...
        "ignoreSSLCerts": true,
        "splunkUrl": "https://input-prd-p-xq37wf7l8c7l.cloud.splunk.com:8088",
        "splunkAuthToken": "adkkdkd-043c-4936-8f1b-1askldsakl",
        "splunkApiPath" : "services/collector/raw",
        "splunkApiLogPath" : "splunkTestService/collector/raw",
        "splunkLogAuth" : "2E9D939B-F63E-41E4-8E5E-60AEF8B361A0"
    }
     ...
}
```
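A pre-deployment check for the Splunk keys described above, as an added example that is not BlueFletch code. The rules are this example's own policy, and the host name and function name are assumptions chosen for illustration.

```python
import json
from urllib.parse import urlsplit

# Sample tokens printed on this documentation page; they must never be deployed.
DOC_SAMPLE_TOKENS = {"adkkdkd-043c-4936-8f1b-1askldsakl",
                     "2E9D939B-F63E-41E4-8E5E-60AEF8B361A0"}

def audit_splunk_config(text: str) -> list[str]:
    """Return findings for the emsSupportTool Splunk keys (hypothetical policy)."""
    tool = json.loads(text).get("emsSupportTool", {})
    findings = []
    for key in ("splunkUrl", "splunkAuthToken", "splunkApiPath"):
        if not str(tool.get(key, "")).strip():
            findings.append(f"{key}: missing or empty")
    # With certificate issues bypassed, the device cannot authenticate the endpoint.
    if tool.get("ignoreSSLCerts") is True:
        findings.append("ignoreSSLCerts: true accepts untrusted certificates")
    url = str(tool.get("splunkUrl", ""))
    if url:
        parts = urlsplit(url)
        # The HEC token travels in a request header, so plain http exposes it.
        if parts.scheme != "https" or not parts.hostname:
            findings.append("splunkUrl: expected https://host:port")
    # Log submission needs both its path and its token.
    if bool(tool.get("splunkApiLogPath")) != bool(tool.get("splunkLogAuth")):
        findings.append("splunkApiLogPath/splunkLogAuth: set both or neither")
    for key in ("splunkAuthToken", "splunkLogAuth"):
        if tool.get(key) in DOC_SAMPLE_TOKENS:
            findings.append(f"{key}: documentation sample value in use")
    return findings

# Constructed sample: plain http, bypass enabled, a sample token, no log token.
SAMPLE = json.dumps({"emsSupportTool": {
    "ignoreSSLCerts": True,
    "splunkUrl": "http://splunk.example.com:8088",
    "splunkAuthToken": "adkkdkd-043c-4936-8f1b-1askldsakl",
    "splunkApiPath": "services/collector/raw",
    "splunkApiLogPath": "services/collector/raw",
}})

if __name__ == "__main__":
    for finding in audit_splunk_config(SAMPLE):
        print("FINDING:", finding)
```
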

{% hint style="info" %}
Events to Splunk was introduced in Support Application 5.4.4.
{% endhint %}

