Product DocumentationVersion 9.1+ Documentation
HYPR User GuidePostman APILegacy WFALegacy SDK

Event Hook: Splunk

HYPR Control Center Standard: Integrations

Adding Splunk event hooks allows HYPR-enabled sites to gather and interpret HYPR Events using their own Splunk installation, rather than using HYPR's. By adding an HTTP Event Collector in Splunk and using its API key to enable HYPR CC's connection, you are able to tailor the output to best suit your needs.

HYPR Events are grouped using the eventTags parameter (AUTHENTICATION, REGISTRATION, ACCESS TOKEN, etc.). Custom Event Hooks can also be created for more specific data.

What You'll Need

  • An administrator account for Splunk
  • An administrator account for Control Center
  • If it is not already enabled, contact HYPR Support to enable Splunk Event Hooks for the RP application that you wish to monitor

Setting Up Splunk

Splunk must be configured with an HTTP Event Collector that will communicate with Control Center.

  1. Login as an administrator to the Splunk Cloud console.

  2. In the top menu, open Settings -> Source types under the DATA subheading.

  3. In the Source Types pane, click Create Source Type. Complete the fields as shown in the table below, then click Save when finished.

    FieldValue
    NameIn this example is it httpevent_kvp, but it can be anything descriptive.
    Description(optional)
    CategoryCustom
    Indexed extractionsnone
    Event Breaks: Event-breaking policyRegex
    Pattern(?:\[rnt]|:")(?<_KEY_1>[^="\]+)=(?:\")?(?<_VAL_1>[^="\]+)
    Timestamp(not used)
    Advanced(not used)
  1. In the top menu, open Settings -> Data Inputs under the DATA subheading.
  2. In the Data Inputs pane, click HTTP Event Collector.
  1. In the upper right of the HTTP Event Collector pane, click New Token.
  1. Name your token, then click Next.
  1. On the Input Settings pane:
    • Set the Source Type to Select; in the drop-down that appears, choose httpeventkvp (or whatever you named your Source Type earlier)
    • Select Allowed Indexes by double-clicking the ones you want to copy into the Selected item(s) pane
    • Click Review when you are satisfied
  1. Review the HTTP Event Collector (HEC) values you entered, then click Submit.
  1. A confirmation screen appears. Copy the Token Value for use in Control Center.
  1. Return to Settings -> Data Inputs -> HTTP Event Collector and you will not see your new HTTP Event Collector listed with its token value listed.
  1. Note the subdomain value in your Splunk URL; for example, in hypr.splunkcloud.com, it would be hypr.

Connecting Splunk to HYPR

You will need the HTTP Event Collector token and the Splunk URL subdomain to proceed.

  1. Login to HYPR Control Center as an administrator.
  2. In the left navigation menu, click Integrations.
  3. On the Integrations page, click Add New Integration. CC displays available integrations.
  1. Click the tile under Event Hooks for Splunk.
  1. Click Add New Event Hook.
  2. On the Add New Event Hook dialog, complete the fields as follows:
FieldValue
Event NameType a unique label to identify the Event Hook.
Event TypeSelect an Event Type to monitor.
ADMIN | ALL | AUTHENTICATION | DEREGISTRATION | MAGIC_LINK | OFFLINE_ACCESS | REGISTRATION | SMART_KEY | WEB_REGISTRATION
Cloud ProviderSplunk Cloud | Google Cloud
HEC HostThe subdomain value from the Splunk URL.
API KeyThe Token Value from the Splunk HTTP Event Collector.
  1. Click Add Event Hook when you are satisfied. CC returns to the Splunk Event Hooks page.

Interpreting Splunk Event Hook Entries

The Splunk Integration Event Hooks table displays values for the available Splunk Event Hooks.

FieldDescription
NameThe unique name of the Event Hook.
Event TypeThe eventTags value associated with the Event Hook.
ADMIN | ALL | AUTHENTICATION | DEREGISTRATION | MAGIC_LINK | OFFLINE_ACCESS | REGISTRATION | SMART_KEY | WEB_REGISTRATION
EndpointThe location of the desired endpoint on the Splunk server.
Auth TypeAPI_KEY | BASIC | OAUTH_CLIENT_CREDENTIALS
HTTP MethodDELETE | GET | HEAD | OPTIONS | PATCH | POST | PUT
Connection StateAUTHORIZED | AUTHORIZING | CREATING | DEAUTHORIZED | DEAUTHORIZING | DELETING | UPDATING
Destination StateACTIVE | INACTIVE
Actions
(Hover on Options)		Edit | Delete
See Editing HYPR Splunk Event Hooks and Deleting HYPR Splunk Event Hooks for how to perform these actions.

Clicking the name of the Event Hook will open a pane with additional information about the entry:

FieldDescription
Auth ParamsThe .JSON payload for authentication parameters.
Connection State ReasonThe reason that the connection is in the connection state.

Clicking Back to Splunk returns you to the Splunk Event Hooks page.

Editing HYPR Splunk Event Hooks

  1. On the Splunk Integration Event Hooks table, on the right side under Actions, click Options-> Edit for the Event Hook you wish to modify.
  1. The Event Hook Details dialog opens. Make changes as needed using the values given in Connecting Splunk to HYPR, Step 6, above.
  2. Click Save to return to the Event Hooks page.

Deleting HYPR Splunk Event Hooks

  1. In the Splunk Integration Event Hooks table, on the right side under Actions, click Options-> Delete for the Event Hook you wish to remove.
  2. The Delete Event Hook dialog opens. Click Delete to remove the event hook.
  1. A dialog appears confirming the Event Hook was deleted. CC returns to the Event Hooks page.

πŸ‘

Housekeeping

You may also wish to delete the HTTP Event Collector from Splunk if it is not used by any other systems.

Viewing HYPR Event Data in Splunk

When you go into Splunk to view a report on HYPR Events, the parameters associated with the data field will be broken out in the left pane under INTERESTING FIELDS. Drill into them for details about the parameters as they occurred in a given HYPR Event.

See Event Descriptions: Event Parameters for a full rundown on all Event parameters and their values.

Updated 5 months ago