Export analytics data from Cerby to Splunk

This article describes how to set up the integration to export analytics data from Cerby to Splunk.

Written by Cerby Team
Updated over a week ago

With Cerby, you can export the analytics data of your workspace to a security information and event management (SIEM) solution like Splunk via an integration. This is a feature that customers can request to be enabled by the Cerby Customer Support team.

The integration leverages an HTTP Event Collector, where Cerby exports the logs of analytic events in JSON format every minute as long as Cerby has registered events. The Appendix: Analytic events format section details the JSON object structure.

NOTE: Email your request to enable this feature to the Customer Support team at support@cerby.com. You must also send a URI as part of step 1, "Create and set up an HTTP Event Collector in Splunk".

This article describes how to set up the analytics data export to Splunk.


Set up the analytics data export to Splunk

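To set up the export of the analytics data that Cerby registers and stores for a workspace, you must complete the following main steps:

  1. Create and set up an HTTP Event Collector in Splunk
  2. Search for Cerby analytic events via the Splunk Search app

The following sections describe each main step.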

1. Create and set up an HTTP Event Collector in Splunk

To create and configure an HTTP Event Collector in Splunk, complete the following steps:

  1. Create a Splunk HTTP Event Collector for receiving events by following the corresponding instructions in the Getting Data In official documentation.

    IMPORTANT: When creating the Event Collector token, make sure the Enable indexer acknowledgement checkbox is disabled.

  2. Share the HTTP Event Collector token and URI with the Cerby Customer Support team. The following is an example of the URI: https://demouri.splunkcloud.com:8088/services/collector/event.

    The URI is provided by the Splunk system and may contain a port. Make sure you share the port, if applicable, to prevent issues receiving the events.

2. Search for Cerby analytic events via the Splunk Search app

To search for Cerby analytic events using the Splunk Search app, follow the instructions in the Search Tutorial official documentation.

Now you’re done with the setup.


Appendix: Analytic events format

The following is an example of the JSON object with the analytic events that Cerby sends to Splunk. The object contains a description of each key-value pair.

{
"timestamp": <Unix timestamp of the event>,
"date": <event date in ISO format>,
"eventName": <name of the event>,
"user_id": <user whose action triggered the event>,
"accountName": <name of the account related to the event, when applicable>,
"accountProvider": <provider of the account related to the event, when applicable>,
"city": <event source city>,
"region": <event source state/region>,
"country": <event source country>,
"ip": <event source IP>,
"deviceName": <device type, for example, Mac, PC, and smartphone>,
"browserName": <name of the browser>,
"browserVersionMajor": <browser version>,
"userAgent": <browser user agent>,
"workspace": <customer workspace name>
}
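
One way to confirm that events arriving in Splunk match the format above is to run a check like the following over a sample of them. This is an added example, not Cerby or Splunk code; the name `check_event`, treating the two "when applicable" account keys as optional, a timestamp in seconds, and UTC for dates without an offset are assumptions, and the sample event is constructed.

```python
import ipaddress
from datetime import datetime, timezone

# Keys taken from the appendix of this article.
# Assumption: the two "when applicable" account keys may be absent.
REQUIRED = {"timestamp", "date", "eventName", "user_id", "city", "region",
            "country", "ip", "deviceName", "browserName",
            "browserVersionMajor", "userAgent", "workspace"}
OPTIONAL = {"accountName", "accountProvider"}


def check_event(event, max_skew_seconds=60):
    """Return a list of problems found in one exported event (empty = clean)."""
    keys = set(event)
    problems = [f"missing key: {k}" for k in sorted(REQUIRED - keys)]
    problems += [f"undocumented key: {k}" for k in sorted(keys - REQUIRED - OPTIONAL)]
    if "ip" in event:  # the source IP must parse as IPv4 or IPv6
        try:
            ipaddress.ip_address(str(event["ip"]))
        except ValueError:
            problems.append(f"ip is not a valid address: {event['ip']!r}")
    # "timestamp" and "date" describe the same instant, so they must agree.
    # Assumption: timestamp is in seconds; a date without an offset is UTC.
    if "timestamp" in event and "date" in event:
        try:
            ts = datetime.fromtimestamp(float(event["timestamp"]), tz=timezone.utc)
            iso = datetime.fromisoformat(str(event["date"]).replace("Z", "+00:00"))
            if iso.tzinfo is None:
                iso = iso.replace(tzinfo=timezone.utc)
            if abs((ts - iso).total_seconds()) > max_skew_seconds:
                problems.append("timestamp and date disagree")
        except (TypeError, ValueError, OverflowError, OSError):
            problems.append("timestamp or date is not parseable")
    return problems


# Constructed sample event; every value is invented for illustration.
SAMPLE = {
    "timestamp": 1700000000, "date": "2023-11-14T22:13:20Z",
    "eventName": "constructed_event_name", "user_id": "user@example.com",
    "accountName": "Example account", "accountProvider": "example-provider",
    "city": "Example City", "region": "Example Region", "country": "US",
    "ip": "203.0.113.10", "deviceName": "Mac", "browserName": "Firefox",
    "browserVersionMajor": "120", "userAgent": "Mozilla/5.0 (constructed)",
    "workspace": "example-workspace",
}
```

An empty list means the event carries every documented key, a parseable source IP, and a `date` that agrees with its `timestamp`; undocumented keys are worth reviewing because they indicate the export format has changed since field extractions and alerts were written.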