Offloading analytics data to Splunk

Configure analytics to offload data to Splunk Cloud Platform.

Before you begin

To configure the analytics data offload, you must be assigned the following permissions in the provider organization.

  • api-analytics - view
  • api-analytics - manage

Procedure

  1. Create an event index at Splunk to store your data.
    Note: If you use an existing index, skip this step.
    1. Log in to Splunk.
    2. Click Settings.
    3. On the Settings page, under the Data section, click Indexes.
    4. On the Indexes page, click New index.
    5. For the new index, specify the following settings and then click Save.
      • Index name - Provide a name for the new index.
      • Index data type - Select Event.
      • Max raw data size - Specify a value and unit of measurement, making sure that the index has an adequate data size to hold the offloaded data.
      • Searchable retention (days) - Set the retention period to the number of days' worth of data that you want to be able to search.

      For more information on creating an event index, see Create a Splunk Cloud Platform event index in the Splunk Cloud Platform Admin Manual.

  2. To configure the HTTP event collector (HEC), complete the following steps.
    1. Click Settings.
    2. On the Settings page, under the Data section, click Data Inputs.
    3. On the Data Inputs page, click HTTP Event Collector.
    4. On the HTTP event collector page, click Global Settings.
    5. On the Global Settings page, specify the following settings and then click Save.
      • All Tokens - Click Enabled.
      • Enable SSL - Click the checkbox to enable SSL.
      • HTTP Port Number - Specify the HTTP port number (or accept the default value); note the port value for later.

    For more information on configuring the HTTP event collector, see the Set up and use HTTP Event Collector in Splunk Web topic in the Splunk Cloud Platform documentation.

  3. To create a token for the HEC, complete the following steps.
    1. Click Settings.
    2. On the Settings page, under the Data section, click Data Inputs.
    3. On the Data Inputs page, in the "HTTP Event Collector" row, click Add New.
    4. On the Add Data page, select HTTP Event Collector.
    5. Specify the following settings and then click Next.
      • Name - Provide a name for the new HEC token.
      • Description - Provide a description for the token.
      • Enable indexer acknowledgment - Click the checkbox to enable indexer acknowledgment.
    6. On the Input Settings page, look in the "Index" section and select the index that you use for storing analytics data (created in step 1), and then click Review.
    7. On the Review page, click Submit to generate the HEC token.
    8. On the "Token has been created successfully" confirmation page, copy or note down the Token Value.
  4. To configure Analytics data offload in API Connect Enterprise as a Service, complete the following steps.
    1. Open your API Connect service instance.
    2. Click Analytics > Offload settings.
    3. Select Splunk as your storage type and provide the following information.
      • Index - Provide the name of the Splunk index that stores the offloaded Analytics data (configured in step 1).
      • HEC token - Type or paste the token value that you noted in step 3.
      • HEC URI - Provide the location of the Splunk index in the following format: https://<splunk-host>:<port> where <splunk-host> is the host and domain of your Splunk account and <port> is the HEC port that you specified in step 2. For example, https://prd-p-2dc3q.splunkcloud.com:8088.
    4. Click Save.

    Configuring analytics offload settings takes approximately 15 minutes to finish. The Offload configured message displays after the configuration is complete.
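
One way to check the values from steps 1 to 3 before you enter them in step 4 is the following added example, which is not part of the original procedure or of IBM or Splunk code. It validates the HEC URI format, sends one test event to the HEC event endpoint, and polls the acknowledgment endpoint, because indexer acknowledgment is enabled on the token; the environment variable names HEC_URI, HEC_TOKEN and HEC_INDEX are assumptions.

```python
import json
import os
import time
import urllib.request
import uuid
from urllib.parse import urlsplit

def check_hec_uri(hec_uri):
    """Accept only the https://<splunk-host>:<port> form from step 4."""
    parts = urlsplit(hec_uri)
    if parts.scheme != "https":
        raise ValueError("HEC URI must be https (SSL is enabled in step 2)")
    if not parts.hostname or parts.port is None or "@" in parts.netloc:
        raise ValueError("HEC URI needs a bare host and an explicit port")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("HEC URI must not carry a path, query or fragment")
    return f"https://{parts.netloc}"

def hec_request(hec_uri, token, channel, path, payload):
    """POST to a HEC endpoint; the channel header is needed when acks are on."""
    headers = {"Authorization": f"Splunk {token}",
               "X-Splunk-Request-Channel": channel}
    return urllib.request.Request(check_hec_uri(hec_uri) + path, method="POST",
                                  data=json.dumps(payload).encode(), headers=headers)

def event_request(hec_uri, token, index, channel):
    body = {"event": {"message": "offload connectivity test"}, "index": index}
    return hec_request(hec_uri, token, channel, "/services/collector/event", body)

def ack_request(hec_uri, token, channel, ack_id):
    return hec_request(hec_uri, token, channel, "/services/collector/ack", {"acks": [ack_id]})

def is_acked(ack_body, ack_id):
    """True once Splunk reports the event behind this ackId as indexed."""
    return json.loads(ack_body).get("acks", {}).get(str(ack_id)) is True

if __name__ == "__main__" and os.environ.get("HEC_TOKEN"):
    # HEC_URI, HEC_TOKEN, HEC_INDEX are assumed variable names; the token is a secret.
    uri, tok, idx = (os.environ[k] for k in ("HEC_URI", "HEC_TOKEN", "HEC_INDEX"))
    chan, done = str(uuid.uuid4()), False
    with urllib.request.urlopen(event_request(uri, tok, idx, chan), timeout=10) as r:
        ack_id = json.loads(r.read())["ackId"]
    for _ in range(10):  # the ack turns true once the event is indexed
        with urllib.request.urlopen(ack_request(uri, tok, chan, ack_id), timeout=10) as r:
            done = is_acked(r.read(), ack_id)
        if done:
            break
        time.sleep(2)
    print("event indexed" if done else "no acknowledgment yet")
```

Treat the HEC token like a password: anyone who holds it can write events into the index selected in step 3.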