Splunk Cloud Integration


Introduction

From infrastructure management to data compliance, Splunk Cloud is built to scale to your data analytics needs, ranging from GBs to PBs and beyond. Read more about Splunk Cloud here. This integration with Splunk Cloud enables you to push performance and alert data the moment it is recorded. It relies on Catchpoint's two push APIs: the Test Data Webhook and the Alert Webhook. When enabled, the Test Data Webhook API pushes each test's performance metrics after every run. The Alert Webhook API pushes alert data the moment an alert is triggered. The data is sent to the HTTP Event Collector (HEC) in Splunk over Secure HTTP (HTTPS). HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format.

Prerequisites

  • Splunk Cloud account.

Installation and Configuration

Splunk Setup

Create an Event Collector token

To use HEC, you must configure at least one token. On Splunk Cloud instances, the platform distributes the token across the deployment. The token is not ready for use until distribution has completed.

  1. Click Settings > Data Inputs.
  2. Click HTTP Event Collector.
  3. Select New Token.
  4. In the Name field, enter a name for the token.
  5. (Optional) In the Source name override field, enter a name for a source to be assigned to events that this endpoint generates.
  6. (Optional) In the Description field, enter a description for the input.
  7. Click Next.
  8. (Optional) Make edits to source type and confirm the index where you want HEC events to be stored. See Modify input settings.
  9. Click Review.
  10. Verify the settings are as per your use case.
  11. Click Submit. Otherwise, click < to make changes.
  12. Copy the token value that Splunk Web displays and paste it into another document for reference later.

URI for HEC.

The standard form for the HEC URI in Splunk Cloud is as follows:

<protocol>://http-inputs-<host>:<port>/<endpoint>

Attributes of URI:

  • <protocol> is https.
  • <host> is the Splunk Cloud instance that runs HEC; prepend 'http-inputs-' to the hostname.
  • <port> is the HEC port number; use '443'.
  • <endpoint> is the HEC endpoint; use '/services/collector'.

For example, if the hostname for your Splunk Cloud instance is catchpoint.splunkcloud.com, the HEC URI in Splunk Cloud will be:
https://http-inputs-catchpoint.splunkcloud.com:443/services/collector

Create Events indexes:

  1. In Splunk Web, navigate to Settings > Indexes and click New.
  2. To create a new index, enter: Name for the index: catchpoint-webhooks. Index data type: Events. App: Search and Reporting.
  3. Click Save

Catchpoint Setup:

To get Catchpoint data into Splunk, log in to the Catchpoint Portal and go to Settings > API.

  1. In the Test Data Webhook add the Splunk cloud HEC endpoint.
  2. Select Template.
  3. Click Add New from the drop-down.
  4. Enter a name.
  5. Select JSON under format.
  6. Paste the template content (Testdata-Webhook-Template.txt) from the attachment found along with this KB.
  7. Next, for authentication with the Splunk server, add the Authorization header in Key -> value format. Key: Authorization. Value: Splunk <Event-Collector-Token>.
  8. Click Save.

Note: The Test Data Webhook feature should be enabled on each test's properties page for that test to send metrics.

To get Catchpoint Alert data into Splunk, log in to the Catchpoint Portal and go to Settings > API.

  1. In the Alert Webhook enter the Alert Webhook name according to your preference.
  2. Set status to Active
  3. For URL, add the Splunk cloud HEC endpoint.
  4. Select Template.
  5. Click Add New from the drop-down.
  6. Enter a name.
  7. Select JSON under format.
  8. Paste the template content (Alert-Webhook-Template.txt) from the attachment found along with this KB.
  9. Click Save.
  10. Next, for authentication with the Splunk server, add the Authorization header in Key -> value format. Key: Authorization. Value: Splunk <Event-Collector-Token>.
  11. Click Save.
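
A smoke test for the HEC URI and Authorization header configured above, as an added example that is not part of the original article or of Catchpoint's templates: it builds the URI from the Splunk Cloud hostname, checks the token's shape, and posts one event over verified TLS. The SPLUNK_HOST and HEC_TOKEN environment variable names, the function names and the sample event are assumptions, as is the GUID shape the token check expects.

```python
import json
import os
import re
import urllib.request

# Assumption: HEC tokens have the GUID shape Splunk generates.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def hec_uri(splunk_host):
    """Build https://http-inputs-<host>:443/services/collector from a bare hostname."""
    host = splunk_host.strip().lower()
    if not HOST_RE.fullmatch(host):
        raise ValueError("expected a bare hostname such as catchpoint.splunkcloud.com")
    if not host.startswith("http-inputs-"):
        host = "http-inputs-" + host
    return "https://%s:443/services/collector" % host


def build_request(splunk_host, token, event, index="catchpoint-webhooks"):
    """Return a POST request carrying one event in the HEC JSON envelope."""
    if not TOKEN_RE.fullmatch(token):
        # fullmatch also rejects CR/LF, so a bad value cannot inject extra headers.
        raise ValueError("token is not GUID-shaped")
    body = json.dumps({"event": event, "index": index}).encode("utf-8")
    headers = {
        "Authorization": "Splunk " + token,  # same key/value as in the Catchpoint webhook
        "Content-Type": "application/json",
    }
    return urllib.request.Request(hec_uri(splunk_host), data=body, headers=headers, method="POST")


def send(request, timeout=10):
    """Post the event. urllib verifies the server certificate by default."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Read the secret from the environment rather than hard-coding it.
    req = build_request(
        os.environ["SPLUNK_HOST"],
        os.environ["HEC_TOKEN"],
        {"message": "HEC smoke test (constructed sample event)"},
    )
    print(send(req))
```

A token that HEC accepts returns a JSON body with "text": "Success" and "code": 0; a missing or rejected token surfaces as a urllib HTTPError with status 401 or 403.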

Implementation

Importing Dashboards:

  1. From Splunk home page under Apps select Search & Reporting
  2. Select Dashboards and click Create New Dashboard.
  3. Add title as Catchpoint - Overview. ID should be automatically assigned.
  4. Provide required permissions to the dashboard and select create dashboard.
  5. Now select Source and copy the contents of catchpoint_overview.xml file and select save.
  6. Repeat the same steps for Catchpoint - Recent Errors, Catchpoint - Test Times, Catchpoint - Response Size, and Catchpoint - Alerts.

Note: Make sure all the Dashboard names are the same as mentioned above for the drill-downs to work as expected.

Result

The Catchpoint Overview dashboard is your central location for the Catchpoint tests in your account. It gives an at-a-glance view of your recent errors. The Tests widget lets you search for and quickly access your test data.

The Test Time dashboard focuses on displaying how much time was spent loading resources. It plots the metrics over time making it easier to identify trends.

The Response size dashboard plots the amount of data downloaded when loading each resource. This highlights the amount of content and the header's download size over time.

The Errors page lists all the errors encountered by tests. This page makes it easy to view the top issues as well as narrow down on problems to identify commonality between failures for any given test or group of tests.

The Alerts page allows you to view the history of all the alerts reported by Catchpoint.

Sample Query to Plot DNS, Connect, Load, Send, SSL, Wait

index="catchpoint-webhooks"
| spath output=Connect path=Summary.Timing.Connect
| spath output=DNS path=Summary.Timing.Dns
| spath output=Load path=Summary.Timing.Load
| spath output=Send path=Summary.Timing.Send
| spath output=Ssl path=Summary.Timing.Ssl
| spath output=Wait path=Summary.Timing.Wait
| spath output=Client path=Summary.Timing.Client
| spath output=TestName path=TestDetail.Name
| spath output=NodeName path=NodeName
| spath output=TestRuntime path=TestRuntime
| eval Dimensions=TestName + "#" + NodeName
| regex NodeName="^$NodeName$$"
| regex TestName="^$TestName$$"
| timechart cont=false span=1m latest(Connect) as Connect latest(DNS) as DNS latest(Load) as Load latest(Send) as Send latest(Ssl) as Ssl latest(Wait) as Wait latest(Client) as Client by Dimensions

Catchpoint-Recent_Errors.xml

Catchpoint-Response_Size.xml

Catchpoint - Test Times.xml

Catchpoint-Overview.xml

Catchpoint-Alerts.xml

Alert-Webhook-Template.txt

Testdata-Webhook-Template.txt