Integrate Splunk with Mist Webhooks

Splunk can be hosted in the cloud or on-premises. If you are running managed Splunk Cloud, you will need to raise a ticket with Splunk support to have HEC configured. For self-service Splunk or Splunk Enterprise (on-premises), the following instructions help you configure the HTTP Event Collector (HEC) to receive webhooks from Mist.

HEC is a method by which Splunk can receive an HTTP POST request that includes a payload of data. This enables cloud services like Mist to send data to Splunk using webhooks. Webhooks require IP reachability from the Mist Cloud to your Splunk instance. In other words, you need a publicly accessible URL for your Splunk server with the HTTP port open.

Configuring HEC in Splunk

  1. In your Splunk GUI, go to Settings > Data Inputs.
  2. Go to HTTP Event Collector > Add New.
  3. Provide a Name and a Source Name Override.

    If your organization uses Splunk Output Groups, select the appropriate output group. Otherwise, ignore the Output Group selection.

  4. Click Next.
  5. Configure the following fields:
    1. For the Source type, click the Select button and select _json from the menu.
    2. For the App context, click the Search & Reporting tab.
    3. For the Index, select network from the Available items list.
      You can use an existing index type as we have done in the example, or you can create your own.
  6. Click Review.
  7. Verify the settings and click Submit.
  8. Record the Token Value. You will need this for the Mist Webhook configuration.
  9. Navigate back to Settings > Data Inputs > HTTP Event Collector.
  10. Click Global Settings in the upper right corner.
  11. Specify the default Source type as _json.

    Port 8088 is the default. You can specify a default index if needed.

    This completes the HEC setup in Splunk.
  12. You can test the Splunk HEC configuration by executing the following command in a Linux CLI. The Linux machine must be able to reach the Splunk instance over the network.

The result of the previous step should look similar to: {"text":"Success","code":0}. If you do not see a success message, confirm that there are no firewalls blocking the HEC port on the Splunk instance.
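
An added example (not the command from the original page) of a shell helper that sends one test event to HEC and interprets the reply, including the common failure codes. The host name, the HEC_TOKEN variable and the function names are assumptions; the endpoint path and Authorization header are the standard HEC ones.

```shell
# Added example: send one test event to Splunk HEC and interpret the reply.
# Host, port and token are placeholders you supply for your own instance.

# Map an HEC JSON reply to a diagnosis; returns 0 only for {"text":"Success","code":0}.
hec_diagnose() {
  _reply="$1"
  # Pull the numeric "code" field out of the reply without requiring jq.
  _code=$(printf '%s' "$_reply" |
    sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  case "$_code" in
    0) echo "ok: event accepted"; return 0 ;;
    1) echo "token disabled: enable it under Data Inputs > HTTP Event Collector" ;;
    2|3|4) echo "token missing or invalid: re-check the recorded Token Value" ;;
    7) echo "incorrect index: the token may not write to the requested index" ;;
    "") echo "no HEC reply: check firewalls and that the HEC port is reachable" ;;
    *) echo "HEC error code $_code" ;;
  esac
  return 1
}

# POST one constructed test event to https://HOST:PORT/services/collector/event.
# The Authorization header is fed to curl on stdin (-H @-, curl 7.55.0+), so the
# token never shows up in the process list. TLS verification stays on; for a
# private CA pass --cacert instead of turning verification off.
hec_send_test() {
  _host="$1"; _port="${2:-8088}"; _token="$3"
  _out=$(printf 'Authorization: Splunk %s\n' "$_token" |
    curl --silent --show-error --max-time 10 -H @- \
      -d '{"event":"Mist webhook HEC test"}' \
      "https://${_host}:${_port}/services/collector/event") || _out=""
  hec_diagnose "$_out"
}

# Usage (placeholder host): hec_send_test splunk.example.com 8088 "$HEC_TOKEN"
```

After a successful run, search the index you selected for the token to confirm the test event was indexed.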

Configuring Mist Webhooks to Point to Your Splunk Instance

Before you Begin

You must have the following information ready so that you can complete the Mist configuration:

  • The FQDN of your Splunk HEC instance
  • The port number HEC is listening on (Default is 8088)
  • Your Splunk HEC Token

You can configure webhooks in Mist at either the Org level or the Site level. For this example, we configure an Org-level webhook that subscribes to the topics “audits”, “alarms”, and “device-events”.

  1. Log in to the Mist portal for your organization.
  2. Navigate to Organization > Settings and copy your Organization ID.
  3. Navigate to https://api.mist.com/api/v1/orgs/:org_id/webhooks.
    Note: You must substitute your real Organization ID for "org_id" in the URL above.

  4. In the following JSON code block, make the following substitutions:
    • Substitute the fully qualified domain name (FQDN) of your Splunk instance for {FQDN of SPLUNK}

    • Substitute the port on which your Splunk instance is listening for {PORT}

    • Substitute your actual Splunk token for {SPLUNK TOKEN}

  5. After substitution, copy the entire block of JSON and paste it into the Content box at the bottom of the page.
  6. Click the POST button when you're ready.
You can now verify that the configuration appears in the top field of the window and that the id field contains data.

This confirms that Mist and Splunk can communicate.