Before creating an integration using Integration Hub, we recommend reading through the following articles to get started.
Setting up the Splunk Event Collector
Before you configure the Splunk Integration within Cyara, Splunk needs to be set up correctly. Read our detailed Event Collector Setup instructions before you begin building the Splunk Integration in Cyara.
Creating a Splunk Integration
Splunk is a platform monitoring tool that can be used to monitor various Cyara platform components, such as Pulse Dashboards.
To build an integration with Splunk, follow the steps below.
- Log in to your Cyara Portal.
- Click on Tools > Integrations. (If this menu does not appear in the Tools menu, confirm that the user account you're currently logged into is provisioned to use the Integration Hub.)
- Click the New Integration button.
- Select Splunk from the Type dropdown menu.
- Enter a Name and a Description for the integration.
- Select an Impersonation User to access the Cyara REST API (For more information on how these users are configured, read the "Adding an Impersonation User" article).
- Select which Dashboard should be used as the source of monitoring data to push to Splunk. To push all your Pulse results, choose the Global Dashboard. Results are sent to Splunk as soon as they are recorded.
- Enter the Splunk API Url for your Splunk environment, and an associated Authorization Token to access your Splunk Event Collector (see the article about setting up an Event Collector in Splunk).
- Click the New Event Field button. You will be prompted to enter a Field Name and a Field Value.
  - The Field Name will be attached to the event when pushed to Splunk.
  - The Field Value can either be a constant or a template for the event field. See below for a list of Event Field Variables.
- Enter the Event Fields that you want to push to Splunk. Once each has been entered, click the Save Details button.
- Once the Integration has been saved, enable it by setting the toggle in the top right of the integration editing screen to Enabled.
Splunk Field Mapping Example
Below is an example field mapping that includes multiple Event Field Templates.
Field - Text
Value - Test case '$TestCaseName' completed '$Result'. View the full results at $Url
In this example, when a Test Case named "Test1" in Cyara completes successfully, the Text field in the generated Splunk event is populated with the following:
"Test case 'Test1' completed 'Successfully'. View the results at /Cyaraportal/
Log Aggregator Field Variables
The following table shows possible template values of fields to be pushed to Splunk. These fields can also use a static value instead of a template. A template can contain one or more replacement variables from the table below:
| Variable | Description |
|---|---|
| $Url | The Url to the Portal Detailed Result page |
| $ResultCategory | Test Result Category |
| $ServiceName | Service Group Name |
| $StepDescription | Failed Step Description |
| $StepNo | Failed Step No |
| $TestCaseDescription | Test Case Description |
| $TestCaseName | Test Case Name |
| $TestCaseNotes | Test Case Notes |
| $FullTestResult * | The full Test Result in JSON (failed only) |
* Note: The $FullTestResult variable cannot be used in the same field as other variables. It must be used in its own field.
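
The following is an added example, not Cyara's own code: a small Python check that validates a field mapping against the variables on this page (including the rule that $FullTestResult must be alone in its field) and renders it with sample values. How Cyara performs the substitution internally is an assumption here, and the function names, sample URL and sample mapping are constructed for illustration.

```python
import json
import re

# Variables from the table on this page, plus $Result, which appears only
# in the mapping example above.
KNOWN_VARS = {"Url", "ResultCategory", "ServiceName", "StepDescription", "StepNo",
              "TestCaseDescription", "TestCaseName", "TestCaseNotes",
              "FullTestResult", "Result"}
VAR_RE = re.compile(r"\$([A-Za-z]+)")  # assumed variable syntax: $ followed by letters

def check_template(template):
    """Return a list of problems found in one Field Value template."""
    names = VAR_RE.findall(template)
    problems = [f"unknown variable ${n}" for n in names if n not in KNOWN_VARS]
    # $FullTestResult must be the whole field value, not mixed with text or variables.
    if "FullTestResult" in names and template.strip() != "$FullTestResult":
        problems.append("$FullTestResult must be used in its own field")
    return problems

def render(template, values):
    """Replace each $Name with its value; names without a value are left as-is."""
    return VAR_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)

def build_event(mapping, values):
    """Validate every field first, then render the mapping into one event dict."""
    for field, template in mapping.items():
        problems = check_template(template)
        if problems:
            raise ValueError(f"{field}: {'; '.join(problems)}")
    return {field: render(t, values) for field, t in mapping.items()}

# Constructed sample data (hypothetical URL; the result text follows the example above).
SAMPLE_VALUES = {"TestCaseName": "Test1", "Result": "Successfully",
                 "Url": "https://portal.example/result/1"}
MAPPING = {"Text": "Test case '$TestCaseName' completed '$Result'. "
                   "View the full results at $Url",
           "Source": "cyara-pulse"}  # a constant value, no template variables

if __name__ == "__main__":
    print(json.dumps(build_event(MAPPING, SAMPLE_VALUES), indent=2))
```
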