Introduction
Cyara’s Pulse production monitoring solution has the ability to feed real-time information about the state of a set of Customer Experience journeys to Splunk and other similar tools utilized by IT departments. This document is designed to guide Cyara clients through the overall process of establishing the feed of Pulse monitoring results to Splunk. Similar techniques can be applied to feeding Pulse data to other dashboarding, log aggregation and monitoring platforms.
At a high level, the setup steps are:
- Set up the Splunk Event Collector
- Install Cyara Integration Hub
- Install Splunk Integration Script on the Integration Hub
- Calculate the amount of information you want to Publish to Splunk
- Configure/Select a Cyara Pulse Dashboard to Publish to Splunk
Note: Before you begin, be aware that the Cyara-Splunk Integration setup requires a constantly active internet connection.
Architectural Overview
The Cyara-Splunk integration is delivered through the Cyara Integration Hub, a new component intended to enable multiple integrations with the Cyara Platform. Before proceeding with the instructions below, you first need to set up the Integration Hub following these instructions. That said, it may be useful to read through both documents before beginning the actual installation process.
- Pulse Test Cases complete, triggering changes to any Dashboards that they were enrolled in.
- The Cyara Platform calls a webhook and instigates a refresh from the Integration Hub.
- The Integration Hub will pull a delta of changes since the last update and transform these using the script.
- A POST will be made to the Splunk HTTP Event Collector.
A similar architecture will be available for clients running Splunk Enterprise on-premise. The Integration Hub will be positioned on-premise alongside Splunk.
Splunk Event Collector Setup
Setting up an Event Collector
In this section we are going to set up a dedicated event collector to receive our data inputs from Cyara. Within your Splunk Instance choose Settings > Data Inputs. This page will detail the various inputs available to you.
The HTTP Event Collector is a generic collector that can receive data over HTTP(S). Go ahead and choose the Add new option.
Configure the collector using the defaults shown.
This success screen will show a Token value that you will need later for posting events to your collector.
By default, the event collector is disabled and cannot receive data from external sources. To enable it, navigate back to your Data Inputs section by clicking Settings > Data Inputs. Click on the HTTP Event Collector link to navigate to your event collector list.
Click on Global Settings and choose Enabled, then click on Save to persist these changes.
Splunk Integration Script
The base Cyara Integration Hub must be extended with a Splunk Integration Script. From time to time, Cyara will provide updates when there are changes to any of the core packages or transformation scripts. Full instructions will be provided on how these will be applied.
The following diagram details a single instance of an integration script that would run for a specific Dashboard. The Splunk Integration and Cyara API boxes indicate scripts that will be provided via a module. Initially, updates to these modules will be supplied via a Cyara representative.
The blue box indicates a customizable script that can be used to transform the API results from Cyara into a document to record in Splunk.
Choosing the Data to Publish to Splunk
The Integration Hub publishes information via JSON documents. As Pulse publishes monitoring results to a Dashboard, it also posts a document for each result to Splunk.
You can choose to customize the document, adding or removing information as needed. You can choose whether you want to include the detailed result for all results, or just the failure summary. You can also refine the JSON document to only import the information you need. Generally, there are two approximate sizes for a single event:
- Failure Summary - 300 bytes for just the Dashboard alert
- Detailed Result - 4kb for the complete detailed result
The total size of the Cyara data to be ingested by Splunk will depend on the frequency of your Pulse Campaigns. For example, if you have a single Pulse Campaign that runs every 5 minutes which executes 4 Test Cases:
Failure Summary only
4 x 5 x 12 x 300 = 70 kb per hour
Full detailed result
4 x 5 x 12 x 4096 = 960 kb per hour
The image below gives an example of the data available for pushing into Splunk via a JSON document.
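The following Python sketch illustrates the failure-summary versus detailed-result choice described above, and the token-authenticated POST to the HTTP Event Collector. It is an added example, not Cyara's integration script. The result field names other than status, the sample values and the example host are assumptions, and refusing a non-HTTPS collector URL is a choice made in this example so the token is never sent in clear text.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Assumed field names; only "status" and its three values appear on this page.
SUMMARY_FIELDS = ("dashboard", "testCase", "status", "failureReason", "timestamp")
STATUSES = ("error", "satisfactory", "success")

SAMPLE_RESULT = {  # constructed sample, not real Cyara output
    "dashboard": "Splunk Feed", "testCase": "Billing IVR", "status": "error",
    "failureReason": "Prompt not detected", "timestamp": "2024-01-01T00:00:00Z",
    "steps": [{"step": 1, "result": "success"}, {"step": 2, "result": "error"}],
}


def to_hec_event(result, detailed=False):
    """Wrap one Pulse result in the HEC JSON envelope ({"event": ...})."""
    if result.get("status") not in STATUSES:
        raise ValueError("unexpected status: %r" % (result.get("status"),))
    if detailed:
        body = dict(result)  # complete detailed result
    else:
        body = {k: result[k] for k in SUMMARY_FIELDS if k in result}
    return {"event": body}


def event_size(event):
    """Bytes this event adds to the POST body (compact JSON, UTF-8)."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def build_hec_request(hec_url, token, event):
    """Build, but do not send, the POST to the HTTP Event Collector."""
    if urlsplit(hec_url).scheme != "https":
        raise ValueError("refusing to send the HEC token over plain HTTP")
    if not token or token != token.strip():
        raise ValueError("empty or malformed HEC token")
    data = json.dumps(event, separators=(",", ":")).encode("utf-8")
    headers = {"Authorization": "Splunk " + token,
               "Content-Type": "application/json"}
    return urllib.request.Request(hec_url, data=data, headers=headers, method="POST")


if __name__ == "__main__":
    for mode in (False, True):
        print("detailed" if mode else "summary", event_size(to_hec_event(SAMPLE_RESULT, mode)))
```

Pass the returned request to urllib.request.urlopen to send it, and load the token from a secret store or environment variable rather than embedding it in the script.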
Creating a Pulse Dashboard for Splunk
To control the scope of Pulse test cases and other related information being sent to Splunk, you should create a Pulse Dashboard for the new event collector configured above.
Create Dashboard Panels
You will then need to add two panels to the Pulse Dashboard, one will be a bar chart showing the aggregation of the results over time, the other will be a detail list of failures reported today.
First, you will need to create a column chart visualization. From your Dashboard click the Edit button and choose Add Panel. Click on the New section to expand a list of templates and then click on the Column Chart. From the Time Range, choose Last 7 days and enter a descriptive title for your chart. The search string we will be using is:
source="http:cyara pulse monitoring" | timechart
    count(eval(status="error")) AS errors
    count(eval(status="satisfactory")) AS satisfactory
    count(eval(status="success")) AS successful
| rename errors AS "Failed", satisfactory AS "Satisfactory", successful AS "Success"
This search query will create 3 series to chart, one for each of the available Test Results.
Click on the Add to Dashboard button.
To predefine what color each of the series will display, we need to edit the Dashboard Source. Click on the Edit button and choose the Source option. We need to add a new option in here for the series colors. The new option is:
<option name="charting.seriesColors">[0xEE1236, 0xFF9E3B, 0x5CC242]</option>
Click the Save button once complete.
Next, let’s create our failed events list for today. Click on the Edit option again and click Add Panel, then choose New > Events. From the Time Range choose Today. Create a Title of “Errors Reported Today” and a search string of:
source="http:cyara pulse monitoring" status="error"
This completes the setup of our Dashboard to feed data to Splunk. Refer to your Splunk reports to inspect the data now being published there.
You can now configure the Splunk Integration within Cyara. Read Configuring a Splunk Integration for a walkthrough.