Data Push Destinations - Splunk (Beta)
Written by Josh Peters
Updated over a week ago

Before you begin, be aware that the Splunk data push works well but uses a different retry mechanism than the other destinations. As a result, the Splunk data push does not go into the error state when an error occurs: it always shows as running in the UXI dashboard, whether or not it is successful. The Splunk integration is available for Beta testing, and you can request to join the beta through support.


Selecting the Splunk destination sends your test result data or issue data to your Splunk database. Each test result or issue is represented as an event in Splunk. The data is sent from the UXI VPC located in AWS US-WEST-2. It is recommended to use Splunk Cloud, the Splunk AMI on AWS, or Splunk hosted with another cloud provider. If your Splunk is on-premises, you will need to route the traffic accordingly. This integration has only been tested on Splunk 9.0.0, but should work on version 7.1 or better.

The UXI data push makes use of the Splunk HTTP Event Collector (HEC).

To get started, navigate to Settings -> Data Inputs.

Select HTTP Event Collector and select Add New.

On the next page, select New Token.

Give the token a name. It is also recommended to check the box for "Enable Index Acknowledgment". Keep all other default settings.

On the Input Settings, you may choose to create a new index or add data to an index. In this example we created a new index for events called “uxi”. Note the index you use, as you will need it later.

Review the settings, and when finished, click Submit.

On the next page you will be shown the token. Copy this down.

Next, go to the UXI Dashboard. Open Settings -> Integrations.

Under Data Push Destinations, select Add Destination.

Configure the data push for your Splunk database.

  • Data Type: Test Results or Issues

  • Destination Type: Splunk

  • Name: Give this integration a friendly name

  • URL: Enter the Splunk public URL

  • Port: Enter the Splunk HEC port. Usually, the Splunk HEC runs on port 8088

  • Index: Specify the index used for the Splunk HEC token.

  • Token: Paste the Splunk HEC token

  • Enable Index Acknowledgment: Toggle True or False depending on your token settings.

Click Submit

Wait a few minutes to ensure the data push destination remains in a running state. You should then be able to search your data in Splunk.
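Because the destination shows as running whether or not delivery succeeds, the token, index and acknowledgment setting can be checked directly against the HEC endpoint. The script below is an added example, not part of the original article and not UXI or Splunk code; the function names are hypothetical, and it assumes the URL is entered with its https:// scheme.

```python
import json
import uuid
import urllib.error
import urllib.request

# Splunk HEC reply codes mapped to the UXI destination field to re-check.
HEC_HINTS = {
    0: "ok",
    1: "Token: the HEC token is disabled in Splunk",
    4: "Token: value does not match any HEC token",
    7: "Index: not in the token's allowed indexes",
    10: "Enable Index Acknowledgment: token requires it, sender has it off",
    # Code 14 is only returned when a sender polls for acknowledgments.
    14: "Enable Index Acknowledgment: sender has it on, token does not",
}

def build_event_request(url, port, token, index, use_ack):
    """Build (not send) one test event for the HEC event endpoint."""
    body = json.dumps({"event": {"preflight": "uxi-hec-check"}, "index": index})
    headers = {"Authorization": f"Splunk {token}"}
    if use_ack:
        # With index acknowledgment enabled, HEC requires a channel GUID.
        headers["X-Splunk-Request-Channel"] = str(uuid.uuid4())
    return urllib.request.Request(
        f"{url.rstrip('/')}:{port}/services/collector/event",
        data=body.encode(), headers=headers, method="POST")

def diagnose(reply_body):
    """Turn a HEC JSON reply into the destination setting to re-check."""
    reply = json.loads(reply_body)
    code = reply.get("code")
    return HEC_HINTS.get(code, f"unmapped HEC code {code}: {reply.get('text')}")

def preflight(url, port, token, index, use_ack):
    """Send the test event over certificate-verified TLS and diagnose the reply."""
    req = build_event_request(url, port, token, index, use_ack)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.read())
    except urllib.error.HTTPError as err:  # HEC errors also carry a JSON body
        return diagnose(err.read())
```

Call `preflight()` with the same values entered in the destination form; a result of `ok` means Splunk accepted the event for that token and index.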

Example Splunk Searches

The following example searches can be used as tables and visualizations and can be saved to Splunk dashboards. In the examples, there are separate indexes for issues (uxi_issues) and test results (uxi_test_results).

Ongoing Issues:

To find which issues are ongoing, search your uxi issues index, deduplicate the results by uid, put the output in a table, and remove any rows with event_type "RESOLVED".

index="uxi_issues" | dedup uid | table uid,timestamp,context.sensor_name,context.network_name,context.service_name,code,event_type | where event_type != "RESOLVED"

If you set the resulting time period to the last 7 days you can find which issues have been detected but are not yet resolved.

The result of the table would look like this.

Bar Chart for AP Association Time

To display a bar chart of AP associations over time, you may create a search over your test results index that looks like this:

index="uxi_test_results" code=AP_ASSOC | timechart avg(connect_time_milliseconds) by context.sensor_name

Under visualizations, if you select the bar chart, your results may look like this:

Average DNS Lookup Time for a Specific Network

To display a single value, such as average DNS lookup time, you can use the example below to see results only for the SSID "Cape".

index="uxi_test_results" code=DNS_RESOLVE "context.network_name"="Cape" | stats avg(resolve_time_milliseconds)

Under visualizations, if you select the Filler Gauge, your results may look like this:

Average Download Speed

To display a single value, such as average download speed, you can use the example below to see results only for the wired network "VLAN 10".

index="uxi_test_results" code="SPEED" "context.network_name"="VLAN 10" | eval speed_download_mbps=speed_download_bps / 1000000 | stats avg(speed_download_mbps)

Under visualizations, if you select the Radial Gauge, your results may look like this:
