Integration with Splunk
Overview
The Splunk Enterprise SIEM integration enables organizations to stream MangoApps platform events directly into Splunk for centralized security monitoring, analytics, and compliance auditing.

With this integration, MangoApps pushes key account and system activity events to a Splunk HTTPS Event Collector (HEC) endpoint, allowing IT teams to correlate MangoApps activity with events from other enterprise systems.
This capability is especially useful for organizations that rely on Splunk for security monitoring, compliance reporting, and operational analysis.
How the Integration Works
The integration uses a MangoApps Push Agent to send platform activity events to a Splunk HTTPS Event Collector (HEC) endpoint.
Event Flow
User activity occurs in MangoApps.
MangoApps records the event internally.
The Splunk Push Agent collects eligible events.
Events are sent to the Splunk HEC endpoint.
Splunk ingests and indexes the events for monitoring and analytics.
Events are delivered in NDJSON (newline-delimited JSON) format, where each line represents a separate event.
The system also supports cursor-based pagination for event delivery to ensure reliable event processing.
Prerequisites
Before configuring the integration, ensure you have:
A Splunk Enterprise or Splunk Cloud instance. For information on setting up and using the HTTP Event Collector in Splunk Web, see the Splunk documentation.
HTTPS Event Collector (HEC) enabled in Splunk
A valid HEC authentication token
Access to the MangoApps Admin Portal
Network connectivity allowing MangoApps to reach the Splunk HEC endpoint
MangoApps Configuration
Step 1: Open Built-In Integrations
Log in to the MangoApps Admin Portal and navigate to: Admin Portal → Integrations → Built-In Integrations.
Select the Splunk Integration.
Step 2: Enter Splunk Connection Details
Enable the Splunk HEC Push Agent and enter the Splunk connection details. The push agent is responsible for automatically transmitting events to Splunk at a defined interval.

Provide the required connection settings:
Name: Name for the integration
Splunk Endpoint URL: Splunk HTTPS Event Collector endpoint
Enable SSL: Enable if the endpoint requires SSL
HEC Token: Authentication token from Splunk
Default Index: Splunk index where events will be stored
Source Type: Splunk source type identifier
Host: Identifier used by Splunk to identify MangoApps
These values correspond to configuration parameters required by Splunk for event ingestion.
Step 3: Configure Event Push Frequency
Choose how frequently MangoApps pushes events to Splunk.
Available options:
Every 5 minutes
Every 10 minutes
Every 30 minutes
Every 1 hour
Up to 24 hours
Shorter intervals provide more real-time monitoring but increase event traffic.
Step 4: Save the Configuration
Click Save to activate the integration.
Once enabled, MangoApps begins pushing events to Splunk according to the configured schedule.
Splunk Configuration Details
HEC Configuration Details
Endpoint: https://your-splunk-host:8088/services/collector
Headers:
Authorization: Splunk <HEC_TOKEN>
Content-Type: application/json
Optional Header: X-Splunk-Request-Channel:
MangoApps Configuration:
Endpoint URL
HEC Token
Default Index
Source Type
Source
Host
Push Frequency (5 min – 24 hrs)
Push Behavior:
Scheduled push (default ~10 minutes)
Not real-time
TLS Requirements:
HTTPS required
TLS 1.2+
Valid SSL certificate required
Sample Event Payload
Deleting the Integration
To delete the integration, navigate to Admin Portal → Integrations → Built-In Integrations → Splunk → Setup.

Click Delete at the bottom of the integration, then confirm the action in the pop-up. This action cannot be undone once confirmed.
Events Sent to Splunk
The current integration focuses on security, authentication, and user lifecycle events.
Authentication & Access:
Login
Logoff
Unauthorized Access
Access from New Location
Account Lifecycle:
Account Creation
Account Deletion
Account Suspended
Account Locked Out
Security & Permissions:
Password Reset
Role Changes
Only these 10 events are forwarded to Splunk; this excludes all content and activity events. The retention period for this information is 90 days.
These events provide the necessary telemetry for organizations to monitor access and detect suspicious activity.
Viewing Splunk Integration Logs in MangoApps
Administrators can review the events that MangoApps sends to Splunk.
To access the logs, navigate to Admin Portal → Home → Logs → Splunk Logs.

The Splunk Logs page allows administrators to:
Search logs by keyword
Filter by event type
Filter by date range
These logs show the events that were pushed to Splunk and confirm whether event delivery occurred successfully.
Security and Data Protection
This integration is designed to prevent sensitive data exposure.
Key safeguards include:
No passwords, tokens, or secrets are included in event payloads
Only security-relevant event metadata is transmitted
Event logs exclude sensitive authentication information
This ensures the integration remains compliant with enterprise security standards.
Troubleshooting
Events Not Appearing in Splunk
Verify the following:
HEC endpoint URL is correct
HEC token is valid
SSL settings match Splunk configuration
Firewall rules allow outbound traffic to Splunk
Push frequency interval has elapsed
Connection Issues
Check the Splunk Logs in MangoApps to identify:
Authentication failures
Endpoint connectivity errors
Delivery failures
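The checks in this Troubleshooting section can also be run from a host on the same network path as MangoApps. The following is an added example, not MangoApps or Splunk code: it validates the endpoint URL against the TLS requirements listed earlier, builds a test request with the documented headers, and maps Splunk's HEC response codes to the items above. Function names and the test event body are assumptions.

```python
import json, ssl, urllib.error, urllib.request
from urllib.parse import urlsplit

# Splunk HEC response codes mapped to the troubleshooting items on this page.
HEC_CODES = {
    0: "ok: event accepted",
    2: "no token sent: check the HEC Token field",
    4: "HEC token is not valid",
    7: "index not allowed for this token: check Default Index",
}

def check_endpoint(url):
    """Return problems with the endpoint URL; an empty list means it passes."""
    parts, problems = urlsplit(url), []
    if parts.scheme != "https":
        problems.append("HTTPS required")
    if not parts.path.startswith("/services/collector"):
        problems.append("path should start with /services/collector")
    return problems

def tls_context():
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.2+ as the page requires
    return ctx

def build_request(url, token, events, index, sourcetype, host):
    """One HEC envelope per line (NDJSON) with the documented headers."""
    body = "\n".join(json.dumps({"event": e, "index": index,
                                 "sourcetype": sourcetype, "host": host}) for e in events)
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")

def diagnose(body):
    """Translate a HEC response body into a troubleshooting hint."""
    try:
        code = json.loads(body)["code"]
    except (ValueError, KeyError, TypeError):
        return "not a HEC response: check the Endpoint URL and port"
    return HEC_CODES.get(code, f"HEC code {code}: see Splunk's HEC documentation")

def preflight(url, token, index, sourcetype, host):  # needs network access
    req = build_request(url, token, [{"msg": "hec preflight"}], index, sourcetype, host)
    try:
        with urllib.request.urlopen(req, context=tls_context(), timeout=10) as r:
            return diagnose(r.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a HEC body
        return diagnose(err.read())
    except urllib.error.URLError as err:   # DNS, firewall or TLS failure
        return f"cannot reach endpoint: {err.reason}"
```

Call preflight() with the same values entered in Step 2; a certificate or protocol-version problem surfaces as "cannot reach endpoint" with the TLS error as the reason.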
Best Practices
Use a 5–10 minute push interval for security monitoring.
Store MangoApps events in a dedicated Splunk index.
Create Splunk dashboards for:
Login activity
Role changes
User lifecycle events
Set alerts for unusual login patterns or privilege changes.
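The alerting practice above, run over constructed sample events as an added example (not MangoApps or Splunk code): it parses NDJSON lines and flags a role change or password reset that follows a risky access event for the same user within a time window. The event names come from this page; the JSON keys "type", "user" and "time" and the 30-minute window are assumptions, since the page does not show the payload schema.

```python
import json
from datetime import datetime, timedelta

# Event names are the ones this page lists; the JSON keys "type", "user"
# and "time" are assumed for illustration (no payload schema is shown).
RISKY_PRECURSORS = {"Access from New Location", "Unauthorized Access"}
SENSITIVE = {"Role Changes", "Password Reset"}

def parse_ndjson(text):
    """One JSON object per line; blank lines skipped, bad line numbers reported."""
    events, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad.append(n)
    return events, bad

def correlate(events, window=timedelta(minutes=30)):
    """Flag a sensitive change that follows a risky access event for the
    same user within `window`."""
    alerts, last_risky = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev.get("user")
        if ev.get("type") in RISKY_PRECURSORS:
            last_risky[user] = ev
        elif ev.get("type") in SENSITIVE and user in last_risky:
            prior = last_risky[user]
            if ev["time"] - prior["time"] <= window:
                alerts.append((user, prior["type"], ev["type"]))
    return alerts

# Constructed sample input, not real MangoApps output.
SAMPLE = """\
{"type": "Login", "user": "alice", "time": "2024-05-01T09:00:00"}
{"type": "Access from New Location", "user": "bob", "time": "2024-05-01T09:05:00"}
{"type": "Role Changes", "user": "bob", "time": "2024-05-01T09:12:00"}
{"type": "Role Changes", "user": "alice", "time": "2024-05-01T09:20:00"}
not json
{"type": "Access from New Location", "user": "carol", "time": "2024-05-01T10:00:00"}
{"type": "Password Reset", "user": "carol", "time": "2024-05-01T11:30:00"}
"""
```

Because pushes are scheduled rather than real-time, the window should be compared against event timestamps, as here, not against arrival time in Splunk.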