# Integration with Splunk

### Overview

The **Splunk Enterprise SIEM integration** enables organizations to stream MangoApps platform events directly into **Splunk** for centralized security monitoring, analytics, and compliance auditing.

<figure><img src="/files/F6idXS1t0uwW1zcbqCOS" alt="" width="375"><figcaption></figcaption></figure>

With this integration, MangoApps pushes key account and system activity events to a **Splunk HTTPS Event Collector (HEC)** endpoint, allowing IT teams to correlate MangoApps activity with events from other enterprise systems.

This capability is especially useful for organizations that rely on **Splunk for security monitoring, compliance reporting, and operational analysis**.

***

### How the Integration Works

The integration uses a **MangoApps Push Agent** to send platform activity events to a **Splunk HTTPS Event Collector (HEC)** endpoint.

#### Event Flow

1. User activity occurs in MangoApps.
2. MangoApps records the event internally.
3. The **Splunk Push Agent** collects eligible events.
4. Events are sent to the Splunk HEC endpoint.
5. Splunk ingests and indexes the events for monitoring and analytics.

Events are delivered using **NDJSON format (newline-delimited JSON)** where each line represents a separate event.

The system also supports **cursor-based pagination for event delivery** to ensure reliable event processing.

***

### Prerequisites

Before configuring the integration, ensure you have:

* A **Splunk Enterprise or Splunk Cloud instance**. For information on setting up and using the **HTTP Event Collector in Splunk Web**, click [here](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.2/get-data-with-http-event-collector/set-up-and-use-http-event-collector-in-splunk-web#dbdcdb42_1180_4f33_8c7d_153a5e7868d3--en__Set_up_and_use_HTTP_Event_Collector_in_Splunk_Web).
* **HTTPS Event Collector (HEC)** enabled in Splunk
* A valid **HEC authentication token**
* Access to the **MangoApps Admin Portal**
* Network connectivity allowing MangoApps to reach the Splunk HEC endpoint

***

### MangoApps Configuration

#### Step 1: Open Built-In Integrations

Log in to **MangoApps Admin Portal** and navigate to: **Admin Portal → Integrations → Built-In Integrations**.

Select the **Splunk Integration**.

***

#### Step 2: Enter Splunk Connection Details

Enable the **Splunk HEC Push Agent** and enter the Splunk connection details. The push agent is responsible for automatically transmitting events to Splunk at a defined interval.

<figure><img src="/files/S3o2PIWgAqCV7rarJLWt" alt="" width="563"><figcaption></figcaption></figure>

Provide the required connection settings:

| Setting             | Description                                     |
| ------------------- | ----------------------------------------------- |
| Name                | Name for the integration                        |
| Splunk Endpoint URL | Splunk HTTPS Event Collector endpoint           |
| Enable SSL          | Enable if the endpoint requires SSL             |
| HEC Token           | Authentication token from Splunk                |
| Default Index       | Splunk index where events will be stored        |
| Source Type         | Splunk source type identifier                   |
| Host                | Identifier used by Splunk to identify MangoApps |

These values correspond to configuration parameters required by Splunk for event ingestion.

***

#### Step 3: Configure Event Push Frequency

Choose how frequently MangoApps pushes events to Splunk.

Available options:

* Every **5 minutes**
* Every **10 minutes**
* Every **30 minutes**
* Every **1 hour**
* Up to **24 hours**

{% hint style="success" %}
Shorter intervals provide more real-time monitoring but increase event traffic.
{% endhint %}

***

#### Step 4: Save the Configuration

Click **Save** to activate the integration.

Once enabled, MangoApps begins pushing events to Splunk according to the configured schedule.

***

### Splunk Configuration Details

#### HEC Configuration Details

Endpoint: <https://your-splunk-host:8088/services/collector>

Headers:

* `Authorization: Splunk <HEC_TOKEN>`
* `Content-Type: application/json`

Optional header: `X-Splunk-Request-Channel:`

MangoApps Configuration:

* Endpoint URL
* HEC Token
* Default Index
* Source Type
* Source
* Host
* Push Frequency (5 min – 24 hrs)

Push Behavior:

* Scheduled push (default \~10 minutes)
* Not real-time

TLS Requirements:

* HTTPS required
* TLS 1.2+
* Valid SSL certificate required

***

#### Sample Event Payload

```json
{
  "time": 1711180800,
  "host": "mangoapps",
  "source": "splunk_logs",
  "sourcetype": "mangoapps:audit",
  "event": {
    "timestamp": "2026-03-23T10:30:00Z",
    "user": "user@company.com",
    "ip": "192.168.1.10",
    "source_code_reference": "AUTH_LOGIN",
    "access_from_app": "Web",
    "platform": "Chrome on Windows",
    "unique_id": "evt_123456",
    "event_type": "Login",
    "description": "User login successful",
    "outcome": "Success",
    "http_code": 200
  }
}
```
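As an added illustration (not the MangoApps push agent's code), the following Python sketch ties together the Event Flow, HEC Configuration Details and Sample Event Payload sections above: each event is wrapped in the HEC envelope from the sample payload, batches are selected with a cursor so a failed delivery is retried from the last acknowledged event, the batch is serialized as NDJSON, and the request carries the `Authorization: Splunk <HEC_TOKEN>` and `Content-Type` headers over a TLS 1.2+ connection with certificate verification. Field names follow the sample payload; the event values, the page size, the `FORBIDDEN_KEYS` list and every function name here are assumptions made for this example.

```python
"""Shape MangoApps audit events into Splunk HEC NDJSON batches (illustrative, not vendor code)."""
import json
import ssl
import urllib.request
from datetime import datetime

# Constructed sample events. Field names follow the sample payload on this page;
# the values are invented for this example.
SAMPLE_EVENTS = [
    {"unique_id": "evt_000101", "timestamp": "2026-03-23T10:30:00Z",
     "user": "user@company.com", "ip": "192.168.1.10",
     "event_type": "Login", "outcome": "Success", "http_code": 200},
    {"unique_id": "evt_000102", "timestamp": "2026-03-23T10:31:00Z",
     "user": "user@company.com", "ip": "203.0.113.7",
     "event_type": "Unauthorized Access", "outcome": "Failure", "http_code": 401},
    {"unique_id": "evt_000103", "timestamp": "2026-03-23T10:32:00Z",
     "user": "admin@company.com", "ip": "192.168.1.20",
     "event_type": "Role Changes", "outcome": "Success", "http_code": 200},
]

# Assumed deny-list: the page states payloads never carry credentials, so refuse to send any that do.
FORBIDDEN_KEYS = {"password", "token", "secret", "hec_token", "session"}


def check_no_secrets(event: dict) -> dict:
    """Raise if an event carries credential-like fields instead of forwarding it."""
    leaked = {k for k in event if k.lower() in FORBIDDEN_KEYS}
    if leaked:
        raise ValueError(f"event {event.get('unique_id')} carries secret-like fields: {sorted(leaked)}")
    return event


def to_hec_record(event, host="mangoapps", source="splunk_logs",
                  sourcetype="mangoapps:audit", index=None):
    """Wrap one event in the HEC envelope shown in the sample payload (time is epoch seconds)."""
    ts = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    record = {"time": int(ts.timestamp()), "host": host, "source": source,
              "sourcetype": sourcetype, "event": check_no_secrets(event)}
    if index:
        record["index"] = index  # HEC accepts an explicit per-event index
    return record


def next_batch(events, cursor, page_size):
    """Cursor-based paging: return the events after `cursor` (a unique_id) and the
    cursor to persist once Splunk has acknowledged the batch. A failed push leaves
    the cursor unchanged, so the same batch is retried on the next run."""
    ordered = sorted(events, key=lambda e: e["unique_id"])
    ids = [e["unique_id"] for e in ordered]
    start = ids.index(cursor) + 1 if cursor in ids else 0
    batch = ordered[start:start + page_size]
    new_cursor = batch[-1]["unique_id"] if batch else cursor
    return batch, new_cursor


def to_ndjson(records):
    """NDJSON: one JSON document per line, which is how HEC accepts batched events."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def hec_headers(token, channel=None):
    """Headers listed in the HEC Configuration Details section."""
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    return headers


def hec_tls_context():
    """TLS 1.2+ with certificate and hostname verification, as the TLS Requirements demand."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_request(url, token, body, channel=None):
    """Prepare the HTTPS POST; urllib.request.urlopen(req, context=hec_tls_context()) sends it."""
    return urllib.request.Request(url, data=body.encode(), headers=hec_headers(token, channel), method="POST")


if __name__ == "__main__":
    # Dry run: walk the sample events with a cursor and show what each push would contain.
    cursor = None
    while True:
        batch, cursor = next_batch(SAMPLE_EVENTS, cursor, page_size=2)
        if not batch:
            break
        body = to_ndjson(to_hec_record(e, index="mangoapps") for e in batch)
        req = build_request("https://your-splunk-host:8088/services/collector", "<HEC_TOKEN>", body)
        print(f"would POST {len(batch)} event(s), {len(body)} bytes, to {req.full_url}; next cursor={cursor}")
```

The cursor is only advanced after a batch is built, and a real agent would persist it only after HEC returns success, which is what makes delivery reliable across a failed push or an agent restart. The `check_no_secrets` guard is a cheap place to enforce the page's "no passwords, tokens, or secrets" promise on the sending side.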

***

### Deleting the Integration

To delete the integration, navigate to Admin Portal → Integrations → Built-In Integrations → Splunk → Setup.

<figure><img src="/files/N1mUgwZ5idwpaOr8YP7E" alt="" width="563"><figcaption></figcaption></figure>

Click **Delete** at the bottom of the integration, then confirm the action in the pop-up. This action cannot be undone once confirmed.

***

### Events Sent to Splunk

The current integration focuses on **security, authentication, and user lifecycle events**.

**Authentication & Access:**

* Login
* Logoff
* Unauthorized Access
* Access from New Location

**Account Lifecycle:**

* Account Creation
* Account Deletion
* Account Suspended
* Account Locked Out

**Security & Permissions:**

* Password Reset
* Role Changes

{% hint style="warning" %}
Only these 10 events are forwarded to Splunk; this excludes all content and activity events. The retention period for this information is 90 days.
{% endhint %}

These events provide the necessary telemetry for organizations to monitor access and detect suspicious activity.

***

### Viewing Splunk Integration Logs in MangoApps

Administrators can review the events that MangoApps sends to Splunk.

To access the logs, navigate to **Admin Portal → Home → Logs → Splunk Logs**

<figure><img src="/files/QB9LnN2EKKX2xH3LT66y" alt="" width="563"><figcaption></figcaption></figure>

The Splunk Logs page allows administrators to:

* Search logs by keyword
* Filter by event type
* Filter by date range

These logs show the events that were pushed to Splunk and confirm whether event delivery occurred successfully.

***

### Security and Data Protection

This integration is designed to prevent sensitive data exposure.

Key safeguards include:

* **No passwords, tokens, or secrets are included in event payloads**
* Only security-relevant event metadata is transmitted
* Event logs exclude sensitive authentication information

This ensures the integration remains compliant with enterprise security standards.

***

### Troubleshooting

#### Events Not Appearing in Splunk

Verify the following:

* HEC endpoint URL is correct
* HEC token is valid
* SSL settings match Splunk configuration
* Firewall rules allow outbound traffic to Splunk
* Push frequency interval has elapsed

***

#### Connection Issues

Check the **Splunk Logs** in MangoApps to identify:

* Authentication failures
* Endpoint connectivity errors
* Delivery failures

***

### Best Practices

* Use a **5–10 minute push interval** for security monitoring.
* Store MangoApps events in a **dedicated Splunk index**.
* Create Splunk dashboards for:
  * Login activity
  * Role changes
  * User lifecycle events
* Set alerts for unusual login patterns or privilege changes.
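The alerts suggested in the last bullet, as an added example that is not part of the original page and is not a Splunk search: three detection rules written in Python and run over a constructed set of events using only the event types listed under "Events Sent to Splunk", so the logic can be checked on sample data before being expressed as a Splunk search or dashboard. The thresholds, time windows, sample events and function names are assumptions made here.

```python
"""Detection rules over MangoApps audit events (illustrative, not vendor code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of indexed events, reduced to the fields the rules use.
# bob@company.com sees five Unauthorized Access events from one address, then a
# successful Access from New Location from that address; admin then changes a role.
EVENTS = [
    {"timestamp": "2026-03-23T09:00:00Z", "user": "alice@company.com", "ip": "192.168.1.10",
     "event_type": "Login", "outcome": "Success"},
] + [
    {"timestamp": f"2026-03-23T09:0{m}:00Z", "user": "bob@company.com", "ip": "198.51.100.4",
     "event_type": "Unauthorized Access", "outcome": "Failure"} for m in range(2, 7)
] + [
    {"timestamp": "2026-03-23T09:20:00Z", "user": "bob@company.com", "ip": "198.51.100.4",
     "event_type": "Access from New Location", "outcome": "Success"},
    {"timestamp": "2026-03-23T09:21:00Z", "user": "admin@company.com", "ip": "192.168.1.20",
     "event_type": "Role Changes", "outcome": "Success"},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _ordered(events):
    return sorted(events, key=lambda e: parse_ts(e["timestamp"]))


def failed_access_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Rule 1: a (user, ip) pair with >= threshold Unauthorized Access events in a sliding window."""
    recent = defaultdict(deque)
    flagged, alerts = set(), []
    for e in _ordered(events):
        if e["event_type"] != "Unauthorized Access":
            continue
        key = (e["user"], e["ip"])
        t = parse_ts(e["timestamp"])
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "failed_access_burst", "user": key[0], "ip": key[1],
                           "count": len(q), "last_seen": e["timestamp"]})
    return alerts


def new_location_after_failures(events, window=timedelta(minutes=30)):
    """Rule 2: Access from New Location preceded, within the window and from the same
    user and address, by Unauthorized Access events (a success worth a closer look)."""
    failures = defaultdict(list)
    hits = []
    for e in _ordered(events):
        key = (e["user"], e["ip"])
        t = parse_ts(e["timestamp"])
        if e["event_type"] == "Unauthorized Access":
            failures[key].append(t)
        elif e["event_type"] == "Access from New Location":
            prior = [f for f in failures[key] if t - f <= window]
            if prior:
                hits.append({"rule": "new_location_after_failures", "user": e["user"],
                             "ip": e["ip"], "prior_failures": len(prior), "at": e["timestamp"]})
    return hits


def privilege_changes(events):
    """Rule 3: every Role Changes event is surfaced for review; none should go unnoticed."""
    return [{"rule": "privilege_change", "user": e["user"], "ip": e["ip"], "at": e["timestamp"]}
            for e in _ordered(events) if e["event_type"] == "Role Changes"]


def run_all(events):
    return failed_access_bursts(events) + new_location_after_failures(events) + privilege_changes(events)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Rule 1 is the usual brute-force or password-spray signal, rule 2 is the higher-value one because it fires on a success that follows failures, and rule 3 is deliberately unconditional since the page forwards only ten event types and privilege changes are rare enough to review individually. Note that the push interval sets the floor on detection latency: with the default schedule, none of these rules can fire sooner than the next scheduled push.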


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://guides.mangoapps.com/integrations-guide/seim-integrations/integration-with-splunk.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
