PingOne

Monitoring activity with Splunk

Use Splunk to monitor PingOne activity data.

Installing the PingOne App for Splunk

The PingOne App for Splunk correlates your PingOne data into a meaningful dashboard. The app allows you to create custom dashboards and reporting, monitor activity data, and analyze event data over time.

Before you begin

You must:

  • Have a Splunk administrator account.

  • Create a webhook to send your PingOne data to your Splunk instance. We recommend collecting the data in index=pingone so that the data model attached to the PingOne App for Splunk will automatically pick up the data.

    • Create a data input in Splunk to receive the webhook data from PingOne. In Splunk, click Settings → Data inputs.

    • For HTTP Event Collector, click +Add new. Send the data to index=pingone. Copy the token that Splunk generates: it is the credential that authorizes writes to the collector, so store it as you would any other secret. For more information, refer to the Splunk HTTP Event Collector documentation.

      A screen capture of the Splunk Index page with 'pingone' as the selected index.

      To use a different index, refer to step 2 below to configure the PingOne App for Splunk to capture webhook data stored in other indexes.

    • Create the webhook in PingOne with the HTTPS URL of your Splunk HTTP Event Collector as its destination, and add a custom header carrying the token from the previous step. HEC reads the token from the Authorization header, in the form Authorization: Splunk <token>.

  • Download the PingOne App for Splunk package in Splunkbase. Search for pingone in Splunkbase to find the file.

About this task

To install the PingOne App for Splunk:

Steps

  1. Sign on to Splunk and install the PingOne App for Splunk.

    1. Click Apps → Manage Apps.

    2. Click Install app from file.

      A screen capture of the Splunk Apps page with a red box around the Install app from file button.
    3. To upload the PingOne App for Splunk package file, click Browse, select the file, and then click Upload.

      A screen capture of the Install App From File page in Splunk.
  2. If your data is not in index=pingone, modify the macro to point to your data:

    1. Click Settings → All configurations.

      A screen capture of the Splunk Settings menu with a red box around All configurations.
    2. For the App field, filter on PingOne App for Splunk configurations and select the PingOne_data macro.

      A screen capture of the Splunk All configurations page filtered on PingOne App For Splunk with a red box around the PingOne_data macro.
    3. To point the macro to your data, enter your index in the Definition box.

      The default is index=pingone. Below is an example definition.

      A screen capture of an example index in the Definition box.
  3. Optional: Accelerate your data model to make a summary index of PingOne data.

    The summary index results in more efficient population of the dashboards and allows you to populate the tables over larger time ranges.

    1. Go to Settings → Data models.

      A screen capture of the Splunk Settings menu with a red box around Data models.
    2. Click Edit → Edit Acceleration for the PingOne data model.

      A screen capture of the Splunk Data Models page for the PingOne data model with the Edit menu open and a red box around Edit Acceleration.
    3. In the Edit Acceleration window, select the Accelerate check box.

    4. Select a Summary Range. Click Save.

      The dashboards display accelerated data only for the selected summary range, so choose a range that covers the time spans you intend to report on.

      A screen capture of the Splunk Edit Acceleration window with the Accelerate check box selected and the Summary Range set to 3 Months.

    Building the summary index takes time; dashboards can remain sparse until the build completes.

Troubleshooting the PingOne App for Splunk

See the following information for help troubleshooting the dashboards in the PingOne App for Splunk.

Why do some of the graphs not populate?

If a search returns no results within the selected time range, the dashboard widget is blank. If only one widget on a dashboard is blank, such as a single table or chart, there were most likely no events relevant to that widget. If every widget on a dashboard is blank, check that the PingOne_data macro points to the index that holds your webhook data and that the PingOne webhook is delivering events to that index.

Why do the Event Detail charts have a count listed?

The data model collects aggregate data, which is used to populate the dashboards. Because the collected data is aggregated rather than raw log events, multiple matching events are rolled up into one row with a count. For example, if a user account was unlocked 3 times in a second by the same administrator, the count value for that row would be 3.

How do the dashboard table fields translate from PingOne webhook JSON data?

In the PingOne App for Splunk prebuilt dashboards, the PingOne webhook JSON data translates to the following table headings.

JSON Key                        Field Name

action.type                     Action
result.description              Description
result.status                   Status
actors.client.id                Client ID
actors.client.environment.id    Environment ID
actors.client.name              Client Application
actors.user.id                  Actor ID
actors.user.name                Actor
resources.name                  Target Resource

What does “N/A” mean when populated into a field such as Actor (actors.user.name)?

In this case, "N/A" means that the event did not include a value for that field. For instance, if the activity was performed by a worker app instead of a user account, the event carries no actors.user object, so the Actor and Actor ID columns show N/A in the dashboard results while the Client Application and Client ID columns (actors.client.*) still identify the application that acted.

Certain dashboards allow you to filter N/A values in the results. For the User Activity dashboard:

  • If Filter No Actor is set to False, N/A values are displayed.

    A screen capture of Filter No Actor set to False and the N/A values displaying in the chart.
  • If Filter No Actor is set to True, N/A values are removed from the results.

    A screen capture of Filter No Actor set to True and the N/A values not displaying in the chart.
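The following is an added example, not code from the PingOne App for Splunk or from Splunk, that models the three behaviours described in this troubleshooting section: the translation of webhook JSON keys into dashboard column names, the rollup of identical events into one row with a count, and the N/A value plus the Filter No Actor option for events with no actors.user. The sample webhook batch, its action types, names and identifiers are constructed for the example, and the use of recordedAt as the event timestamp is an assumption.

```python
"""Added example (not part of the PingOne App for Splunk): models how the
app's data model turns PingOne webhook JSON into dashboard rows.
Sample events are constructed; recordedAt as the timestamp is an assumption."""
from collections import Counter

# Dotted JSON key -> dashboard column, as listed in the translation table above.
FIELD_MAP = {
    "action.type": "Action",
    "result.description": "Description",
    "result.status": "Status",
    "actors.client.id": "Client ID",
    "actors.client.environment.id": "Environment ID",
    "actors.client.name": "Client Application",
    "actors.user.id": "Actor ID",
    "actors.user.name": "Actor",
    "resources.name": "Target Resource",
}
COLUMNS = tuple(FIELD_MAP.values())
NA = "N/A"


def get_path(obj, path):
    """Walk a dotted path through nested dicts. Lists (resources is a list in
    the sample events) are descended via their first element, an assumption
    made for this example. Returns None when any step is missing."""
    cur = obj
    for part in path.split("."):
        if isinstance(cur, list):
            cur = cur[0] if cur else None
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_row(event):
    """Translate one webhook event into a dashboard row; absent values become N/A."""
    row = {}
    for path, column in FIELD_MAP.items():
        value = get_path(event, path)
        row[column] = NA if value in (None, "") else str(value)
    return row


def aggregate(events, filter_no_actor=False):
    """Collapse identical rows recorded in the same second into one row with a
    count, mirroring the aggregate data model. With filter_no_actor=True, rows
    whose Actor is N/A (for example worker-app activity) are dropped, like the
    User Activity dashboard's Filter No Actor = True setting."""
    counter = Counter()
    for event in events:
        row = to_row(event)
        if filter_no_actor and row["Actor"] == NA:
            continue
        second = str(event.get("recordedAt", ""))[:19]  # ISO 8601, cut to seconds
        counter[(second,) + tuple(row[c] for c in COLUMNS)] += 1
    rows = []
    for key, count in counter.items():
        row = dict(zip(("Recorded At",) + COLUMNS, key))
        row["count"] = count
        rows.append(row)
    return rows


def _unlock_event(millis):
    """Constructed: the same administrator unlocking the same account."""
    return {
        "recordedAt": "2024-05-01T10:15:30.%03dZ" % millis,
        "action": {"type": "USER.ACCOUNT.UNLOCKED"},
        "result": {"status": "SUCCESS", "description": "User account unlocked"},
        "actors": {
            "user": {"id": "admin-0001", "name": "alice.admin"},
            "client": {"id": "client-0001", "name": "PingOne Admin Console",
                       "environment": {"id": "env-0001"}},
        },
        "resources": [{"name": "bob.user"}],
    }


# Constructed webhook batch: three unlocks within one second by the same
# administrator, then one change made by a worker app (no actors.user present).
SAMPLE_EVENTS = [_unlock_event(ms) for ms in (101, 250, 742)] + [{
    "recordedAt": "2024-05-01T10:15:31.000Z",
    "action": {"type": "USER.UPDATED"},
    "result": {"status": "SUCCESS", "description": "User updated"},
    "actors": {
        "client": {"id": "client-0002", "name": "Provisioning Worker",
                   "environment": {"id": "env-0001"}},
    },
    "resources": [{"name": "carol.user"}],
}]


if __name__ == "__main__":
    for row in aggregate(SAMPLE_EVENTS):
        print(row["count"], row["Action"], row["Actor"], row["Client Application"])
    print("with Filter No Actor = True:")
    for row in aggregate(SAMPLE_EVENTS, filter_no_actor=True):
        print(row["count"], row["Action"], row["Actor"])
```

Running the block yields two rows: the unlock row with count 3 and Actor alice.admin, and the worker-app row with count 1, Actor N/A and Client Application Provisioning Worker; with filter_no_actor=True only the first row remains. When a dashboard shows an unexpected count or an N/A, comparing the raw webhook event against this mapping is the quickest way to see which key was absent or which events were rolled together.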