---
title: Monitoring activity with Splunk
description: Use Splunk to monitor PingOne activity data.
component: pingone
page_id: pingone:developer_tools:p1_monitor_activity_splunk
canonical_url: https://docs.pingidentity.com/pingone/developer_tools/p1_monitor_activity_splunk.html
revdate: April 23, 2025
page_aliases: ["p1_app_splunk_troubleshooting.adoc", "p1_splunk_app.adoc"]
section_ids:
  p1-add-splunk-app: Installing the PingOne App for Splunk
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  p1-splunk-troubleshoot: Troubleshooting the PingOne App for Splunk
  why-do-some-of-the-graphs-not-populate: Why do some of the graphs not populate?
  why-do-the-event-detail-charts-have-a-count-listed: Why do the Event Detail charts have a count listed?
  how-do-the-dashboard-table-fields-translate-from-pingone-webhook-json-data: How do the dashboard table fields translate from PingOne webhook JSON data?
  what-does-na-mean-when-populated-into-a-field-such-as-actor-actors-user-name: "What does \"N/A\" mean when populated into a field such as Actor (actors.user.name)?"
---

# Monitoring activity with Splunk

Use Splunk to monitor PingOne activity data.

## Installing the PingOne App for Splunk

The PingOne App for Splunk correlates your PingOne data into a meaningful dashboard. The app allows you to create custom dashboards and reporting, monitor activity data, and analyze event data over time.

### Before you begin

You must:

* Have a Splunk administrator account.

* [Create a webhook](../integrations/p1_create_webhook.html) to send your PingOne data to your Splunk instance. We recommend collecting the data in `index=pingone` so that the data model attached to the PingOne App for Splunk will automatically pick up the data.

  * Create a data input in Splunk to receive the webhook data from PingOne. In Splunk, click **Settings > Data inputs**.

  * For **HTTP Event Collector**, click **+Add new**. Send the data to `index=PingOne`. Make sure to copy the token provided by Splunk. Learn more in the [Splunk HTTP Event Collector](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector) documentation.

    ![A screen capture of the Splunk Index page with 'PingOne' as the selected index.](_images/uqb1675363189824.png)

    To use a different index, refer to step 2 below to configure the PingOne App for Splunk to capture webhook data stored in other indexes.

  * Create the webhook in PingOne and add a custom header, where you can enter the token provided by Splunk when you created the **HTTP Event Collector** input.

* Download the PingOne App for Splunk package from Splunkbase. Search for `PingOne` in Splunkbase to find the file.

### About this task

To install the [PingOne App for Splunk](https://splunkbase.splunk.com/app/6750):

### Steps

1. Sign on to Splunk and install the PingOne App for Splunk.

   1. Click **Apps > Manage Apps**.

   2. Click **Install app from file**.

      ![A screen capture of the Splunk Apps page with a red box around the Install app from file button.](_images/mwp1673286615442.png)

   3. To upload the PingOne App for Splunk package file, click **Browse**, select the file, and then click **Upload**.

      ![A screen capture of the Install App From File page in Splunk.](_images/smm1673287492338.png)

2. If your data is not in `index=pingone`, modify the macro to point to your data:

   1. Click **Settings > All configurations**.

      ![A screen capture of the Splunk Settings menu with a red box around All configurations.](_images/loq1673287883877.png)

   2. For the **App** field, filter on **PingOne App for Splunk** configurations and select the **PingOne\_data** macro.

      ![A screen capture of the Splunk All configurations page filtered on PingOne App For Splunk with a red box around the PingOne\_data macro.](_images/ssd1673288502247.png)

   3. To point the macro to your data, enter your index in the **Definition** box.

      The default is `index=PingOne`. Below is an example definition.

      ![A screen capture of an example index in the Definition box.](_images/stu1673289377506.png)

3. (Optional) Accelerate your data model to make a summary index of PingOne data.

   The summary index results in more efficient population of the dashboards and allows you to populate the tables over larger time ranges.

   1. Go to **Settings > Data models**.

      ![A screen capture of the Splunk Settings menu with a red box around Data models.](_images/lrn1673290000178.png)

   2. Click **Edit > Edit Acceleration** for the PingOne data model.

      ![A screen capture of the Splunk Data Models page for the PingOne data model with the Edit menu open and a red box around Edit Acceleration.](_images/umg1673290334166.png)

   3. In the **Edit Acceleration** window, select the **Accelerate** checkbox.

   4. Select a **Summary Range**. Click **Save**.

      The dashboards only display accelerated data through the summary range selected, so choose a time range accordingly.

      ![A screen capture of the Splunk Edit Acceleration window with the Accelerate check box selected and the Summary Range set to 3 Months.](_images/gak1673291190958.png)

   It will take time for the summary index to build.

## Troubleshooting the PingOne App for Splunk

See the following information for help troubleshooting the dashboards in the PingOne App for Splunk.

### Why do some of the graphs not populate?

If no results are returned within the selected time range, the dashboard widget appears blank. If only one widget on a dashboard, such as a table or chart, is blank, this likely means there were no relevant events to populate it.

### Why do the **Event Detail** charts have a count listed?

The data model collects aggregate data, which is used to populate the dashboards. Because the data collected are not raw log events, it's possible for multiple matching events to be aggregated. As an example, if a user account was unlocked 3 times in a second by the same administrator, the count value would be 3.

### How do the dashboard table fields translate from PingOne webhook JSON data?

In the PingOne App for Splunk prebuilt dashboards, the PingOne webhook JSON data translates to the following table headings.

| JSON Key                       | Field Name         |
| ------------------------------ | ------------------ |
| `action.type`                  | Action             |
| `result.description`           | Description        |
| `result.status`                | Status             |
| `actors.client.id`             | Client ID          |
| `actors.client.environment.id` | Environment ID     |
| `actors.client.name`           | Client Application |
| `actors.user.id`               | Actor ID           |
| `actors.user.name`             | Actor              |
| `resources.name`               | Target Resource    |

### What does "N/A" mean when populated into a field such as Actor (actors.user.name)?

In this case, "N/A" means that no value was included with the event. For instance, if the activity was performed by a worker app instead of a user account, the corresponding event data would have an N/A value in the dashboard results.

Certain dashboards allow you to filter N/A values in the results. For the **User Activity** dashboard:

* If **Filter No Actor** is set to `False`, N/A values are displayed.

  ![A screen capture of Filter No Actor set to False and the N/A values displaying in the chart.](_images/rur1673301795705.png)

* If **Filter No Actor** is set to `True`, N/A values will be removed from the results.

  ![A screen capture of Filter No Actor set to True and the N/A values not displaying in the chart.](_images/xps1673303026344.png)
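
The field mapping, the aggregated count, and the N/A and **Filter No Actor** behavior described in the troubleshooting answers above can be reproduced outside Splunk to check what a given webhook event should look like in a dashboard row. This is an added Python example, not code from the PingOne App for Splunk; the event layout (nested objects, `resources` as a list), the sample values, and the function names `lookup` and `dashboard_rows` are assumptions.

```python
import json
from collections import Counter

FIELD_MAP = {  # JSON key -> dashboard heading, copied from the table above
    "action.type": "Action",
    "result.description": "Description",
    "result.status": "Status",
    "actors.client.id": "Client ID",
    "actors.client.environment.id": "Environment ID",
    "actors.client.name": "Client Application",
    "actors.user.id": "Actor ID",
    "actors.user.name": "Actor",
    "resources.name": "Target Resource",
}

def lookup(event, dotted_key):
    """Resolve a dotted key; lists (assumed for resources) are walked element-wise."""
    nodes = [event]
    for part in dotted_key.split("."):
        items = [i for n in nodes for i in (n if isinstance(n, list) else [n])]
        nodes = [i[part] for i in items if isinstance(i, dict) and i.get(part) is not None]
    return ", ".join(map(str, nodes)) if nodes else "N/A"  # no value in the event

def dashboard_rows(raw_events, filter_no_actor=False):
    """Map events to dashboard headings and aggregate identical rows with a count."""
    counts = Counter()
    for raw in raw_events:
        counts[tuple(lookup(json.loads(raw), key) for key in FIELD_MAP)] += 1
    rows = [dict(zip(FIELD_MAP.values(), row), Count=n) for row, n in counts.items()]
    if filter_no_actor:  # mirrors Filter No Actor = True
        rows = [r for r in rows if r["Actor"] != "N/A"]
    return rows

# Constructed sample events (hypothetical values, not real PingOne output).
UNLOCK = json.dumps({
    "action": {"type": "USER.UNLOCKED"}, "resources": [{"name": "jdoe"}],
    "result": {"status": "SUCCESS", "description": "Unlocked user"},
    "actors": {"client": {"id": "c-1", "name": "Admin Console", "environment": {"id": "env-1"}},
               "user": {"id": "u-9", "name": "admin@example.com"}},
})
WORKER = json.dumps({  # performed by a worker app: no actors.user object
    "action": {"type": "USER.CREATED"}, "resources": [{"name": "asmith"}],
    "result": {"status": "SUCCESS", "description": "Created user"},
    "actors": {"client": {"id": "c-2", "name": "Provisioning Worker", "environment": {"id": "env-1"}}},
})
SAMPLE = [UNLOCK, UNLOCK, UNLOCK, WORKER]

if __name__ == "__main__":
    print(*dashboard_rows(SAMPLE), sep="\n")
```

When reviewing activity, keep rows with an N/A actor in view at least once: they are the events performed by applications rather than user accounts.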
