--- title: Adding a Push subscription description: Push subscriptions stream audit events of the selected type to the HTTPS URL you specify. component: pingoneforenterprise page_id: pingoneforenterprise:pingone_for_enterprise:p14e_add_push_subscription canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_add_push_subscription.html revdate: September 8, 2023 section_ids: steps: Steps result: Result: result-2: Result --- # Adding a Push subscription Push subscriptions stream audit events of the selected type to the HTTPS URL you specify. ## Steps 1. Go to **Dashboard > Reporting > Subscriptions > Add Subscription**. 2. In the **Name** field, enter a name for this subscription. 3. In the **Type** list, select the type of audit event that will be pushed for this subscription. For more information, see [PingOne for Enterprise report types](p14e_report_types.html). 4. Select **Push** to create a Push subscription. 5. In the **Format** list, select the format for the audit events. For Push subscriptions, this can be either: * `Audit` (the PingOne for Enterprise default format). * `Splunk` (a format compatible with Splunk processing). Both formats are JSON. 6. In the **URL** field, enter the URL to stream audit events to. | | | | - | ---------------------- | | | The URL must be HTTPS. | 7. In the **Authorization Header** field, enter a request header that will be posted to the **URL** you specified. For example, `"Authorization: Basic 80F4FC1D78C0F15627C9B95C"`. 8. Click **Upload** to upload the public certificate registered to the **URL** you specified. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | For Splunk subscriptions, you need to upload the endpoint certificate, not the entire certificate chain. You can get your endpoint certificate by going to your Splunk endpoint in a browser and downloading it. | 9. Click **Done**. ### Result: You will find the new subscription listed on the **Subscriptions** page. ## Result The audit events pushed to the URL you specified will look similar to these samples: `Audit` format ```json { "source": "ADMINISTRATOR_LOGIN", "id": "8fd3d92f-7af2-11e8-b80d-0ec0fbebxxxx", "recorded": "2018-28-06T16:44:44.849Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "pcasso@pingidentity.com" } ], "resources": [], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "ipAddress": "192.168.10.1, 172.138.206.50" }, "result": { "status": "SUCCESS", "message": "Password" } } ``` `Splunk` format ```json { "event": { "source": "ADMINISTRATOR_LOGIN", "id": "44990ce5-7af4-11e8-b80d-0ec0fbebxxxx", "recorded": "2018-28-06T16:56:57.627Z", "action": { "type": "Password" }, "actors": [ { "type": "user", "name": "pcasso@pingidentity.com" } ], "resources": [], "client": { "id": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "ipAddress": "24.222.35.218, 172.18.26.54" }, "result": { "status": "SUCCESS", "message": "Password" } }, "host": "pingidentity.com", "time": 1530205017627, "source": "ADMINISTRATOR_LOGIN" } ```