# Feed events to Splunk

You can feed data to Splunk via the [Mosaic Events Add-on](https://splunkbase.splunk.com/app/6965). This plugin helps you keep track of activity by polling the [Event streaming API](/openapi/risk/activities.openapi).

## Step 1: Configure a management app

In your Mosaic tenant, [configure a management app](/guides/user/management_apps). Give the app a suitable name, for example, `MySplunkLogStream`.

![](/assets/siem_splunk_01.1975f53e55e37b6235fd9921d9acaef3b47459204db55b072b2610a98e303d0d.de26799e.png)

Note
After saving the management app, open it again and note the **Client ID** and **Client Secret** values. You’ll need these parameters to install the Splunk App.

## Step 2: Create event streams

Before you can start feeding events to Splunk, you have to create event streams in Mosaic. You can create as many event streams as needed.

1. In the Admin Portal, navigate to **Events streaming** and select **Create stream**.
2. Complete the stream configuration by providing the stream identifier, event type to collect, and batch size. Set the stream destination to **Splunk**. For more details, see [About events streaming](/guides/user/platform/activities_streaming#stream-settings).
3. Obtain the request URL by clicking ![](/assets/action_icon.1ecac3af0cbb5a99cfdd0e9a3a7067f9df88a26acab052d3eced16c35ad4626a.9c1bb791.svg) next to the stream name and then **Copy URL**.


## Step 3: Install the plugin

You have the following options:

- Install the plugin directly from the [Splunk portal](https://splunkbase.splunk.com). This option supports **both Splunk Enterprise and Splunk Cloud** environments.
- Download the plugin and install it manually. This option only supports Splunk Enterprise environments and **doesn't work for Splunk Cloud** users.


To install the plugin from the Splunk portal:

1. While logged in, go to **Apps** > **Manage Apps**, then click **Browse more apps**:
![](/assets/siem_splunk_11.b977cacaf6e63c6e0136a34585863ed5de20a53d16c13550f836cb18599d5b58.de26799e.png)
2. Search for Mosaic Events Add-on:
![](/assets/siem_splunk_12.98b678d782fa02d4ad3956603bfcafd1571e8ff5a8af8f91b4086395c5a91780.de26799e.png)
3. Click **Install** on the **Mosaic Events Add-on** tile.
4. Log in with your Splunk username and password:
![](/assets/siem_splunk_13.0ddcb3306686b7143420bf2463bb3cc88ac3e820c033b5aff47b1e99e77a9fd1.de26799e.png)
5. Restart Splunk.


To install the plugin manually (only in Splunk Enterprise environments):

1. Download [Mosaic Audit Log Connector for Splunk](https://splunkbase.splunk.com/app/6965).
2. On the Splunk portal, go to **Apps** > **Manage Apps**:
![](/assets/siem_splunk_02.dc0aeb2f52eae72b009c9af680c4a5a660a1a3d13f1d5d2469f9edcb7b3ceb38.de26799e.png)
3. Click **Install App from File**:
![](/assets/siem_splunk_03.3a1e03f17d9186f21041a1ba4e6a526a3e925bb55ec09c9df1a2b75011a6a5db.de26799e.png)
4. Upload the file you've downloaded from Splunkbase:
![](/assets/siem_splunk_04.4b3793d9ddfef568528b3b754fe6769df5ae59240cb6f323a43cd90d6b55d1cf.de26799e.png)


After installation, the browser redirects you to the **Apps** page. This page now shows **Mosaic** on the app list.
![](/assets/siem_splunk_05.496d2902331748197b35b812a0c4058fb22f67480418b9304e2bc1867e8fb018.de26799e.png)

## Step 4: Configure the inputs

Now launch the app and configure a separate input for each stream you've created:

1. Launch the app from the **Apps** page.
2. Click **Create New Input**:
![](/assets/siem_splunk_06.da406ce1fb52cdf57bc991f30fbd45089c23755cfff7f4dd332639d07b444601.de26799e.png)
3. Configure inputs:
  - **Name**: Give the input a meaningful name, for example, `Transmit_User_Events`.
  - **Interval**: Enter the polling interval in seconds.
  - **Index**: Use your preferred index; for example, you can choose `default` or `main`.
  - **OAuth Endpoint**: Token exchange endpoint: `https://api.transmitsecurity.io/oidc/token` (use `api.eu.transmitsecurity.io` for the EU and `api.ca.transmitsecurity.io` for Canada).
  - **Endpoint**: Provide the URL you obtained upon creating a stream in Mosaic. For example, `https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id=12345&batch_size=50`.
  - **Client ID** and **Client Secret**: Use the values from the Management App you've created in the Mosaic portal earlier.


Note
When defining the polling interval, consider the level of activity on the platform. For instance, you may want to use a longer polling interval, like `3600` (1 hour), for low traffic or a shorter interval, like `300` (5 minutes), for high-traffic situations.
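
The following added example (not part of the Mosaic add-on or of this guide's original content) lints the values from this step before you enter them in Splunk, so that the client secret and access token are only ever sent to an HTTPS Transmit Security host. `check_input` is a hypothetical helper, and requiring the stream URL and the OAuth endpoint to share one regional host is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts named on this page for the OAuth endpoint (global, EU, Canada).
REGION_HOSTS = {
    "api.transmitsecurity.io",
    "api.eu.transmitsecurity.io",
    "api.ca.transmitsecurity.io",
}
REQUIRED_QUERY = ("type", "stream_id", "batch_size")  # as in the page's example URL


def check_input(oauth_endpoint, endpoint, interval):
    """Return a list of problems found in one Splunk input; empty means OK."""
    problems = []
    oauth, stream = urlsplit(oauth_endpoint.strip()), urlsplit(endpoint.strip())

    for label, url in (("OAuth Endpoint", oauth), ("Endpoint", stream)):
        # The client secret and the access token travel to these URLs.
        if url.scheme != "https":
            problems.append(f"{label}: scheme must be https")
        if url.hostname not in REGION_HOSTS:
            problems.append(f"{label}: unexpected host {url.hostname!r}")

    if oauth.path != "/oidc/token":
        problems.append("OAuth Endpoint: path should be /oidc/token")
    # Assumption: a stream is polled on the same regional host that issues the token.
    if oauth.hostname != stream.hostname:
        problems.append("Endpoint: region differs from OAuth Endpoint")

    query = parse_qs(stream.query)  # blank values are dropped, so they count as missing
    for key in REQUIRED_QUERY:
        if len(query.get(key, [])) != 1:
            problems.append(f"Endpoint: expected exactly one {key!r} parameter")
    batch = query.get("batch_size", [""])[0]
    if batch and not (batch.isdecimal() and int(batch) > 0):
        problems.append("Endpoint: batch_size must be a positive integer")

    if not (str(interval).isdecimal() and int(interval) > 0):
        problems.append("Interval: must be a positive number of seconds")
    return problems


if __name__ == "__main__":
    # Constructed sample: EU token endpoint paired with a global stream URL.
    print(check_input(
        "https://api.eu.transmitsecurity.io/oidc/token",
        "https://api.transmitsecurity.io/activities/v1/activities/collect?type=cis&stream_id=12345&batch_size=50",
        300))
```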

## Step 5: Check the operation

Check how the connector works using the **Search** app. Include `sourcetype=transmit` in the search bar. If the search isn't working, restart Splunk.

![](/assets/siem_splunk_08.fc2c5e9c5744adcc1d280a3049dfdd8664054cad977d7e00b36939677f47ab05.de26799e.png)