Edwin AI Splunk Cloud Integration
Last updated on 08 July, 2025The LogicMonitor Edwin AI Splunk Integration enables Edwin AI to receive and normalize event data from your Splunk Cloud environment in real time. This integration transforms incoming Splunk events into the Edwin Common Event Format (CEF) using a configurable YAML-based mapping structure.
The integration supports field extraction, enrichment, normalization, and default fallback logic to ensure clean and consistent event ingestion into Edwin AI.
To set up the Edwin AI Splunk Integration, complete the following tasks:
- Deploy the integration ZIP package into your Splunk Cloud environment
- Provide your Edwin AI API credentials
- Customize the
splunk_mappings.yamlfile to control how events are parsed and enriched - Validate field mappings and transformations
Requirements for Configuring Edwin AI Splunk Integration
To install and configure the Edwin AI Splunk Integration, you need:
- Access to a Splunk Cloud instance
- A valid Edwin AI API token
- Organization name in Edwin AI
splunk_mappings.yamlconfiguration file
Installing and Configuring the Edwin AI Splunk Cloud Integration
- Download the Edwin AI integration zip package.
- In your Splunk Cloud, navigate to Apps > Manage Apps.
- Select Install app from file, then upload the Edwin AI zip package.
Note: After the zip package is uploaded, restart your Splunk instance if prompted.
- Open the installed Edwin AI integration app > Configuration page.
- In the API Token field, enter your Edwin API token.
- In the Organization Name field, enter your Edwin AI organization name.
- Select Save.
- Locate the
splunk_mappings.yamlfile that is bundled with the integration.
Review the file to ensure the mappings, timestamps, transforms, and defaults sections align with your Splunk Cloud data structure.
If needed, customize the mapping logic for your environment.
Note: You must configure all required fields either through direct mappings or default values. Events missing these will be rejected by Edwin AI.
- Select Save, and reload the configuration.
Configuring Field Mappings and Transformations
The splunk_mappings.yaml file is composed of the following four main configuration blocks:
- Mappings
- Timestamps
- Transformations
- Defaults
Mapping Splunk Event Fields to Edwin AI fields
Mappings define how Splunk event fields are translated into Edwin AI fields. You use the mappings section in splunk_mappings.yaml to define how Splunk fields are mapped.
The following table provides a description of what each Splunk Cloud event field maps to:
| event_source | Originating system (for example, Splunk) |
| event_ci | Host or resource (for example, IP address or hostname) |
| event_object | Instance or subcomponent of the host |
| event_name | Short name for the alert or metric |
| event_severity | Alert severity level |
| event_description | One-line summary of the alert |
(Optional) event_details | Detailed message or description |
| event_time | Timestamp of the alert |
| (Optional) event_domain | Customer or tenant identifier |
| event_id | Unique identifier (UUID) |
(Optional) *_link fields | Hyperlinks to relevant objects in Splunk |
Important: Required fields must be either explicitly mapped or defaulted.
The following table provides an example of mapped Edwin AI fields and Splunk event fields:
| event_ci | $.configurationItem.name |
| event_object | $.obj[1].name |
| event_source | $.source |
| event_name | $.alert_name |
| event_description | Uses string_template with variables |
| event_severity | $.event_severity |
| event_time | $.timestamp (can be inferred) |
| event_id | $.event.identifier (UUID format) |
The following displays an example of how Edwin AI fields can be used to construct dynamic strings:
event_description:
string_template: "sample text {variable1} {v2}"
variable1: ["$.alert_name"]
v2: ["$.not_exist", "$.configurationItem.name", "$.source"]Splunk Cloud Timestamps
Timestamps control how event_time values are parsed.
The following table includes examples of each timestamp option:
| type | datetime or unix |
datetime | day_first, year_first, offset |
| offset support | {BST: 3600, PST: -28800} |
Splunk Cloud Transformations
Transformations normalize incoming values from Splunk before they are mapped.
The following code sample displays how transformations normalize incoming values:
transforms:
event_severity:
critical: ["crt", "code red"]
major: ["maj"]
minor: ["min"]
warning: ["wrn"]
indeterminate: ["sdt"]
clear: [0, 255]Splunk Cloud Defaults
Defaults define fallback values for required fields when mappings are missing or null. Defining defaults helps prevent event rejections between Edwin AI and Splunk Cloud.
The following code sample displays how defaults define fallback values:
defaults:
event_ci: "defaultEventCI"
event_object: "defaultEventObject"
event_source: "Splunk"
event_name: "defaultEventName"
event_description: "Default event description"
event_severity: 1
event_ci_link: "https://example.com/ci/test-host"
event_name_link: "https://example.com/event/test-event"Using Enrichments in Event Payloads
Enrichments can be used to add custom static or dynamic fields to each event. These enrichments appear as additional columns or metadata within Edwin AI and can be used to aid routing, assignment, or incident correlation.
Enrichments can include static string values (for example, source_tool: Splunk), dynamic string templates with variable substitution, and prioritized lists of JSON paths for fallback logic. These features enable you to enhance each event with meaningful context, even when fields may vary across different data sources.
The following code sample displays how enrichments can be used in a JSON path:
enrichments:
source_tool: "Splunk"
environment: "prod"
team:
string_template: "{owner}"
owner: ["$.configurationItem.team", "$.fallbackTeam"]Recommendation: Use enrichments to improve event clarity, automate workflows, and support advanced filtering in Edwin AI.