
Edwin AI Splunk Cloud Integration

Last updated on 08 July, 2025

The LogicMonitor Edwin AI Splunk Integration enables Edwin AI to receive and normalize event data from your Splunk Cloud environment in real time. This integration transforms incoming Splunk events into the Edwin Common Event Format (CEF) using a configurable YAML-based mapping structure.

The integration supports field extraction, enrichment, normalization, and default fallback logic to ensure clean and consistent event ingestion into Edwin AI.

To set up the Edwin AI Splunk Integration, complete the following tasks:

  • Deploy the integration ZIP package into your Splunk Cloud environment
  • Provide your Edwin AI API credentials
  • Customize the splunk_mappings.yaml file to control how events are parsed and enriched
  • Validate field mappings and transformations

Requirements for Configuring Edwin AI Splunk Integration

To install and configure the Edwin AI Splunk Integration, you need:

  • Access to a Splunk Cloud instance
  • A valid Edwin AI API token
  • Organization name in Edwin AI
  • splunk_mappings.yaml configuration file

Installing and Configuring the Edwin AI Splunk Cloud Integration

  1. Download the Edwin AI integration zip package.
  2. In your Splunk Cloud, navigate to Apps > Manage Apps.
  3. Select Install app from file, then upload the Edwin AI zip package.

Note: After the zip package is uploaded, restart your Splunk instance if prompted.

  4. Open the installed Edwin AI integration app > Configuration page.
  5. In the API Token field, enter your Edwin API token.
  6. In the Organization Name field, enter your Edwin AI organization name.
  7. Select Save.
  8. Locate the splunk_mappings.yaml file that is bundled with the integration.
    Review the file to ensure the mappings, timestamps, transforms, and defaults sections align with your Splunk Cloud data structure.
    If needed, customize the mapping logic for your environment.

Note: You must configure all required fields either through direct mappings or default values. Events missing these will be rejected by Edwin AI.

  9. Select Save, and reload the configuration.

Configuring Field Mappings and Transformations

The splunk_mappings.yaml file is composed of the following four main configuration blocks:

  • Mappings
  • Timestamps
  • Transformations
  • Defaults

Mapping Splunk Event Fields to Edwin AI Fields

Mappings define how Splunk event fields are translated into Edwin AI fields. They are declared in the mappings section of splunk_mappings.yaml.

The following table describes each Edwin AI field that a Splunk Cloud event field can be mapped to:

Edwin AI field            Description
event_source              Originating system (for example, Splunk)
event_ci                  Host or resource (for example, IP address or hostname)
event_object              Instance or subcomponent of the host
event_name                Short name for the alert or metric
event_severity            Alert severity level
event_description         One-line summary of the alert
event_details (optional)  Detailed message or description
event_time                Timestamp of the alert
event_domain (optional)   Customer or tenant identifier
event_id                  Unique identifier (UUID)
*_link fields (optional)  Hyperlinks to relevant objects in Splunk

Important: Required fields must be either explicitly mapped or defaulted.

The following table provides an example of mapped Edwin AI fields and Splunk event fields:

Edwin AI field     Splunk event field
event_ci           $.configurationItem.name
event_object       $.obj[1].name
event_source       $.source
event_name         $.alert_name
event_description  Uses string_template with variables
event_severity     $.event_severity
event_time         $.timestamp (can be inferred)
event_id           $.event.identifier (UUID format)

The following example shows how string_template builds a dynamic Edwin AI field from Splunk fields. Each template variable is a prioritized list of JSON paths; the first path that resolves to a value is used, so a path that does not exist in the event is skipped:

event_description:
  string_template: "sample text {variable1} {v2}"
  variable1: ["$.alert_name"]
  # $.not_exist is skipped; $.configurationItem.name is used, then $.source as a fallback
  v2: ["$.not_exist", "$.configurationItem.name", "$.source"]

Splunk Cloud Timestamps

Timestamps control how event_time values are parsed.

The following table includes examples of each timestamp option:

Option          Values
type            datetime or unix
datetime        day_first, year_first, offset
offset support  {BST: 3600, PST: -28800}

Splunk Cloud Transformations

Transformations normalize incoming values from Splunk before they are mapped.

The following code sample displays how transformations normalize incoming values:

transforms:
  event_severity:
    critical: ["crt", "code red"]
    major: ["maj"]
    minor: ["min"]
    warning: ["wrn"]
    indeterminate: ["sdt"]
    clear: [0, 255]

Splunk Cloud Defaults

Defaults define fallback values for required fields when mappings are missing or null. Defining defaults prevents Edwin AI from rejecting Splunk Cloud events that lack a required field.

The following code sample displays how defaults define fallback values:

defaults:
  event_ci: "defaultEventCI"
  event_object: "defaultEventObject"
  event_source: "Splunk"
  event_name: "defaultEventName"
  event_description: "Default event description"
  event_severity: 1
  event_ci_link: "https://example.com/ci/test-host"
  event_name_link: "https://example.com/event/test-event"

Using Enrichments in Event Payloads

Enrichments can be used to add custom static or dynamic fields to each event. These enrichments appear as additional columns or metadata within Edwin AI and can be used to aid routing, assignment, or incident correlation.

Enrichments can include static string values (for example, source_tool: Splunk), dynamic string templates with variable substitution, and prioritized lists of JSON paths for fallback logic. These features enable you to enhance each event with meaningful context, even when fields may vary across different data sources.

The following code sample shows two static enrichments and a templated enrichment that falls back through a prioritized list of JSON paths:

enrichments:
  source_tool: "Splunk"
  environment: "prod"
  team:
    string_template: "{owner}"
    owner: ["$.configurationItem.team", "$.fallbackTeam"]

Recommendation: Use enrichments to improve event clarity, automate workflows, and support advanced filtering in Edwin AI.
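As an added illustration (not the integration's own code), the following Python models the mapping semantics this page describes: prioritized JSON-path fallback lists, string_template substitution, transforms, defaults, and rejection of an event that still lacks a required field. The $.a.b[1].c path syntax, the treatment of an unresolved template variable as null, and the sample event are assumptions; the config is spelled as a Python dict so no YAML library is needed.

```python
import re
CONFIG = {  # constructed: mirrors this page's splunk_mappings.yaml blocks; a list is a fallback order
    "mappings": {"event_source": ["$.source"], "event_ci": ["$.configurationItem.name"],
                 "event_object": ["$.obj[1].name"], "event_name": ["$.alert_name"],
                 "event_severity": ["$.event_severity"], "event_id": ["$.event.identifier"],
                 "event_description": {"string_template": "{variable1} on {v2}",
                                       "variable1": ["$.alert_name"],
                                       "v2": ["$.not_exist", "$.configurationItem.name", "$.source"]}},
    "transforms": {"event_severity": {"critical": ["crt", "code red"], "major": ["maj"], "minor": ["min"],
                                      "warning": ["wrn"], "indeterminate": ["sdt"], "clear": [0, 255]}},
    "defaults": {"event_ci": "defaultEventCI", "event_object": "defaultEventObject", "event_severity": 1,
                 "event_source": "Splunk", "event_name": "defaultEventName",
                 "event_description": "Default event description"},
}
REQUIRED = tuple(CONFIG["mappings"])  # every field mapped above is a required field in this page's table
SAMPLE = {"source": "Splunk", "alert_name": "CPU high", "event_severity": "crt",  # constructed raw event
          "configurationItem": {"name": "web-01"}, "obj": [{"name": "cpu0"}, {"name": "cpu1"}],
          "event": {"identifier": "00000000-0000-4000-8000-000000000001"}}

def resolve_path(event, path):
    """Walk a '$.a.b[1].c' style path; a missing segment yields None for the rest of the walk."""
    cur = event
    for key, idx in re.findall(r"\.(\w+)|\[(\d+)\]", path):
        cur = (cur.get(key) if isinstance(cur, dict) and key
               else cur[int(idx)] if isinstance(cur, list) and idx and int(idx) < len(cur) else None)
    return cur

def first_present(event, paths):  # prioritized fallback list: the first non-null value wins
    return next((v for v in (resolve_path(event, p) for p in paths) if v is not None), None)

def apply_rule(event, rule):
    """Fallback list, or string_template over fallback-list variables (unresolved variable -> None)."""
    if isinstance(rule, dict) and "string_template" in rule:
        values = {k: first_present(event, v) for k, v in rule.items() if k != "string_template"}
        return None if None in values.values() else rule["string_template"].format(**values)
    return first_present(event, rule)

def to_edwin_event(event, cfg=CONFIG):
    """Map, transform and default one raw event; reject it if a required field is still null."""
    out = {field: apply_rule(event, rule) for field, rule in cfg["mappings"].items()}
    for field, table in cfg["transforms"].items():  # normalize aliases, e.g. "crt" -> "critical"
        for canonical, aliases in table.items():
            if out.get(field) == canonical or out.get(field) in aliases:
                out[field] = canonical
    for field, default in cfg["defaults"].items():
        out[field] = default if out.get(field) is None else out[field]
    missing = [f for f in REQUIRED if out.get(f) is None]
    if missing:
        raise ValueError(f"event rejected, missing required fields: {missing}")
    return out
```

Running to_edwin_event(SAMPLE) yields event_severity "critical", event_object "cpu1" and event_description "CPU high on web-01"; an event with no $.event.identifier is rejected because event_id has no default.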
