Stream Logs to Splunk
You can create monitoring, alerting, and analysis dashboards in Splunk for Auth0 tenants.
Send events from Auth0 to Splunk
To send Auth0 events to Splunk, you will need to know:
Splunk instance domain name
Splunk event collector token
Retrieve Splunk domain, token, and port
Navigate to your Splunk instance. Copy the domain part of the URL, this is your Splunk Domain. (You may have received this information via email upon Splunk signup as well).
From the system menu select Settings > Data Inputs. Select the Add New link under Local Inputs > HTTP Event Collector.
Next you'll see a token configuration wizard. Name this new token, we recommend naming it
auth0, and click Next.
Select a Source type and an Index. Create a new Source type, named
auth0, and use main as our Index. Click Review.
Review the information displayed and click Submit.
Your new token should be created successfully. Copy the value, this is your Token.
The default Port is
Verify TLS Certificate
The default Splunk Cloud instance uses a self-signed certificate. Auth0 recommends using a certificate from a trusted authority. If you are using the default self-signed certificate, the Verify TLS toggle should be turned off.
Set up log event stream in Auth0
Log in to the Auth0 Dashboard and go to Monitoring > Streams
Click + Create Stream.
Select Splunk, and enter a unique name for your new Splunk Event Stream.
On the next screen, provide the following settings for your Splunk Event Stream:
Setting Description Domain This is the domain URL you copied from Splunk Token This is the token your created in the Splunk dashboard Port By default the port of set to 8088 but can be changed to match you Splunk configuration Verify TLS This toggle should be turned off when using self-signed certificates
Click Save. When Auth0 writes the next log event, you'll receive a copy of that log event in Splunk with the
View logs in Splunk
Log into your Splunk instance (in this case, Cloud).
In the menu bar, select App: Cloud Monitoring...
Click Search & Reporting in the sub-menu.
In the search bar, enter the wildcard
*and adjust the time drop-down to the desired window.
Delivery attempts and retries
Auth0 events are delivered to your server via a streaming mechanism that sends each event as it is triggered. If your server is unable to receive the event, Auth0 will try to redeliver it up to three times. If still unsuccessful, Auth0 will log the failure to deliver, and you will be able to see these failures in the Health tab for your log stream.