Sending Events from Auth0 to Splunk

Splunk provides a platform to easily get insights into all the information generated by your IT infrastructure.

This example shows how you can very easily connect Auth0 to Splunk and stream signup and login events with user contextual information.

Record a SignUp or Login Event in Splunk

This Auth0 rule uses the Splunk REST API to record signup and login events from users to your apps. This is tracked with the signedUp property. If the property is present, then we assume this is a login event. Otherwise we assume that this event is a new signup.

You can send any number of properties. This sample sends contextual information like the user IP address (can be used for location), the application, the username, and so on.

Splunk's API supports basic & token based auth. For simplicity, we use basic auth, with credentials in the rule. You can store these credentials securely in Auth0 using standard settings on the dashboard.

When enabled, this rule will start sending events that will show up on Splunk's dashboard:

Securely Storing Credentials

This example has your Splunk credentials hard-coded into the rule, but if you prefer, you can store them instead in the configuration object (see the Settings under the list of your rules). This allows you to use those credentials in multiple rules if you require, and also prevents you from having to store them directly in the code.

function (user, context, callback) {
  const request = require('request');

  user.app_metadata = user.app_metadata || {};
  const endpoint = ''; // replace with your Splunk HEC endpoint;

  //Add any interesting info to the event
  const hec_event = {
    event: {
      message: user.app_metadata.signedUp ? 'Login' : 'SignUp',
      application: context.clientName,
      clientIP: context.request.ip,
      protocol: context.protocol,
      userId: user.user_id
    source: 'auth0',
    sourcetype: 'auth0_activity'
    url: endpoint,
    headers: {
      'Authorization': 'Splunk ' + configuration.SPLUNK_HEC_TOKEN
    strictSSL: true, // set to false if using a self-signed cert
    json: hec_event
  }, function(error, response, body) {
    if (error) return callback(error);
    if (response.statusCode !== 200) return callback(new Error('Invalid operation'));
    user.app_metadata.signedUp = true;
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function () {
        callback(null, user, context);
      .catch(function (err) {


Notice that if all calls are successful, we signal the user as signed up. So next time we record login.

Check out our repository of Auth0 Rules for more great examples: