---
title: "Polarity Source Analytics with Splunk — Integration Guide"
slug: "polarity-source-analytics-with-splunk"
description: "Send Polarity usage metrics and source telemetry to Splunk via PSA. Monitor query volume, source utilization, and performance from a Splunk dashboard."
updated: 2024-12-24T17:27:09Z
published: 2024-12-24T17:27:09Z
---

# Polarity Source Analytics with Splunk

*The following guide walks through how to collect source analytic logs from your server using Splunk.*

## Enable Source Analytics

Prior to setting up collection of your source analytic (PSA) logs, please ensure that Polarity Source Analytics logging is enabled:

- [Enabling Polarity Source Analytics](/v1/docs/enabling-polarity-source-analytics)

## Configure Docker Logging for Splunk

Docker supports sending logs to Splunk via the Docker Splunk logging driver. To configure the driver, you will need to edit the `/app/docker-compose.yml` file.

The following `logging` block should be provided under `services` -> `app`:

```yaml
services:
  app:
    # ... existing app service definition ...
    logging:
      driver: "splunk"
      options:
        splunk-url: "https://<SPLUNK_INSTANCE>:8088"
        splunk-insecureskipverify: "false"
        splunk-token: "<SPLUNK_HTTP_EVENT_COLLECTOR_TOKEN>"
        splunk-source: "polarity"
        splunk-index: "polarity"
        splunk-format: "raw"
        tag: ""
```

### Logging Driver Options

- **splunk-url**
  - URL of your Splunk Enterprise, self-service Splunk Cloud instance, or Splunk Cloud managed cluster, including the scheme and port used by the HTTP Event Collector, in one of the following formats: https://your_splunk_instance:8088, https://input-prd-p-XXXXXXX.cloud.splunk.com:8088, or https://http-inputs-XXXXXXXX.splunkcloud.com.
- **splunk-insecureskipverify**
  - If you are running a self-hosted Splunk instance with a self-signed certificate, you may need to tell Docker to ignore certificate verification errors. This option should default to "false".
- **splunk-token**
  - Splunk HTTP Event Collector token used to authenticate to your Splunk instance.
- **splunk-source**
  - Optional event source. This can be set to polarity, but other values can be used for your organization.
- **splunk-index**
  - The event index to send telemetry data to. This should be set to polarity or another index value specific to Polarity telemetry and logging data.
- **splunk-format**
  - The message format for logs sent to Splunk. **This option must be set to raw.** The raw splunk-format ensures that Docker writes the logs exactly as they are produced by the server.
  - Note: if you use the json format, the logs will be wrapped in JSON a second time and the actual telemetry data will become escaped JSON.
- **tag**
  - Set the tag to an empty string (""). Without this setting, Docker will prepend the default tag, which is the container id. The prepended container id results in a log line that is no longer valid JSON.

### Restart Server

After making changes to the `.env` and `docker-compose.yml` files, you will need to restart the Docker containers that run the server with the following command:

```shell
cd /app && ./down.sh && ./up.sh
```

### Note on the Source Analytics Log Format

The Polarity Server v5 telemetry logs no longer include the property `message="Integration Lookup"`. If you were using this property to separate telemetry logs from other logs, we recommend switching to `msgType="integration-lookup"`.

The `msgType` field is also set on v4 telemetry logs, so filtering on this property will identify all telemetry logs from both v4 and v5 servers.
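The following is an added example, not part of this guide or of Polarity's own code, that ties together the two points above: it identifies telemetry records by `msgType="integration-lookup"` (which works for both v4 and v5 servers) and flags the two logging-driver misconfigurations described under the options, a `json` splunk-format (telemetry escaped inside an outer JSON object) and a non-empty `tag` (container id prepended, leaving a line that is not valid JSON). The sample log lines are constructed; the `integration` field and the `line`/`source` wrapper keys are assumptions made for the sample, not fields documented on this page. You can run it against lines exported from the `polarity` index to verify the driver is configured correctly before building dashboards on the data.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value of msgType carried by telemetry records on both v4 and v5 servers.
TELEMETRY_MSG_TYPE = "integration-lookup"


@dataclass
class LineCheck:
    # One of: "telemetry", "other", "double-wrapped", "prefixed", "not-json"
    status: str
    event: Optional[dict]


def _try_json(text: str) -> Optional[dict]:
    """Parse text as a JSON object; return None if it is not one."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def classify_line(line: str) -> LineCheck:
    """Classify one log line as it would be stored in Splunk."""
    raw = line.rstrip("\n")
    obj = _try_json(raw)
    if obj is None:
        # Whole line is not JSON. If a JSON object starts later in the line,
        # something was prepended (the default Docker tag is the container id).
        start = raw.find("{")
        if start > 0:
            inner = _try_json(raw[start:])
            if inner is not None:
                return LineCheck("prefixed", inner)
        return LineCheck("not-json", None)
    if obj.get("msgType") == TELEMETRY_MSG_TYPE:
        return LineCheck("telemetry", obj)
    # splunk-format "json" wraps the original line as an escaped string inside
    # another object; detect a string field that itself parses to a telemetry record.
    for value in obj.values():
        if isinstance(value, str):
            inner = _try_json(value)
            if inner is not None and "msgType" in inner:
                return LineCheck("double-wrapped", inner)
    return LineCheck("other", obj)


def telemetry_events(lines: List[str]) -> List[dict]:
    """Return only well-formed telemetry records (msgType filter, v4 and v5)."""
    return [c.event for c in map(classify_line, lines) if c.status == "telemetry"]


def misconfigured(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (index, problem) for lines that indicate a logging-driver misconfiguration."""
    bad = {"prefixed", "double-wrapped", "not-json"}
    return [(i, c.status) for i, c in enumerate(map(classify_line, lines)) if c.status in bad]


# Constructed sample lines (not real server output).
SAMPLE_LINES = [
    # v5 server: no "message" field, identified by msgType only
    '{"msgType":"integration-lookup","integration":"example-integration"}',
    # v4 server: carries both the legacy message and msgType
    '{"msgType":"integration-lookup","message":"Integration Lookup"}',
    # an ordinary server log line that is not telemetry
    '{"message":"Server started"}',
    # splunk-format "json": the record arrives escaped inside an outer object (assumed shape)
    '{"line":"{\\"msgType\\":\\"integration-lookup\\"}","source":"stdout"}',
    # tag left at its default: a container id is prepended, breaking the JSON
    'a1b2c3d4e5f6 {"msgType":"integration-lookup"}',
]

if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LINES):
        print(i, classify_line(line).status)
    print("telemetry records:", len(telemetry_events(SAMPLE_LINES)))
    print("misconfigured lines:", misconfigured(SAMPLE_LINES))
```

Any `prefixed` result means `tag` is not set to `""`; any `double-wrapped` result means `splunk-format` is not `raw`. Both should be fixed in `docker-compose.yml` and the containers restarted rather than worked around in Splunk searches.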
