
How do I correlate from my WebApp DocuSign REST calls to the Splunk docusign index? DocuSign Event ID looks like the best correlation, but I cannot figure out how to get it from the response on my WebApp activity.

 

--Steve

 

Sample search

index=docusign sourcetype="docusign:monitor"
| eval json_payload=_raw
| spath output=userId input=json_payload path=userId
| spath output=user_action input=json_payload path=action
| spath output=user_device input=json_payload path=userAgentClientInfo{}.device{}.family
| spath output=user_device_model input=json_payload path=userAgentClientInfo{}.device{}.brand
| spath output=user_agent input=json_payload path=userAgent
| spath output=user_agent_family input=json_payload path=userAgentClientInfo{}.browser{}.family
| spath output=signers_recipient_guid input=json_payload path=data{}.RecipientInfo{}.RecipientId
| spath output=signers_recipient_id input=json_payload path=data{}.RecipientInfo{}.UserId
| spath output=documentIdGuid input=json_payload path=data{}.envelopeSummary{}.envelopeDocuments{}.documentIdGuid
| spath output=documentName input=json_payload path=data{}.envelopeSummary{}.envelopeDocuments{}.name
| spath output=EnvelopeId input=json_payload path=data{}.EnvelopeId
| join type=left userId
    [ search index=docusign sourcetype=docusign:users
    | stats count by email,userName,title,permissionProfileName,userStatus,userId
    | eval user_name=userName
    | eval user_title=title
    | fields userId,email,user_name,user_title,permissionProfileName,userStatus ]
| join type=left eventId
    [ search `docusign_monitor_data` object=alert
    | eval sender_userID = userId
    | eval alert_description=description
    | eval alert_severity=severity
    | spath output=eventId input=_raw path=data{}.EventIds{}
    | mvexpand eventId
    | fields alert,alert_description,alert_severity,eventId ]
| table _time,eventId, alert,alert_description,alert_severity,EnvelopeId,email,user_name,user_title,permissionProfileName,userStatus,user_action,userId,user_device,user_device_model,user_agent_family,ipAddress,eventId,signers_recipient_guid,signers_recipient_id,signers_email,signers_mobile_number

Hello Steve,

The article below lists the best practices to integrate Splunk with DocuSign Monitor, and it lists a topic that seems related to your request:

  • Use the Add-on lookup tables in automatic lookups and macros to enrich Docusign Monitor data by adding user account information and alert and event details.

https://support.docusign.com/s/document-item?language=en_US&rsc_301&bundleId=gso1581445176035&topicId=sfj1611351664499.html&_LANG=enus

 

