Use the Splunk App for Privilege Management Cloud

This document describes the installation and configuration of the Splunk app for BeyondTrust Privilege Management Cloud (PM Cloud). The integration consists of an application that can be installed in a Splunk instance directly from Splunkbase.

Using the Splunk app, you can:

  • Pull client events and activity audit events generated by Privilege Management endpoints and PM Cloud into Splunk.
  • On the dashboard, visualize and interpret the large number of events forwarded to Splunk by Privilege Management Cloud. The app ships with working reports that can be used as is or as templates for custom reports, so you benefit from the integration between PM Cloud and Splunk without building searches from scratch.

Privilege Management Cloud reports in Splunk Apps


Prerequisites

Before proceeding with the integration, ensure the following are in place.

PM Cloud 23.1 or later is required.

Network Considerations

Your Splunk instance needs to connect to the REST API endpoints provided by your PM Cloud site. Communication is HTTPS on TCP port 443 and is always initiated by Splunk: the inputs query the PM Cloud site for event information, which is then ingested into Splunk. Make sure any firewall or egress filtering permits outbound HTTPS from the Splunk instance that runs the inputs to the services hostname of your PM Cloud site.

Create a PM Cloud API Account

The Splunk app authenticates to the PM Cloud Management API with this account. Create a dedicated account for the integration rather than reusing one shared with other tools, so the credential can be rotated or revoked on its own. Record the Client ID and Client Secret when the account is created; both are required when you configure an input.

For more information, please see Configure Access to the Management API.

Install and Configure the App

Once the prerequisites are satisfied, you can move on to the installation and configuration of the integration.

Install the Application

The app is currently available for installation via Splunkbase.

To install the application:

  1. Authenticate to your Splunk instance as an administrator.
  2. Click Apps > Manage Apps.
  3. At the top, click Browse more apps.
  4. Search for BeyondTrust Privilege Management Cloud.
  5. Click Install on the app listing.

Configure Application

Once the application is installed in your Splunk instance, you can configure inputs for one or both of the data feeds it can consume.

The two categories of events that can be consumed by the application are:

  • Client Events: These events originate from the individual systems being managed by BeyondTrust Endpoint Privilege Management. They flow back to the PM Cloud site, and are retrievable via the API. Examples include: user logon, a process started, a process blocked, etc.
  • Activity Audits: These events represent activities that occur in the PM Cloud web interface. Examples include: user role changes, editing or committing a policy draft, assigning a computer to a group, etc.

To add an input for either of the data feeds:

  1. Authenticate to your Splunk instance as an administrator.

PM Cloud reporting app in Splunk.

  2. Click Apps > BeyondTrust Privilege Management Cloud.
  3. On the Inputs tab, click Create New Input.
  4. Two options are presented for the type of input to create. Select an input type: Client Events or Audit Activity.

Client events in the Splunk app for Privilege Management Cloud reporting.

  5. Enter the appropriate values in each of the configuration fields. The screen capture shows the Client Events fields.
    • Name: Give the input configuration a unique name.
    • Interval: The number of seconds between each attempt to retrieve new data.
    • Index: The name of the index into which all events from this input are placed. By default, use the index created by the app installation: idx_beyondtrust_pmc.
    • PM Cloud Services Hostname: The services hostname of your PM Cloud site. For example, if you access your PM Cloud web interface at, then the appropriate value here is
    • Client ID: The ID value of the API account created in Prerequisites.
    • Client Secret: The secret value of the API account created in Prerequisites.
    • Events Batch Size (Client Events only): If the integration needs to make multiple calls to retrieve the available events, this is the number of events returned in one batch or response. 1000 is both the default and the maximum value.
    • Audit Activity Page Size (Activity Audits only): If the integration needs to make multiple calls to retrieve the available events, this is the number of events returned in one page or response. 200 is both the default and the maximum value.
  6. Click Add to save the configuration. The input runs immediately.
  7. (Optional) If you want the app to ingest event data from both data feeds, repeat steps 3 through 6 for the other input type.
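The following Python is an added illustration of how a polling input of this kind behaves with the Interval and batch/page size settings above; it is not the BeyondTrust app's code. It validates an input configuration against the documented limits (1000 for Client Events, 200 for Activity Audits), then pages through events from a checkpoint until a short page signals there is nothing more to fetch. FakePmCloudApi, its get_events() call and the event field names are constructed stand-ins for the real PM Cloud REST API.

```python
from dataclasses import dataclass

MAX_EVENTS_BATCH_SIZE = 1000   # documented default and maximum for Client Events
MAX_AUDIT_PAGE_SIZE = 200      # documented default and maximum for Activity Audits


@dataclass
class InputConfig:
    name: str
    input_type: str          # "client_events" or "audit_activity" (names assumed)
    interval: int            # seconds between polls
    index: str
    services_hostname: str
    client_id: str
    client_secret: str
    page_size: int           # Events Batch Size or Audit Activity Page Size


def validate_config(cfg):
    """Return a list of problems; an empty list means the input is usable."""
    problems = []
    if cfg.input_type not in ("client_events", "audit_activity"):
        return ["input_type must be client_events or audit_activity"]
    cap = MAX_EVENTS_BATCH_SIZE if cfg.input_type == "client_events" else MAX_AUDIT_PAGE_SIZE
    if cfg.interval <= 0:
        problems.append("interval must be a positive number of seconds")
    if not cfg.index:
        problems.append("index must name the target index (default idx_beyondtrust_pmc)")
    if not cfg.services_hostname or "/" in cfg.services_hostname:
        problems.append("services_hostname must be a bare hostname, not a URL")
    if not (cfg.client_id and cfg.client_secret):
        problems.append("client_id and client_secret are required")
    if not 1 <= cfg.page_size <= cap:
        problems.append(f"page size must be between 1 and {cap} for {cfg.input_type}")
    return problems


class FakePmCloudApi:
    """Constructed stand-in for the PM Cloud events endpoint (not the real API).

    Events are held in memory with increasing integer ids; get_events returns
    up to `limit` events with id greater than `after_id`, oldest first.
    """

    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e["id"])
        self.calls = 0   # number of HTTP requests the poller would have made

    def get_events(self, after_id, limit):
        self.calls += 1
        return [e for e in self.events if e["id"] > after_id][:limit]


def poll_once(api, cfg, checkpoint):
    """One scheduled run of the input.

    Pages from the stored checkpoint until a page shorter than page_size
    shows no more events are available. Returns (events, new_checkpoint).
    The caller must persist new_checkpoint before the next interval; losing
    it re-fetches everything and produces duplicate events in Splunk.
    """
    collected = []
    cursor = checkpoint
    while True:
        page = api.get_events(cursor, cfg.page_size)
        collected.extend(page)
        if page:
            cursor = page[-1]["id"]
        if len(page) < cfg.page_size:
            break
    return collected, cursor


def make_sample_events(n):
    """Constructed sample client events; field names are illustrative only."""
    kinds = ["ProcessStarted", "ProcessBlocked", "UserLogon"]
    return [{"id": i, "event_type": kinds[i % 3], "host": f"ws{i % 7:02d}"}
            for i in range(1, n + 1)]


if __name__ == "__main__":
    cfg = InputConfig("pmc_client_events", "client_events", 300, "idx_beyondtrust_pmc",
                      "services.example.invalid", "client-id", "client-secret",
                      MAX_EVENTS_BATCH_SIZE)
    assert not validate_config(cfg)
    api = FakePmCloudApi(make_sample_events(2500))
    events, ckpt = poll_once(api, cfg, checkpoint=0)
    print(f"first run: {len(events)} events in {api.calls} requests, checkpoint={ckpt}")
    events, ckpt = poll_once(api, cfg, checkpoint=ckpt)
    print(f"second run: {len(events)} new events, checkpoint={ckpt}")
```

With 2500 events and the maximum batch size of 1000, the first run takes three requests (1000, 1000, 500) and leaves the checkpoint at the last id; the second run costs one request and returns nothing. If you build an input like this yourself, keep the client secret out of inputs.conf and in Splunk's secure storage (the storage/passwords endpoint) rather than as cleartext configuration.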

Troubleshoot and Support

Log Files

Should you encounter issues with event ingestion, the application writes a separate log file for each input type. The files are located under $SPLUNK_HOME/var/log/splunk, for example C:\Program Files\Splunk\var\log\splunk on a Windows Splunk Enterprise deployment or /opt/splunk/var/log/splunk on Linux, using the following names:

  • Client Events:


  • Activity Audits:


Data Mismatch

If the dashboard shows no data but manual search queries confirm that events are being ingested, the dashboard queries probably do not match how the events are stored, most likely because the events are in a different index than the dashboard expects (for example, an input was configured with an index other than idx_beyondtrust_pmc).

To correct this, first confirm the index and source type of the ingested events with a manual search, then change the dashboard filters to specify that index, that source type, and a time frame that covers the ingested events. If the filters are not already displayed, click the Show Filters link next to the report title to view and edit the filter values.

Show Filters link in Splunk.