> For the complete documentation index, see [llms.txt](https://doc.keepnetlabs.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://doc.keepnetlabs.com/next-generation-product/platform/company/company-settings/siem-integrations/splunk-integration.md).

# Splunk Integration

The Splunk HTTP Event Collector (HEC) allows you to send data and application events to a Splunk distribution over HTTP and HTTPS protocols. The HEC uses a token-based authentication model.

The steps and guidance provided below will ensure a successful integration.

## Integration Steps

From the left menu go to **Company Settings > SIEM Integrations** and click the **+ NEW** button and provide the information requested.

<table data-header-hidden><thead><tr><th width="150"></th><th width="582.1428571428571"></th></tr></thead><tbody><tr><td>Integration Name</td><td>SIEM configuration name.</td></tr><tr><td>History Logs</td><td><p>Select this option to ensure that all data in the audit log will be transferred to your SIEM solution.<br></p><p>If this feature is inactive, only the audit log data recorded after defining the SIEM integration will be transferred to your SIEM solution.</p></td></tr><tr><td>Integration Type</td><td>Select Splunk integration type.</td></tr><tr><td>URL</td><td>The URL address of your Splunk solution.</td></tr><tr><td>Secret Token</td><td>Define Secret Token.</td></tr><tr><td>Test Connection</td><td>Test the connection to be sure it works correctly.</td></tr></tbody></table>

### **How to Get the Splunk URL Address**

To learn the URL address of the Splunk product, log in to the Splunk management console, then click **Data Inputs** in the **Data** field from the **Settings** section at the top. In the **Data Inputs** window that opens, click on **HTTP Event Collector (HEC).**

* Click the **Global Settings** button in the upper right of the HTTP Event Collector page.
* Retrieve the Splunk URL and the HTTP port number to be entered in the URL field of the platform.

### **How to Get Secret Token**

Log in to the Splunk management console, then click **Data Inputs** in the **Data** field from the **Settings** section at the top. Next, click on **HTTP Event Collector (HEC)** in the **Data Inputs** window.

* Click the **New Token** button on the upper right of the HTTP Event Collector (HEC) page.
* Complete the **Name** field and click the **Next** button.
* Click the **Select** button to apply the resource type specified in the **Input Settings** page to the data.
* Choose **select\_json (JavaScript Object Notation format)** from the **Structured** field of the window that opens.
* Click the **Review** button. After verifying the selections in the **Review** field, click the **Submit** button.
* After receiving a message indicating that the token has been created successfully, you can copy the **Token Value** created here and use it in the relevant field of the platform.

## **Control Phase**

In order to make sure that the integration works and logs are being transferred from the platform to the Splunk product properly, a test is advise&#x64;**.**

* After performing the integration, click the **Start Searching** button on the Splunk administration panel.
* When you click the **Test Connection** button on the platform, you can see this request or other platform logs in the **Search** field on the Splunk administration panel.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://doc.keepnetlabs.com/next-generation-product/platform/company/company-settings/siem-integrations/splunk-integration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.