Splunk Integration

The Splunk HTTP Event Collector (HEC) allows you to send data and application events to a Splunk distribution over HTTP and HTTPS protocols. The HEC uses a token-based authentication model.

The steps and guidance provided below will ensure a successful integration.

Integration Steps

From the left menu go to Company Settings > SIEM Integrations and click the + NEW button and provide the information requested.

Integration Name

SIEM configuration name.

History Logs

Select this option to ensure that all data in the audit log will be transferred to your SIEM solution.

If this feature is inactive, only the audit log data recorded after defining the SIEM integration will be transferred to your SIEM solution.

Integration Type

Select Splunk integration type.

URL

The URL address of your Splunk solution.

Secret Token

Define Secret Token.

Test Connection

Test the connection to be sure it works correctly.

How to Get the Splunk URL Address

To learn the URL address of the Splunk product, log in to the Splunk management console, then click Data Inputs in the Data field from the Settings section at the top. In the Data Inputs window that opens, click on HTTP Event Collector (HEC).

Click the Global Settings button in the upper right of the HTTP Event Collector page.
Retrieve the Splunk URL and the HTTP port number to be entered in the URL field of the platform.

How to Get Secret Token

Log in to the Splunk management console, then click Data Inputs in the Data field from the Settings section at the top. Next, click on HTTP Event Collector (HEC) in the Data Inputs window.

Click the New Token button on the upper right of the HTTP Event Collector (HEC) page.
Complete the Name field and click the Next button.
Click the Select button to apply the resource type specified in the Input Settings page to the data.
Choose select_json (JavaScript Object Notation format) from the Structured field of the window that opens.
Click the Review button. After verifying the selections in the Review field, click the Submit button.
After receiving a message indicating that the token has been created successfully, you can copy the Token Value created here and use it in the relevant field of the platform.

Control Phase

In order to make sure that the integration works and logs are being transferred from the platform to the Splunk product properly, a test is advised.

After performing the integration, click the Start Searching button on the Splunk administration panel.
When you click the Test Connection button on the platform, you can see this request or other platform logs in the Search field on the Splunk administration panel.

PreviousSIEM Integrations NextSyslog Integration

Last updated 2 years ago

Was this helpful?

Integration Steps

From the left menu go to Company Settings > SIEM Integrations and click the + NEW button and provide the information requested.

Integration Name

SIEM configuration name.

History Logs

Select this option to ensure that all data in the audit log will be transferred to your SIEM solution.

If this feature is inactive, only the audit log data recorded after defining the SIEM integration will be transferred to your SIEM solution.

Integration Type

Select Splunk integration type.

URL

The URL address of your Splunk solution.

Secret Token

Define Secret Token.

Test Connection

Test the connection to be sure it works correctly.

How to Get the Splunk URL Address

Click the Global Settings button in the upper right of the HTTP Event Collector page.

Retrieve the Splunk URL and the HTTP port number to be entered in the URL field of the platform.

How to Get Secret Token

Click the New Token button on the upper right of the HTTP Event Collector (HEC) page.

Complete the Name field and click the Next button.

Click the Select button to apply the resource type specified in the Input Settings page to the data.

Choose select_json (JavaScript Object Notation format) from the Structured field of the window that opens.

Click the Review button. After verifying the selections in the Review field, click the Submit button.

After receiving a message indicating that the token has been created successfully, you can copy the Token Value created here and use it in the relevant field of the platform.

Control Phase

In order to make sure that the integration works and logs are being transferred from the platform to the Splunk product properly, a test is advised.

After performing the integration, click the Start Searching button on the Splunk administration panel.

When you click the Test Connection button on the platform, you can see this request or other platform logs in the Search field on the Splunk administration panel.