Splunk
In case this is the first HEC (HTTP Event Collector) you will configure for your account, make sure that the Event Collector is enabled.
Follow the steps below:
1. Go to Dashboard > Audit > Streamers.
2. Click on Splunk.
3. The "How to" tab will appear, providing a step-by-step guide for the configuration setup.
4. Click on Configuration.
5. Toggle the enable button for Enabled Splunk. This action will reveal a set of configuration fields.
Configuration
(*) Indicates that the field is mandatory.
| Configuration | Description |
|---|---|
| *Splunk Domain | Enter the domain name of your Splunk instance with HEC enabled (e.g., prd-p-XXXXX.splunkcloud.com). |
| *Splunk Token | Provide your Splunk event collector token. To obtain this token, go to Splunk > Settings > Data Inputs > HTTP Event Collector and add a new action. Enter a name, create a new source type with "MAIN" as the Index, review, and submit to generate the token. |
| Splunk Port | Specify the port of your HEC. Default: 8088. |
| Send Admin Events | Enable this option to transmit admin events. |
| Event Types | Choose the event types from the dropdown menu to be sent to the specified topic. |
The streamer will be automatically disabled if the Splunk servers are unreachable or experiencing issues.
6. After providing the necessary configuration, click on SAVE.
7. Then click on TEST CONFIGURATION to verify that the configuration is correct. If the test is successful, you will see LIVE displayed next to Splunk.
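The test in step 7 does the same thing a minimal HEC client would: it POSTs one event to the collector with the token and checks Splunk's acknowledgement. The following is an added example, not code from the original page or from the product it describes. It assumes Splunk's documented HEC interface (the `/services/collector/event` path and the `Authorization: Splunk <token>` header); the domain and token values are placeholders, and the event content is constructed for the demonstration.

```python
# Added example (not from the original page): a minimal Splunk HEC client that
# builds the same kind of request the streamer sends and checks Splunk's reply.
# Assumptions: the endpoint path and "Authorization: Splunk <token>" header are
# Splunk's documented HEC interface; domain/token values below are placeholders.
import json
import ssl
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"
DEFAULT_PORT = 8088  # the page's default HEC port


def hec_url(domain: str, port: int = DEFAULT_PORT) -> str:
    """Full HEC endpoint for a Splunk domain, always over TLS."""
    return f"https://{domain}:{port}{HEC_PATH}"


def hec_headers(token: str) -> dict:
    """HEC authenticates with the token in the Authorization header; treat it as a secret."""
    return {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }


def hec_payload(event: dict, sourcetype: str = "_json", index: str = "main") -> bytes:
    """Wrap an event in the HEC JSON envelope. The index must exist and be allowed for the token."""
    envelope = {"event": event, "sourcetype": sourcetype, "index": index}
    return json.dumps(envelope).encode("utf-8")


def hec_response_ok(body: str) -> bool:
    """Splunk acknowledges accepted events with {"text":"Success","code":0}.
    Any other code (e.g. 4 = invalid token, 7 = incorrect index) means nothing was indexed."""
    try:
        parsed = json.loads(body)
    except ValueError:
        return False
    return isinstance(parsed, dict) and parsed.get("code") == 0


def send_test_event(domain: str, token: str, port: int = DEFAULT_PORT,
                    timeout: float = 10.0) -> tuple:
    """POST one constructed audit-style event; returns (ok, response_text).
    TLS verification stays on deliberately: the token travels in a header, so a
    forged endpoint would otherwise capture it."""
    event = {"action": "streamer_test", "source": "audit-streamer-example"}  # constructed
    req = urllib.request.Request(
        hec_url(domain, port),
        data=hec_payload(event),
        headers=hec_headers(token),
        method="POST",
    )
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8")
    except urllib.error.HTTPError as exc:
        # Splunk answers 4xx with a JSON body carrying the failure code.
        body = exc.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError) as exc:
        # Unreachable host: this is the situation in which the streamer disables itself.
        return False, f"unreachable: {exc}"
    return hec_response_ok(body), body


if __name__ == "__main__":
    # Offline demonstration of the checks (no network call is made here);
    # replace the placeholders and call send_test_event() to exercise a real HEC.
    print(hec_url("prd-p-XXXXX.splunkcloud.com"))
    print(hec_response_ok('{"text":"Success","code":0}'))
    print(hec_response_ok('{"text":"Invalid token","code":4}'))
```

A non-zero `code` in the reply is the detail to look at when TEST CONFIGURATION fails: an invalid or disabled token, a wrong index, or a port that is not the HEC port all produce a distinct code, whereas a host that cannot be reached produces no reply at all, which is the condition under which the streamer is automatically disabled.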