How to export logs to Splunk

  1. Create an index for the logs in Splunk

    1. Settings -> Data -> Indexes

    2. Click New Index and follow the walk through

  2. Create a new Splunk HEC input

    1. Settings -> Data -> Data Inputs

    2. Click "+ Add New" next to HTTP Event Collector

    3. Enter a name

    4. Select appropriate source type, or leave as automatic

    5. Select the index you created in step 1 as both allowable and default

    6. Copy the integration token

    7. If you are using Splunk on-prem, ask your Splunk admin for the HEC URL and port (self-hosted Splunk Enterprise listens for HEC on port 8088 by default) and confirm that HEC is enabled under Global Settings on the HTTP Event Collector page

  3. Configure the Smallstep webhook

    1. Go to Settings -> Webhooks

    2. Create webhook

    3. Add a name, select the log type, and select POST as the method

    4. For URL: it is very important that you send to the /services/collector/raw endpoint. The plain /services/collector endpoint expects every event wrapped in the HEC JSON envelope ({"event": ...}); the Smallstep webhook body is not wrapped that way, so Splunk rejects it with "Event field is required". The /raw endpoint accepts the body exactly as sent.

      1. On prem - use what your Splunk admin gives you

      2. Splunk Cloud - https://http-inputs-<host>.splunkcloud.com:443/services/collector/raw

    5. Auth type: Bearer

    6. Authorization: "Splunk <your-hec-token>" (for example, if your token is abcdef-1234-ghijkl, your auth string would be "Splunk abcdef-1234-ghijkl" without quotes). HEC checks the Authorization header for the literal word Splunk, a space, and the token, so enter exactly that string and nothing else.
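Before saving the webhook it is worth confirming that the token, the index and the /raw URL are accepted with a plain POST, so that a failure later is clearly a webhook problem and not a HEC one. The script below is an added example and is not part of this article, of Smallstep, or of Splunk; the variable names HEC_URL and HEC_TOKEN, the function names, and the test event body are all assumptions made for the example.

```shell
#!/usr/bin/env sh
# Pre-flight check for a Splunk HEC input before pointing the Smallstep webhook at it.
# Added example (not Smallstep's or Splunk's own code). Assumptions: the HEC base URL
# is in $HEC_URL and the HEC token in $HEC_TOKEN; the test event body is constructed.
set -u

# Build the /raw endpoint from a base URL such as
# https://http-inputs-<host>.splunkcloud.com:443. A trailing slash, or an
# already-appended /services/collector or /services/collector/raw, is normalized away.
hec_raw_url() {
  base="${1%/}"
  base="${base%/services/collector/raw}"
  base="${base%/services/collector}"
  printf '%s/services/collector/raw' "$base"
}

# The Authorization header HEC expects: the literal word Splunk, a space, the token.
hec_auth_header() {
  printf 'Authorization: Splunk %s' "$1"
}

# True only for the /raw endpoint. The plain collector endpoint requires the
# {"event": ...} envelope, which the webhook body does not carry.
hec_url_is_raw() {
  case "$1" in
    */services/collector/raw) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the numeric "code" from a HEC reply such as {"text":"Success","code":0}.
# 0 = accepted, 4 = invalid token, 7 = incorrect index, 12 = event field required.
hec_reply_code() {
  printf '%s' "$1" | sed -n 's/.*"code":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# POST a constructed test event to the /raw endpoint and succeed only on code 0.
# TLS is verified; for an on-prem server with a private CA add --cacert, not -k.
hec_preflight() {
  url="$(hec_raw_url "$HEC_URL")"
  hec_url_is_raw "$url" || { echo "refusing to send to non-raw endpoint: $url" >&2; return 1; }
  body='{"source":"smallstep-webhook-preflight","msg":"hec reachable"}'
  reply="$(curl -sS -X POST "$url" \
             -H "$(hec_auth_header "$HEC_TOKEN")" \
             -H 'Content-Type: application/json' \
             --data "$body")" || return 1
  printf 'HEC reply: %s\n' "$reply"
  [ "$(hec_reply_code "$reply")" = "0" ]
}

# Only reach out to Splunk when both variables are set; otherwise the file just
# defines the helpers so it can be sourced.
if [ -n "${HEC_URL:-}" ] && [ -n "${HEC_TOKEN:-}" ]; then
  hec_preflight
fi
```

Run it as HEC_URL=https://http-inputs-<host>.splunkcloud.com:443 HEC_TOKEN=<your-hec-token> sh hec-preflight.sh and then search the index you created for source="smallstep-webhook-preflight". A reply with "code":4 means the token was pasted wrongly or is disabled, "code":7 means the index is not in the token's allowed list, and "code":12 means the URL lost its /raw suffix. If you want the test event tagged with the same source type you chose in step 2, append ?sourcetype=<your-sourcetype> to the /raw URL; HEC accepts that as a query parameter.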
