Splunk
Connect Splunk Enterprise or Splunk Cloud to SigSentry using a search head and authentication token
The Splunk adapter queries Splunk Enterprise and Splunk Cloud deployments via the REST search API. You'll need a reachable search head URL and an authentication token.
Prerequisites
| Need | Notes |
|---|---|
| Splunk search head URL | e.g. https://splunk.company.com:8089 (REST port, usually 8089) |
| Authentication token | Generated under Settings → Tokens |
| Indexes | The Splunk indexes SigSentry should query |
Setup walkthrough
Generate a Splunk authentication token
In Splunk Web, go to Settings → Tokens → New Token. Set:
| Field | Value |
|---|---|
| User | A user with search capability and read access to the relevant indexes |
| Audience | sigsentry (informational, helps with auditing) |
| Expiration | Set a real expiration; rotate periodically |
Copy the token — it's shown only once.
Tokens must be enabled at the system level under Settings → Tokens → Token Settings → Enable Token Authentication. If tokens are disabled in your deployment, ask an admin to enable them.
Add the log source in SigSentry
Project → Log Sources → Add log source. Pick Splunk and name it descriptively, e.g. splunk-prod.
Enter connection details
| Field | Value |
|---|---|
| Host | Splunk REST URL, e.g. https://splunk.example.com:8089 |
| Token | The auth token you just generated |
Add indexes
Paste the indexes you want SigSentry to query, one per line:
main
prod_app_logs
api_gateway
Or use Splunk search expressions for finer scoping:
index=prod_app_logs sourcetype=json
index=api_gateway sourcetype=access_combined
Test and save
Click Test connection. You should see Connected plus sample lines from a small recent window. Click Save.
What you'll see in results
Each Splunk event shown in an analysis includes:
- Timestamp (from _time)
- Log level (from severity, level, or parsed from _raw)
- Service name (from source, host, or sourcetype)
- Message (from _raw)
- All other indexed fields carried through as metadata
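The following is an added example, not SigSentry's or Splunk's own code, that ties together the three steps above: turning the one-per-line index box into a single SPL search, preparing the token-authenticated call to the REST search API, and normalizing the returned events into the timestamp/level/service/message/metadata fields listed above. Only the /services/search/jobs/export endpoint, the Authorization: Bearer header, and the one-JSON-object-per-line format of output_mode=json are Splunk facts; the function names, the -15m window, the OR-joining of index clauses, and the level/service fallback order are assumptions made for illustration, and the sample export text is constructed.

```python
"""Added example (not SigSentry's or Splunk's own code).  Splunk facts used:
the /services/search/jobs/export endpoint, 'Authorization: Bearer <token>',
and output_mode=json returning one JSON object per line.  Everything else
(function names, the -15m window, the field fallback order) is assumed."""
import json
import re
import ssl
import urllib.parse
import urllib.request

DEFAULT_WINDOW = "-15m"  # assumed "small recent window" for a connection test


def build_search(scope_lines, earliest=DEFAULT_WINDOW):
    """Turn the one-per-line index box into one SPL search (assumed behaviour).
    A bare word is treated as an index name; a line containing '=' is assumed
    to be a search expression and is kept as-is.  Clauses are OR'ed so every
    configured index is covered by a single search job."""
    clauses = []
    for line in scope_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        clauses.append(f"({line})" if "=" in line else f"(index={line})")
    if not clauses:
        raise ValueError("at least one index or search expression is required")
    return f"search {' OR '.join(clauses)} earliest={earliest}"


def export_request(host, token, spl, ca_bundle=None):
    """Prepare the REST call.  Token auth is an 'Authorization: Bearer' header.
    TLS verification stays on: for a private CA, pass its bundle path instead
    of disabling certificate checks."""
    url = host.rstrip("/") + "/services/search/jobs/export"
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    ctx = ssl.create_default_context(cafile=ca_bundle)
    return req, ctx


def run_export(host, token, spl, ca_bundle=None, timeout=30):
    """Perform the call (network; the offline test does not exercise this)."""
    req, ctx = export_request(host, token, spl, ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


LEVEL_RE = re.compile(r"\b(TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL|CRITICAL)\b", re.I)
CORE_FIELDS = {"_time", "_raw", "severity", "level", "source", "host", "sourcetype"}


def normalize_event(result):
    """Map a raw Splunk result dict to the fields shown in an analysis:
    timestamp from _time; level from severity/level or parsed from _raw;
    service from source/host/sourcetype; message from _raw; the rest as metadata."""
    level = result.get("severity") or result.get("level")
    if not level:
        m = LEVEL_RE.search(result.get("_raw", ""))
        level = m.group(1) if m else None
    service = result.get("source") or result.get("host") or result.get("sourcetype")
    metadata = {k: v for k, v in result.items() if k not in CORE_FIELDS}
    return {
        "timestamp": result.get("_time"),
        "level": level.upper() if level else None,
        "service": service,
        "message": result.get("_raw"),
        "metadata": metadata,
    }


def parse_export(text):
    """Parse the newline-delimited JSON the export endpoint streams back,
    skipping preview rows and any line without a 'result' object."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        events.append(normalize_event(obj["result"]))
    return events


# Constructed sample of what the export endpoint streams back (not real data).
SAMPLE_EXPORT = "\n".join([
    '{"preview":false,"offset":0,"result":{"_time":"2024-05-01T10:00:00.000+00:00","_raw":"{\\"msg\\":\\"login ok\\"}","level":"info","source":"/var/log/app.log","host":"app-01","sourcetype":"json","user":"alice"}}',
    '{"preview":false,"offset":1,"result":{"_time":"2024-05-01T10:00:01.000+00:00","_raw":"ERROR upstream timeout after 30s","host":"gw-01","sourcetype":"access_combined","status":"504"}}',
    '{"preview":true,"offset":2,"result":{"_time":"2024-05-01T10:00:02.000+00:00","_raw":"partial"}}',
])

if __name__ == "__main__":
    spl = build_search("main\nindex=prod_app_logs sourcetype=json\napi_gateway")
    print(spl)
    req, _ = export_request("https://splunk.example.com:8089", "<TOKEN>", spl)
    print(req.full_url, req.get_header("Authorization"))
    for ev in parse_export(SAMPLE_EXPORT):
        print(ev)
```

Note that the second sample event has no severity or level field, so the level is parsed from _raw, and it has no source field, so the service falls back to host; the preview row is dropped. Swapping the -15m window or the fallback order for SigSentry's real values is a one-line change.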
Quirks
| Quirk | Notes |
|---|---|
| REST port | Default is :8089, not the web UI port (:8000) |
| TLS | Self-signed certs require either a public CA chain or pre-shared trust |
| Cloud vs Enterprise | Splunk Cloud uses https://<stack>.splunkcloud.com:8089; same auth model |
| Token vs basic auth | We support tokens only — basic auth (username + password) is deprecated |
Troubleshooting
| Error | Fix |
|---|---|
| 401 Unauthorized | Token expired or user lacks search permission |
| 404 Not Found | Wrong port (use :8089) or path issue |
| SSL certificate verify failed | Splunk has a self-signed cert; install a real cert or contact support |
| Slow queries | Reduce indexes, narrow the search clause, or use sourcetype hints |
