# Setting up Log Streaming for Splunk

### Overview

Splunk is a data platform for analyzing data of any structure, from any source, across any timescale. Beyond operational monitoring of system health, performance and traffic, it offers SIEM and SOAR (Security Orchestration, Automation, and Response) capabilities through Splunk Enterprise Security and Splunk SOAR (formerly Splunk Phantom): monitoring, detection and investigation of security threats, and automation of response workflows.

### What you’ll prepare

* A **target index** for audit events (e.g., `fenixpyre_audit`)
* A **HEC token** bound to that index
* Your **HEC endpoint URL**
* (Trial stacks only) A note on TLS if your trial uses port **8088** with a certificate that is not publicly trusted (what to tell us is covered below)

> HEC (HTTP Event Collector) is Splunk's HTTP/HTTPS ingestion method. The Splunk Web steps are the same on Splunk Cloud and Splunk Enterprise. [See the Splunk docs](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector)

***

### Identify your HEC endpoint (URL format)

Use the pattern that matches your environment:

* **Splunk Cloud (standard/managed)** `https://http-inputs-<your_stack>.splunkcloud.com/services/collector/event` (port 443)
* **Splunk Cloud (some trials)** `https://<your_stack>.splunkcloud.com:8088/services/collector/event` (port 8088). If `http-inputs-…` is not available on your trial, 8088 is often enabled.
* **Splunk Enterprise (self-hosted)** `https://<your_host>:8088/services/collector/event` (the default HEC port is 8088).

> [Check Splunk Docs](https://help.splunk.com/en/splunk-cloud-platform/get-started/get-data-in/9.3.2408/get-data-with-http-event-collector/http-event-collector-rest-api-endpoints)
>
> HEC event ingestion endpoints are `/services/collector/event` (JSON "event" wrapper) or `/services/collector/raw` (raw text). We'll use `/event` for structured JSON.

***

### Create (or choose) an index

1. In **Splunk Web**, go to **Settings → Indexes → New Index**.
2. Name it (e.g., `fenixpyre_audit`) and **Save**.
3. Note the index name; you’ll bind it to the token.

*(Any index works; dedicated is recommended for access control and retention management.)*

***

### Enable HEC & create a token

1. **Enable HEC (if needed)** **Settings → Data Inputs → HTTP Event Collector → Global Settings → Enabled** (and leave **SSL/TLS** on).
2. **Create a HEC token** **Settings → Data Inputs → HTTP Event Collector → New Token**, then:
   * **Name:** `fenixpyre-hec` (or similar)
   * **Source type:** `fenixpyre:audit` (or `json`)
   * **Index:** select your index (e.g., `fenixpyre_audit`)
   * **Allowed Indexes:** ensure your target index is allowed
   * **Indexer acknowledgment:** **OFF** (leave disabled unless you explicitly require ack and channel handling)
3. Click **Save** and copy the **token value** (a long GUID).

> Why keep indexer ack off? If ack is on but the sender does not supply a HEC **channel** (the `X-Splunk-Request-Channel` header or `channel` query parameter), Splunk answers **"Data channel is missing (code=10)"** and the data is not indexed.
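For Splunk Enterprise admins who manage configuration as files, the same global setting and token can be declared in `inputs.conf` instead of Splunk Web. This is an added example based on the documented `inputs.conf` HEC settings; it is not from this page or from FenixPyre, the stanza name and token value are placeholders (when a token is created in this file you supply the GUID yourself), and it does not apply to Splunk Cloud, where the file is not exposed and Splunk Web is the only path. Put it in `$SPLUNK_HOME/etc/system/local/inputs.conf` (or an app's `local/inputs.conf`) and restart or reload Splunk afterwards.

```ini
# Global HEC settings: enabled, TLS on, default port 8088
[http]
disabled = 0
enableSSL = 1
port = 8088

# One token stanza; the part after http:// is the token's display name
[http://fenixpyre-hec]
disabled = 0
# Replace with a GUID you generate (e.g. uuidgen); treat it as a secret
token = <YOUR_HEC_TOKEN>
# Default index and sourcetype applied when the sender does not set them
index = fenixpyre_audit
sourcetype = fenixpyre:audit
# Indexes this token may write to; keeps a leaked token from touching other data
indexes = fenixpyre_audit
# Indexer acknowledgment off, matching the Splunk Web steps above
useACK = 0
```

Check the result with `$SPLUNK_HOME/bin/splunk btool inputs list http --debug`, which prints the effective stanzas and the file each setting came from.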

***

### Confirm your HEC URL + token with `curl`

Replace placeholders and run:

```bash
# For Splunk Cloud (standard, 443); TLS verification stays on
curl -sS https://http-inputs-<your_stack>.splunkcloud.com/services/collector/event \
  -H "Authorization: Splunk <YOUR_HEC_TOKEN>" \
  -d '{"event":{"hello":"fenixpyre-test"},"sourcetype":"fenixpyre:audit","index":"fenixpyre_audit"}'
```

```bash
# For Splunk Cloud trial (if :8088 works for you)
# -k skips certificate verification: acceptable for a one-off test against a
# trial certificate that is not publicly trusted, never for the production feed
curl -sS -k https://<your_stack>.splunkcloud.com:8088/services/collector/event \
  -H "Authorization: Splunk <YOUR_HEC_TOKEN>" \
  -d '{"event":{"hello":"fenixpyre-test"},"sourcetype":"fenixpyre:audit","index":"fenixpyre_audit"}'
```

Expected response:

```
{"text":"Success","code":0}
```

> Splunk Cloud environments enforce a **maximum HEC request size of ~1 MB** by default, so keep each request body (a batch of events) below that. (Cribl is pre-tuned for this when we set it up.)
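The `curl` checks above send a single event and show you only `{"text":"Success","code":0}`. A real sender has to keep each request body under the ~1 MB limit and make sense of HEC's other reply codes (for example `code=10` when ack is on but no channel is sent). The following is an added example, not FenixPyre's or Splunk's code: it wraps events in the `/services/collector/event` envelope, packs them into size-bounded bodies (HEC accepts several JSON objects back to back in one request), posts them with TLS verification left on, and decodes the reply. The reply-code table is Splunk's documented HEC code list; the sample events and the `fake_splunk` transport in `__main__` are constructed so the script runs offline.

```python
"""HEC sender helpers: size-bounded batching and reply-code diagnosis."""
import json
import urllib.error
import urllib.request
from typing import Callable, Iterable

# Splunk Cloud rejects HEC request bodies over ~1 MB by default; stay under it.
MAX_BODY_BYTES = 1_000_000

# HEC reply codes as documented by Splunk (verify against the HEC docs for your version).
HEC_CODES = {
    0: "Success", 1: "Token disabled", 2: "Token is required",
    3: "Invalid authorization", 4: "Invalid token", 5: "No data",
    6: "Invalid data format", 7: "Incorrect index", 8: "Internal server error",
    9: "Server is busy",
    10: "Data channel is missing (indexer ack is ON but no X-Splunk-Request-Channel was sent)",
    11: "Invalid data channel", 12: "Event field is required",
    13: "Event field cannot be blank", 14: "ACK is disabled",
}


def hec_envelope(event: dict, index: str, sourcetype: str) -> bytes:
    """Wrap one audit record in the /services/collector/event JSON envelope."""
    return json.dumps({"event": event, "index": index, "sourcetype": sourcetype},
                      separators=(",", ":")).encode("utf-8")


def build_batches(events: Iterable[dict], index: str, sourcetype: str,
                  max_bytes: int = MAX_BODY_BYTES) -> list[bytes]:
    """Concatenate envelopes into request bodies that each stay within max_bytes.
    An event that alone exceeds the limit is refused here instead of by Splunk."""
    batches, current = [], b""
    for ev in events:
        blob = hec_envelope(ev, index, sourcetype)
        if len(blob) > max_bytes:
            raise ValueError(f"single event of {len(blob)} bytes exceeds {max_bytes}")
        if current and len(current) + len(blob) > max_bytes:
            batches.append(current)
            current = b""
        current += blob
    if current:
        batches.append(current)
    return batches


def explain_response(status: int, body: bytes) -> str:
    """Turn an HEC HTTP status plus JSON body into a one-line diagnosis."""
    try:
        payload = json.loads(body)
    except ValueError:
        return f"HTTP {status}: non-JSON response ({body[:80]!r})"
    code = payload.get("code")
    return f"HTTP {status}: code={code} {HEC_CODES.get(code, payload.get('text', 'unknown'))}"


def default_transport(url: str, token: str, body: bytes) -> tuple[int, bytes]:
    """POST one body with urllib; certificate verification is left ON (no curl -k)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:  # HEC returns 4xx with a JSON body
        return exc.code, exc.read()


def send_events(url: str, token: str, events: Iterable[dict], index: str, sourcetype: str,
                transport: Callable[[str, str, bytes], tuple[int, bytes]] = default_transport,
                max_bytes: int = MAX_BODY_BYTES) -> list[str]:
    """Send all events in size-bounded batches; return one diagnosis per batch."""
    results = []
    for body in build_batches(events, index, sourcetype, max_bytes):
        status, resp = transport(url, token, body)
        results.append(explain_response(status, resp))
    return results


if __name__ == "__main__":
    # Constructed stand-in for a token with indexer ack ON and no channel sent.
    def fake_splunk(url: str, token: str, body: bytes) -> tuple[int, bytes]:
        return 400, b'{"text":"Data channel is missing","code":10}'

    sample = [{"action": "file.open", "user": f"u{i}"} for i in range(3)]  # constructed
    url = "https://http-inputs-<your_stack>.splunkcloud.com/services/collector/event"
    for line in send_events(url, "<YOUR_HEC_TOKEN>", sample, "fenixpyre_audit",
                            "fenixpyre:audit", transport=fake_splunk):
        print(line)  # HTTP 400: code=10 Data channel is missing (...)
```

Swap `fake_splunk` for `default_transport` (the default) and your real URL and token to send to Splunk; the token is passed only in the `Authorization` header and never logged.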

***

### Verify in Splunk Search

In the **Search & Reporting** app, run:

```spl
index=fenixpyre_audit | head 10
```

You should see your test event(s). If nothing appears, check the index name, the token status (enabled, bound to that index) and the endpoint you used. On Splunk Enterprise, rejected HEC requests are logged with their reply code in `index=_internal sourcetype=splunkd component=HttpInputDataHandler`.

***

### Share these details with FenixPyre Support

Send the following (no screenshots needed for now). The HEC token is a bearer credential that authorizes writes to your index, so share it over a secure channel rather than in plain e-mail, and rotate it from **Settings → Data Inputs → HTTP Event Collector** if it is ever exposed.

* **HEC endpoint URL** (pick the one that works for your stack):
  * Splunk Cloud standard: `https://http-inputs-<your_stack>.splunkcloud.com/services/collector/event`
  * Splunk Cloud trial (if applicable): `https://<your_stack>.splunkcloud.com:8088/services/collector/event`
* **HEC token** (value from the token you created)
* **Index name** (e.g., `fenixpyre_audit`)
* **Sourcetype** (e.g., `fenixpyre:audit`)
* (Trial on port 8088 only) whether the certificate is publicly trusted; if it is not, say so, since a `-k` style test is not how the production feed will run

*(FenixPyre Support will configure Cribl with safe defaults, including a request body size of at most 1 MB.)*
