Setting up Log Streaming for Splunk
Overview
Splunk is a data platform that allows companies to analyze any structure data, from any source, across any timescale. Splunk not only makes it easy for companies to understand the health of their system in terms of performance and traffic. It also offers robust SIEM and SOAR (Security Orchestration, Automation, and Response) capabilities via Splunk Enterprise Security and Splunk Phantom, covering monitoring, detection, investigation of security threats, and automation of workflows.
What you’ll prepare
A target index for audit events (e.g.,
fenixpyre_audit)A HEC token bound to that index
Your HEC endpoint URL
(Trial stacks only) TLS note if your trial uses port 8088 with a non-public cert (we cover what to tell us)
HEC is Splunk’s HTTP/HTTPS ingestion method. Steps are identical in Splunk Web across Cloud/Enterprise. Check splunk docs
Identify your HEC endpoint (URL format)
Use the pattern that matches your environment:
Splunk Cloud (standard/managed)
https://http-inputs-<your_stack>.splunkcloud.com/services/collector/event(port 443)Splunk Cloud (some trials)
https://<your_stack>.splunkcloud.com:8088/services/collector/event(port 8088). Ifhttp-inputs-…is not available on your trial, 8088 is often enabled.Splunk Enterprise (self-hosted)
https://<your_host>:8088/services/collector/event(default HEC port is 8088).
HEC event ingestion endpoints are
/services/collector/event(JSON “event” wrapper) or/services/collector/raw(raw text). We’ll use/eventfor structured JSON.
Create (or choose) an index
In Splunk Web, go to Settings → Indexes → New Index.
Name it (e.g.,
fenixpyre_audit) and Save.Note the index name; you’ll bind it to the token.
(Any index works; dedicated is recommended for access control and retention management.)
Enable HEC & create a token
Enable HEC (if needed) Settings → Data Inputs → HTTP Event Collector → Global Settings → Enabled (and leave SSL/TLS on).
Create a HEC token Settings → Data Inputs → HTTP Event Collector → New Token, then:
Name:
fenixpyre-hec(or similar)Source type:
fenixpyre:audit(orjson)Index: select your index (e.g.,
fenixpyre_audit)Allowed Indexes: ensure your target index is allowed
Indexer acknowledgment: OFF (leave disabled unless you explicitly require ack & channel handling)
Click Save and copy the token value (a long GUID).
Why keep indexer ack off? If ack is on but no HEC channel is used, senders see “Data channel is missing (code=10)” and data won’t index.
Confirm your HEC URL + token with curl
curlReplace placeholders and run:
# For Splunk Cloud (standard, 443)
curl -s https://http-inputs-<your_stack>.splunkcloud.com/services/collector/event \
-H "Authorization: Splunk <YOUR_HEC_TOKEN>" \
-d '{"event":{"hello":"fenixpyre-test"},"sourcetype":"fenixpyre:audit","index":"fenixpyre_audit"}'# For Splunk Cloud trial (if :8088 works for you)
curl -s -k https://<your_stack>.splunkcloud.com:8088/services/collector/event \
-H "Authorization: Splunk <YOUR_HEC_TOKEN>" \
-d '{"event":{"hello":"fenixpyre-test"},"sourcetype":"fenixpyre:audit","index":"fenixpyre_audit"}'Expected response:
{"text":"Success","code":0}Splunk Cloud environments enforce a max HEC request size ~1 MB by default, so keep payload batches small. (Cribl is pre-tuned for this when we set it up.)
Verify in Splunk Search
In the Search & Reporting app, run:
index=fenixpyre_audit | head 10You should see your test event(s). If nothing appears, check the index, token status, and endpoint you used.
Share these details with FenixPyre Support
Send the following (no screenshots needed for now):
HEC endpoint URL (pick the one that works for your stack):
Splunk Cloud standard:
https://http-inputs-<your_stack>.splunkcloud.com/services/collector/eventSplunk Cloud trial (if applicable):
https://<your_stack>.splunkcloud.com:8088/services/collector/event
HEC token (value from the token you created)
Index name (e.g.,
fenixpyre_audit)Sourcetype (e.g.,
fenixpyre:audit)
(FenixPyre Support will configure Cribl with safe defaults, including body size ≤ 1 MB.)
Last updated
Was this helpful?