Splunk Integration

Option 1 - HTTP Event Collector (HEC)

1. Enable HEC in Splunk

In Splunk Web, go to Settings > Data Inputs > HTTP Event Collector and create a token. Note the token and HEC endpoint (typically https://splunk:8088/services/collector/event).

2. Configure in Trapster (Enterprise)

  1. Go to Settings > Integrations > Webhooks
  2. Click Add webhook
  3. Select type Splunk
  4. Enter your HEC URL and token
  5. Choose Incidents or Events as the trigger action
  6. Save

Use Send test event to verify delivery.

3. Configure in Trapster (Community)

Use the API logger:

```json
"logger": {
  "output": "api",
  "format": "default",
  "kwargs": {
    "url": "https://your-splunk:8088/services/collector/event",
    "headers": {
      "Authorization": "Splunk <your-hec-token>"
    }
  }
}
```
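The following is an added example, not code from the Trapster project or its documentation. It checks a `logger` block like the one above for the mistakes that most often break or weaken an HEC integration (plain `http`, wrong endpoint path, missing `Splunk` auth scheme, placeholder token left in place) and shows what a request to the HEC event endpoint looks like on the wire. The HEC envelope fields `event`, `source`, `sourcetype` and `time` are standard Splunk HEC fields; the sample event and the `channel`/`src_ip` field names are constructed for the example and are an assumption about Trapster's payload, not its documented schema.

```python
"""Validate a Trapster "logger" block and build Splunk HEC requests.

Added example, not part of the Trapster project. The HEC envelope keys
("event", "source", "sourcetype", "time") are standard Splunk HEC fields;
the sample config and event below are constructed for illustration.
"""
import json
import time
import urllib.request
from typing import Optional
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"


def validate_logger_config(logger_cfg: dict) -> list:
    """Return a list of problems found in a Trapster "logger" block (empty = OK).

    Checks the keys shown on this page: output must be "api", the kwargs URL
    must be an HTTPS HEC event endpoint, and the Authorization header must use
    the "Splunk <token>" scheme with a real (non-placeholder) token.
    """
    problems = []
    if logger_cfg.get("output") != "api":
        problems.append('logger.output must be "api" to post to HEC')
    kwargs = logger_cfg.get("kwargs", {})
    url = urlparse(kwargs.get("url", ""))
    if url.scheme != "https":
        problems.append("HEC URL should use https so the token is not sent in clear text")
    if not url.path.endswith(HEC_PATH):
        problems.append(f"HEC URL path should end with {HEC_PATH}")
    auth = kwargs.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Splunk" or not token:
        problems.append('Authorization header must be "Splunk <hec-token>"')
    elif token.startswith("<"):
        problems.append("Authorization header still contains the <your-hec-token> placeholder")
    return problems


def build_hec_request(url: str, token: str, event: dict, *, source: str = "trapster",
                      sourcetype: str = "_json", event_time: Optional[float] = None):
    """Return (url, headers, body) for one HEC event.

    The event is wrapped in the HEC envelope so Splunk indexes it as JSON with
    the given source/sourcetype, which is what the example search on this
    page filters on.
    """
    envelope = {
        "time": event_time if event_time is not None else time.time(),
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    body = json.dumps(envelope, separators=(",", ":")).encode("utf-8")
    return url, headers, body


def send_event(url: str, token: str, event: dict, timeout: float = 5.0) -> int:
    """POST one event to HEC and return the HTTP status (200 means accepted)."""
    url, headers, body = build_hec_request(url, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample: a logger block with two common mistakes (http, placeholder token).
SAMPLE_LOGGER_CFG = {
    "output": "api",
    "format": "default",
    "kwargs": {
        "url": "http://your-splunk:8088/services/collector/event",
        "headers": {"Authorization": "Splunk <your-hec-token>"},
    },
}

# Constructed sample event; field names chosen to line up with the page's search.
SAMPLE_EVENT = {"channel": "ssh", "src_ip": "203.0.113.7", "message": "login attempt"}

if __name__ == "__main__":
    for problem in validate_logger_config(SAMPLE_LOGGER_CFG):
        print("config problem:", problem)
    _, hdrs, body = build_hec_request(
        "https://your-splunk:8088/services/collector/event", "EXAMPLE-TOKEN", SAMPLE_EVENT)
    print(hdrs["Authorization"], body.decode())
```

Run the validator against your own `logger` block before deploying; `send_event` is the network step and is only needed if you want to post a test event without waiting for Trapster to generate one.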

Option 2 - Syslog

Forward CEF syslog to a Splunk Universal Forwarder or syslog input. See Syslog for Trapster-side configuration.

Splunk query examples

After events arrive:

```
index=main sourcetype=_json source=trapster
| stats count by channel, src_ip
| sort -count
```

Adjust index, sourcetype and source to match what your HEC token or syslog input assigns to the incoming data. Field names such as channel and src_ip match the Trapster incident/event payload sent by the webhook.