Skip to main content

Splunk Cloud Platform

Splunk is a data analytics platform that enables organizations to search, monitor, and analyze machine-generated data. The Splunk Cloud Platform connector enables you to access Splunk's HTTP Event Collector (HEC) API to send event data to Splunk, check HEC health status, and manage HEC tokens. This connector is particularly useful for applications that need to ingest log data, send events to Splunk for analysis, monitor system health, or integrate application data with Splunk for security and operational analytics.

Splunk Cloud Platform icon

Power end-to-end data operations for your Splunk Cloud Platform API with Nexla. Our bi-directional Splunk Cloud Platform connector is purpose-built for Splunk Cloud Platform, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Splunk Cloud Platform or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Splunk Cloud Platform workflows fast, secure, and fully governed.

Features

Type: API

SourceDestination

  • Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
  • Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
  • API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
  • Request optimization with intelligent batching, retry, and caching to minimize API calls and costs

Prerequisites

Before creating a Splunk Cloud Platform credential, you'll need to obtain an HTTP Event Collector (HEC) token from your Splunk instance. Splunk uses HEC tokens for authenticating HTTP Event Collector API requests, which allow you to send event data to Splunk.

To obtain a Splunk HEC token:

  1. Log in to your Splunk instance. This could be Splunk Cloud Platform, Splunk Enterprise, or your organization's Splunk deployment.

  2. Navigate to Settings > Data Inputs > HTTP Event Collector in the Splunk web interface.

  3. If HTTP Event Collector is not enabled, click Global Settings and enable Enable HTTP Event Collector. Then click Save.

  4. Click New Token to create a new HEC token for your application.

  5. Fill in the token configuration:

    • Name: Enter a descriptive name for the token (e.g., "Nexla Integration")
    • Description: Optionally enter a description for the token
    • Source type: Select or enter the source type for your events (e.g., _json for JSON events)
    • Index: Select the index where events should be stored
    • App context: Select the app context if needed
  6. Click Next to review the token settings, then click Submit to create the token.

  7. Copy the Token Value immediately after creation, as it may only be displayed once for security purposes. Store it securely, as you'll need it to authenticate API requests.

  8. Note your Splunk HEC Base URL. This is typically in the format:

    • Splunk Cloud: https://http-inputs-{yourinstance}.splunkcloud.com:443
    • Splunk Enterprise: https://{your-splunk-server}:8088 (or your configured HEC port)

Splunk HEC tokens are used as Bearer tokens in the Authorization header for all HTTP Event Collector API requests. The token value is sensitive information and should be kept secure. If you've lost your token, you can view it again in the HTTP Event Collector settings, or create a new token if needed. The token must be prefixed with "Splunk " in the Authorization header (e.g., Splunk {token_value}).

For detailed information about Splunk HTTP Event Collector authentication and token management, refer to the Splunk HTTP Event Collector Documentation and Splunk HEC REST API Endpoints.

Authenticate

Credentials required

An authentication method that requires sending a unique secret token with each API request on Splunk

FieldRequiredSecretDescription
API Key ValueYesYesAn encoded string value used as a secret token to authenticate API requests on Splunk
Base URLYesNoURL of the Splunk HTTP Event Collector server, including protocol and port.

Create a credential in Nexla

  1. After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.

New Credential Overlay – Splunk Cloud Platform

SplunkCPCred.png
  1. Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.

  2. In the API Key Value field, enter the HEC token value that you obtained from your Splunk instance. This is the token used to authenticate requests to the Splunk HTTP Event Collector API.

  3. In the Base URL field, enter the base URL for your Splunk HTTP Event Collector server, including the protocol (https://) and port. Common examples include:

    • Splunk Cloud: https://http-inputs-{yourinstance}.splunkcloud.com:443
    • Splunk Enterprise: https://{your-splunk-server}:8088

    The API key (HEC token) is sensitive information and should be kept secure. If you've lost your token, you can view it again in the HTTP Event Collector settings in your Splunk instance. The token is used in the Authorization header with the format Splunk {token_value} for all API requests.

  4. Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.

Use as a data source

To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Splunk Cloud Platform connector tile, then select the credential that will be used to connect to the Splunk API, and click Next; or, create a new Splunk Cloud Platform credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Splunk HEC API endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.

Check HEC Health (/services/collector/health)

This endpoint retrieves HEC health status using Splunk's collector API. Use this endpoint when you need to check the health of your HTTP Event Collector, verify connectivity, or monitor HEC status.

  • This endpoint automatically retrieves the health status from your Splunk HEC instance. No additional configuration is required beyond selecting this endpoint template.

The Check HEC Health endpoint uses GET requests to retrieve health status from the Splunk HTTP Event Collector API. This is a simple endpoint useful for testing connectivity and verifying that your Splunk HEC is running correctly. For more information about the Check HEC Health endpoint, refer to the Splunk HEC REST API Documentation.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.

Manual configuration

Splunk Cloud Platform data sources can also be manually configured to ingest data from any valid Splunk API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.

Splunk HEC API endpoints typically follow the pattern {base_url}/services/collector/{endpoint}, where {base_url} is your Splunk HEC base URL configured in the credential. Common Splunk HEC endpoints include /services/collector/health for health checks. The Authorization header containing Splunk {token} is automatically included from your credential, so you do not need to add it as a request header.

Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Splunk Cloud Platform data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.

Use as a destination

Click the + icon on the Nexset that will be sent to the Splunk Cloud Platform destination, and select the Send to Destination option from the menu. Select the Splunk Cloud Platform connector from the list of available destination connectors, then select the credential that will be used to connect to the Splunk instance, and click Next; or, create a new Splunk Cloud Platform credential for use in this flow.

Endpoint templates

Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Splunk HEC API endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.

Send JSON Event (/services/collector)

This endpoint sends JSON events using Splunk's HTTP Event Collector API. Use this endpoint when you need to send structured JSON event data to Splunk for indexing and analysis.

  • This endpoint accepts JSON data in the request body. The data should include event fields and metadata. Each record will be sent as a separate API request.
  • Ensure your data includes the required fields for Splunk events, including event data and optional metadata like index, sourcetype, source, and host.

This endpoint uses POST method for sending JSON events. The endpoint accepts JSON data in the request body and does not support batch mode by default, so each record will be sent as a separate API request. For more information about the Send JSON Event endpoint, refer to the Splunk HEC REST API Documentation.

Send S2S Data (/services/collector/s2s)

This endpoint sends S2S (Server-to-Server) event data using Splunk's cloud collector API. Use this endpoint when you need to send event data in batch mode for improved performance.

  • This endpoint accepts JSON data in the request body and supports batch mode. Multiple events can be sent in a single request for improved performance.
  • Ensure your data includes the required fields for Splunk events, including event data and optional metadata.

This endpoint uses POST method for sending S2S event data. The endpoint supports batch mode, allowing multiple events to be sent in a single request. For more information about the Send S2S Data endpoint, refer to the Splunk HEC REST API Documentation.

Send Raw Data (/services/collector/raw/1.0)

This endpoint ingests raw event data using Splunk's collector API. Use this endpoint when you need to send raw text or log data to Splunk for indexing.

  • This endpoint accepts raw text data in the request body. The data should be in plain text format, suitable for Splunk indexing.
  • Query parameters can be used to specify index, sourcetype, and other metadata for the raw data.

This endpoint uses POST method for sending raw data. The endpoint accepts text/plain content type and is useful for sending log files or raw text data to Splunk. For more information about the Send Raw Data endpoint, refer to the Splunk HEC REST API Documentation.

Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to send a sample of the data. The response will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the destination is configured correctly before saving.

Manual configuration

Splunk Cloud Platform destinations can also be manually configured to send data to any valid Splunk API endpoint. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, request body template, attribute exclusions, record batching, and response webhooks.

Splunk HEC API endpoints typically follow the pattern {base_url}/services/collector/{endpoint}, where {base_url} is your Splunk HEC base URL configured in the credential. Common Splunk HEC endpoints include /services/collector for JSON events, /services/collector/s2s for S2S data, and /services/collector/raw/1.0 for raw data. The Authorization header containing Splunk {token} is automatically included from your credential, and Content-Type is typically set to application/json for JSON events or text/plain for raw data. For most Splunk ingestion endpoints, the default request body template {message.json} sends the entire record as JSON; Splunk HEC endpoints typically accept JSON event data with optional metadata fields like index, sourcetype, source, and host.

Save & activate

Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured Splunk Cloud Platform endpoint, open the destination resource menu, and select Activate.

The Nexset data will not be sent to the Splunk Cloud Platform endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.