Splunk Cloud Platform
Splunk is a data analytics platform that enables organizations to search, monitor, and analyze machine-generated data. The Splunk Cloud Platform connector enables you to access Splunk's HTTP Event Collector (HEC) API to send event data to Splunk, check HEC health status, and manage HEC tokens. This connector is particularly useful for applications that need to ingest log data, send events to Splunk for analysis, monitor system health, or integrate application data with Splunk for security and operational analytics.
Power end-to-end data operations for your Splunk Cloud Platform API with Nexla. Our bi-directional Splunk Cloud Platform connector is purpose-built for Splunk Cloud Platform, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Splunk Cloud Platform or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Splunk Cloud Platform workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
Before creating a Splunk Cloud Platform credential, you'll need to obtain an HTTP Event Collector (HEC) token from your Splunk instance. Splunk uses HEC tokens for authenticating HTTP Event Collector API requests, which allow you to send event data to Splunk.
To obtain a Splunk HEC token:
-
Log in to your Splunk instance. This could be Splunk Cloud Platform, Splunk Enterprise, or your organization's Splunk deployment.
-
Navigate to Settings > Data Inputs > HTTP Event Collector in the Splunk web interface.
-
If HTTP Event Collector is not enabled, click Global Settings and enable Enable HTTP Event Collector. Then click Save.
-
Click New Token to create a new HEC token for your application.
-
Fill in the token configuration:
- Name: Enter a descriptive name for the token (e.g., "Nexla Integration")
- Description: Optionally enter a description for the token
- Source type: Select or enter the source type for your events (e.g.,
_jsonfor JSON events) - Index: Select the index where events should be stored
- App context: Select the app context if needed
-
Click Next to review the token settings, then click Submit to create the token.
-
Copy the Token Value immediately after creation, as it may only be displayed once for security purposes. Store it securely, as you'll need it to authenticate API requests.
-
Note your Splunk HEC Base URL. This is typically in the format:
- Splunk Cloud:
https://http-inputs-{yourinstance}.splunkcloud.com:443 - Splunk Enterprise:
https://{your-splunk-server}:8088(or your configured HEC port)
- Splunk Cloud:
Splunk HEC tokens are used as Bearer tokens in the Authorization header for all HTTP Event Collector API requests. The token value is sensitive information and should be kept secure. If you've lost your token, you can view it again in the HTTP Event Collector settings, or create a new token if needed. The token must be prefixed with "Splunk " in the Authorization header (e.g., Splunk ).{token_value}
For detailed information about Splunk HTTP Event Collector authentication and token management, refer to the Splunk HTTP Event Collector Documentation and Splunk HEC REST API Endpoints.
Authenticate
Credentials required
An authentication method that requires sending a unique secret token with each API request on Splunk
| Field | Required | Secret | Description |
|---|---|---|---|
| API Key Value | Yes | Yes | An encoded string value used as a secret token to authenticate API requests on Splunk |
| Base URL | Yes | No | URL of the Splunk HTTP Event Collector server, including protocol and port. |
Create a credential in Nexla
- After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
New Credential Overlay – Splunk Cloud Platform

-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
-
In the API Key Value field, enter the HEC token value that you obtained from your Splunk instance. This is the token used to authenticate requests to the Splunk HTTP Event Collector API.
-
In the Base URL field, enter the base URL for your Splunk HTTP Event Collector server, including the protocol (https://) and port. Common examples include:
- Splunk Cloud:
https://http-inputs-{yourinstance}.splunkcloud.com:443 - Splunk Enterprise:
https://{your-splunk-server}:8088
The API key (HEC token) is sensitive information and should be kept secure. If you've lost your token, you can view it again in the HTTP Event Collector settings in your Splunk instance. The token is used in the Authorization header with the format
Splunkfor all API requests.{token_value} - Splunk Cloud:
-
Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.
Use as a data source
To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Select the Splunk Cloud Platform connector tile, then select the credential that will be used to connect to the Splunk API, and click Next; or, create a new Splunk Cloud Platform credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Splunk HEC API endpoints. Select the endpoint from which this source will fetch data from the Endpoint pulldown menu. Available endpoint templates are listed in the expandable boxes below.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to retrieve a sample of the data that will be fetched. Sample data will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the source is configured correctly before saving.
Manual configuration
Splunk Cloud Platform data sources can also be manually configured to ingest data from any valid Splunk API endpoint, including endpoints not covered by the pre-built templates, chained API calls, or custom request parameters. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, date/time and lookup macros, path to data, metadata, and request headers.
Splunk HEC API endpoints typically follow the pattern {base_url}/services/collector/{endpoint}, where {base_url} is your Splunk HEC base URL configured in the credential. Common Splunk HEC endpoints include /services/collector/health for health checks. The Authorization header containing Splunk is automatically included from your credential, so you do not need to add it as a request header.{token}
Once all of the relevant settings have been configured, click the Create button in the upper right corner of the screen to save and create the new Splunk Cloud Platform data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.
Use as a destination
Click the + icon on the Nexset that will be sent to the Splunk Cloud Platform destination, and select the Send to Destination option from the menu. Select the Splunk Cloud Platform connector from the list of available destination connectors, then select the credential that will be used to connect to the Splunk instance, and click Next; or, create a new Splunk Cloud Platform credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Splunk HEC API endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to send a sample of the data. The response will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the destination is configured correctly before saving.
Manual configuration
Splunk Cloud Platform destinations can also be manually configured to send data to any valid Splunk API endpoint. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, data format, endpoint URL, request headers, request body template, attribute exclusions, record batching, and response webhooks.
Splunk HEC API endpoints typically follow the pattern {base_url}/services/collector/{endpoint}, where {base_url} is your Splunk HEC base URL configured in the credential. Common Splunk HEC endpoints include /services/collector for JSON events, /services/collector/s2s for S2S data, and /services/collector/raw/1.0 for raw data. The Authorization header containing Splunk is automatically included from your credential, and Content-Type is typically set to {token}application/json for JSON events or text/plain for raw data. For most Splunk ingestion endpoints, the default request body template {message.json} sends the entire record as JSON; Splunk HEC endpoints typically accept JSON event data with optional metadata fields like index, sourcetype, source, and host.
Save & activate
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured Splunk Cloud Platform endpoint, open the destination resource menu, and select Activate.
The Nexset data will not be sent to the Splunk Cloud Platform endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.