
Splunk Cloud Platform Data Source

The Splunk Cloud Platform connector enables you to access Splunk's HTTP Event Collector (HEC) API to send event data to Splunk, check HEC health status, and manage HEC tokens. This connector is particularly useful for applications that need to ingest log data, send events to Splunk for analysis, monitor system health, or integrate application data with Splunk for security and operational analytics. Follow the instructions below to create a new data flow that ingests data from a Splunk Cloud Platform source in Nexla.
[Image: splunk_api.png, Splunk Cloud Platform connector]

Create a New Data Flow

  1. To create a new data flow, navigate to the Integrate section, and click the New Data Flow button. Then, select the desired flow type from the list, and click the Create button.

  2. Select the Splunk Cloud Platform connector tile from the list of available connectors. Then, select the credential that will be used to connect to the Splunk API, and click Next; or, create a new Splunk Cloud Platform credential for use in this flow.

  3. In Nexla, Splunk Cloud Platform data sources can be created using pre-built endpoint templates, which expedite source setup for common Splunk HEC API endpoints. Each template is designed specifically for the corresponding Splunk API endpoint, making source configuration easy and efficient.
    • To configure this source using a template, follow the instructions in Configure Using a Template.

    Splunk Cloud Platform sources can also be configured manually, allowing you to ingest data from Splunk API endpoints not included in the pre-built templates or apply further customizations to exactly suit your needs.
    • To configure this source manually, follow the instructions in Configure Manually.

Configure Using a Template

Nexla provides pre-built templates that can be used to rapidly configure data sources to ingest data from common Splunk HEC API endpoints. Each template is designed specifically for the corresponding Splunk API endpoint, making data source setup easy and efficient.

Endpoint Settings

  • Use the Endpoint pulldown menu to select the endpoint from which this source will fetch data. Available endpoint templates are listed in the expandable boxes below. Click on an endpoint to see more information about it and how to configure your data source for this endpoint.

    Check HEC Health (/services/collector/health)

    This endpoint retrieves HEC health status using Splunk's collector API. Use this endpoint when you need to check the health of your HTTP Event Collector, verify connectivity, or monitor HEC status.

    • This endpoint automatically retrieves the health status from your Splunk HEC instance. No additional configuration is required beyond selecting this endpoint template.

    The Check HEC Health endpoint uses GET requests to retrieve health status from the Splunk HTTP Event Collector API. This is a simple endpoint useful for testing connectivity and verifying that your Splunk HEC is running correctly. For more information about the Check HEC Health endpoint, refer to the Splunk HEC REST API Documentation.

Endpoint Testing

Once the selected endpoint template has been configured, Nexla can retrieve a sample of the data that will be fetched according to the current settings. This allows users to verify that the source is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be fetched & displayed in the Endpoint Test Result panel on the right.

  • If the sample data is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the sample data to ensure that the correct information is displayed.

Configure Manually

Splunk Cloud Platform data sources can be manually configured to ingest data from any valid Splunk API endpoint. Manual configuration provides maximum flexibility for accessing endpoints not covered by pre-built templates or when you need custom API configurations.

With manual configuration, you can also create more complex Splunk sources, such as sources that use chained API calls to fetch data from multiple endpoints or sources that require custom authentication headers or request parameters.

API Method

  1. To manually configure this source, select the Advanced tab at the top of the configuration screen.

  2. Select the API method that will be used for calls to the Splunk API from the Method pulldown menu. The most common methods are:

    • GET: For retrieving data from the API (health checks and status endpoints use GET)

API Endpoint URL

  1. Enter the URL of the Splunk API endpoint from which this source will fetch data in the Set API URL field. This should be the complete URL including the protocol (https://) and any required path parameters. Splunk HEC API endpoints typically follow the pattern {base_url}/services/collector/{endpoint}, where {base_url} is your Splunk HEC base URL configured in the credential.

Ensure the API endpoint URL is correct and accessible with your current credentials. You can test the endpoint using the Test button after configuring the URL. The endpoint URL should use the base URL configured in your credential. Common Splunk HEC endpoints include /services/collector/health for health checks.

Path to Data

Optional

If only a subset of the data returned by the API endpoint is needed, you can designate the part(s) of the response that should be included in the Nexset(s) produced from this source by specifying the path to the relevant data within the response. This is particularly useful when API responses contain metadata, pagination information, or other data that you don't need for your analysis.

Path to Data is essential when API responses have nested structures. Without specifying the correct path, Nexla might not be able to properly parse and organize your data into usable records. For Splunk API responses, common paths include $ for the entire response.

  • To specify which data should be treated as relevant in responses from this source, enter the path to the relevant data in the Set Path to Data in Response field.

    • For responses in JSON format, enter the JSON path that points to the object or array that should be treated as relevant data. JSON paths use dot notation (e.g., $.data to access the data object).

Request Headers

Optional
  • If Nexla should include any additional request headers in API calls to this source, enter the headers & corresponding values as comma-separated pairs in the Request Headers field (e.g., header1:value1,header2:value2). Additional headers are often required for API versioning, content type specifications, or custom authentication requirements.

    You do not need to include any headers already present in the credentials. Common headers like Authorization, Content-Type, and Accept are typically handled automatically by Nexla based on your credential configuration. For Splunk, the Authorization header containing Splunk {token} is automatically included from your credential.
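The URL pattern, the credential-supplied Authorization header, the comma-separated extra headers and the Path to Data expression described in the manual configuration sections above, as an added Python example that is not Nexla's or Splunk's own code; the base URL, token and health response below are constructed placeholders.

```python
# Added example (not Nexla's or Splunk's code): assemble a HEC health check
# request the way the manual configuration describes, then apply a
# Path to Data expression to the JSON body. Only check_hec_health() touches
# the network; everything else is pure and can be exercised offline.
import json
import urllib.request


def build_hec_url(base_url: str, endpoint: str = "health") -> str:
    """Follow the {base_url}/services/collector/{endpoint} pattern."""
    return f"{base_url.rstrip('/')}/services/collector/{endpoint.strip('/')}"


def build_headers(token: str, extra: str = "") -> dict:
    """Authorization is taken from the credential (Splunk {token}); 'extra'
    mirrors the header1:value1,header2:value2 Request Headers field."""
    headers = {"Authorization": f"Splunk {token}"}
    for pair in (p.strip() for p in extra.split(",")):
        if not pair:
            continue
        name, _, value = pair.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def extract_path(payload, path: str):
    """Minimal dot-notation JSON path: '$' is the whole response, '$.data'
    the 'data' member, '$.a.b' a nested member. KeyError if absent."""
    path = path.strip()
    if path in ("", "$"):
        return payload
    node = payload
    for part in (path[2:] if path.startswith("$.") else path).split("."):
        node = node[part]
    return node


def check_hec_health(base_url: str, token: str, timeout: float = 5.0) -> dict:
    """Real GET against /services/collector/health; returns the JSON body."""
    req = urllib.request.Request(build_hec_url(base_url),
                                 headers=build_headers(token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Constructed sample body in the shape HEC returns for a healthy collector.
SAMPLE_HEALTH = {"text": "HEC is healthy", "code": 17}

if __name__ == "__main__":
    print(build_hec_url("https://example.splunkcloud.com:8088/"))
    print(extract_path(SAMPLE_HEALTH, "$.text"))
```

Keep the token out of source control and logs; in Nexla it lives only in the credential, which is why the Authorization header never needs to be typed into the Request Headers field.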

Endpoint Testing

After configuring all settings for the selected endpoint, Nexla can retrieve a sample of the data that will be fetched according to the current configuration. This allows users to verify that the source is configured correctly before saving.

  • To test the current endpoint configuration, click the Test button to the right of the endpoint selection menu. Sample data will be fetched & displayed in the Endpoint Test Result panel on the right.

  • If the sample data is not as expected, review the selected endpoint and associated settings, and make any necessary adjustments. Then, click the Test button again, and check the sample data to ensure that the correct information is displayed.

Save & Activate the Source

  1. Once all of the relevant steps in the above sections have been completed, click the Create button in the upper right corner of the screen to save and create the new Splunk Cloud Platform data source. Nexla will now begin ingesting data from the configured endpoint and will organize any data that it finds into one or more Nexsets.