How to use App Connect with Splunk

Splunk is a software platform that is used for searching, monitoring, and analyzing machine-generated data in real time.

Supported product and API versions

To find out which product and API versions this connector supports, see Detailed System Requirements on the IBM Support page.

Connecting to Splunk

Complete the connection fields that you see in the App Connect Designer Connect > Applications and APIs page (previously the Catalog page) or flow editor. If necessary, work with your Splunk administrator to obtain these values.

Account name
  Provide a meaningful name to your account that helps you to identify it.

BASIC
  • Server URL is the URL for the API server that makes runtime calls.
  • Username is the username that is used to access the Splunk instance.
  • Password is the password that is used to access the Splunk instance.
  • Set Allow self-signed certificates to true if you want to be able to accept self-signed certificates that are trusted and used only in a nonproduction environment. The default is false.
  • Override server URL is required if you want to connect to an endpoint in a private network by using the private network client, or if you want to override the server URL. Specify an override value for the host and port for the connector in the format <http or https>://<host_name>:<port>. If you're not using the private network client or don't need an override, don't enter a value in this field.
  • Private network connection: Select the name of a private network agent that App Connect uses to connect to your private network. This list is populated with the names of private network agents that are created on the Private networks page. For more information, see Connecting to a private network.

BEARER TOKEN
  • Server URL is the URL for the API server that makes runtime calls.
  • Token is the token that is used to authenticate and authorize access to Splunk services.
  • Set Allow self-signed certificates to true if you want to be able to accept self-signed certificates that are trusted and used only in a nonproduction environment. The default is false.
  • Override server URL is required if you want to connect to an endpoint in a private network by using the private network client, or if you want to override the server URL. Specify an override value for the host and port for the connector in the format <http or https>://<host_name>:<port>. If you're not using the private network client or don't need an override, don't enter a value in this field.
  • Private network connection: Select the name of a private network agent that App Connect uses to connect to your private network. This list is populated with the names of private network agents that are created on the Private networks page. For more information, see Connecting to a private network.

To obtain the connection values for Splunk, see Obtaining connection values for Splunk.

To connect to a Splunk endpoint from the App Connect Designer Applications and APIs page for the first time, expand Splunk, then click Connect. For more information, see Managing accounts.

Tip:

Before you use the account that is created in App Connect in a flow, rename the account to something meaningful that helps you to identify it. To rename the account on the Applications and APIs page, select the account, open its options menu (⋮), then click Rename Account.

General Considerations

Before you use App Connect Designer with Splunk, take note of the following considerations:

  • You can see lists of the trigger events and actions that are available on the Applications and APIs page of the App Connect Designer.

    For some applications, the events and actions depend on the environment and whether the connector supports configurable events and dynamic discovery of actions. If the application supports configurable events, you see a Show more configurable events link under the events list. If the application supports dynamic discovery of actions, you see a Show more link under the actions list.

  • If you are using multiple accounts for an application, the set of fields that is displayed when you select an action for that application can vary for different accounts. In the flow editor, some applications always provide a curated set of static fields for an action. Other applications use dynamic discovery to retrieve the set of fields that are configured on the instance that you are connected to. For example, if you have two accounts for two instances of an application, the first account might use settings that are ready for immediate use. However, the second account might be configured with extra custom fields.

Post connection considerations

Take note of the following considerations after you connect to Splunk.

API usage limit

Generating an authentication token (HEC token) for the Send HEC data action

To use the Send HEC data action, you need to enter the HEC token in the Authorization field. To generate an HEC token, complete the following steps:
  1. Log in to your Splunk Cloud account.
  2. Go to Settings > Data inputs.
  3. Click HTTP Event Collector.
  4. Click New Token.
  5. Enter a name for the token in the Name field.
  6. Click Next.
  7. Click Review.
  8. Review your token details, then click Submit.
  9. Copy the token value and save it somewhere safe.

User permissions for accessing the application for the Retrieve and Create actions

  • During the discovery call for Retrieve and Create actions, you can select from a list of users and applications that are associated with your Splunk account. Because the list shows all available applications, not only those that the selected user can access, make sure that the application you choose is one that the selected user is authorized to access.

Running a global application search

The following steps describe how to search across all applications in your Splunk account during the Retrieve and Create discovery calls.
  1. Switch to Advanced mode.
  2. Enter a hyphen (-) in the User and Application fields.

Events and Actions

Splunk events

These events are for changes in this application that trigger a flow to start completing the actions in the flow.

Note: Events are not available for changes in this application. You can trigger a flow in other ways, such as at a scheduled interval or at specific dates and times.

Splunk actions

Your flow completes these actions on this application.

Object: Applications
  • Retrieve all applications: Retrieves a list of all locally installed Splunk apps. Details like app name, version, and status are returned for each app.

Object: HTTP Event Collector (HEC)
  • Retrieve HEC token by ID: Retrieves details for a specific HTTP Event Collector (HEC) token by providing its unique ID (token name) in the request. The response includes the token value and its configuration details. To run a global search, use "-" for both the app and user parameters.
  • Retrieve HEC token: Retrieves a list of all HTTP Event Collector (HEC) tokens for the specified user and app context. Each token includes its value and configuration details, which are used to securely authenticate and send data to Splunk over HTTP or HTTPS. To retrieve all tokens, set both the user and app parameters to "-".
  • Send HEC data: Sends raw event data directly to Splunk by using HTTP(S). The data is parsed into events by using line-breaking rules. This operation requires a unique channel identifier in the request header.

Object: Search
  • Create search job: Creates a new search job in Splunk for the specified user and app, allowing you to run and manage searches programmatically.
  • Retrieve searches by ID: Retrieves a list of search results for a specific search job by its ID.

Object: Users
  • Retrieve all users: Retrieves a list of all users in Splunk.
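As an added example (not App Connect's or Splunk's own code) tying together the HEC token procedure above and the Send HEC data action in the table: it enforces the Override server URL format, applies the Allow self-signed certificates rule, splits raw data on line breaks, and assembles the request headers the action needs. The raw endpoint path, the `Splunk <token>` Authorization scheme and the `X-Splunk-Request-Channel` header name are Splunk HEC conventions assumed here, not values taken from this page.

```python
import ssl
import uuid
from urllib.parse import urlsplit

HEC_RAW_PATH = "/services/collector/raw"   # Splunk's raw HEC endpoint (assumed, not from this page)


def validate_server_url(url: str) -> str:
    """Enforce the <http or https>://<host_name>:<port> format that the
    Override server URL field requires and return the normalised origin."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        raise ValueError(f"scheme must be http or https: {url!r}")
    if not p.hostname or p.port is None:
        raise ValueError(f"host name and port are both required: {url!r}")
    if p.path not in ("", "/") or p.query or p.fragment:
        raise ValueError(f"only scheme://host:port is allowed: {url!r}")
    return f"{p.scheme}://{p.hostname}:{p.port}"


def tls_context(allow_self_signed: bool, nonproduction: bool) -> ssl.SSLContext:
    """Mirror the Allow self-signed certificates switch: chain and host name
    checks are relaxed only when the switch is on AND the target is declared
    nonproduction, so a production connection is always fully verified."""
    ctx = ssl.create_default_context()
    if allow_self_signed and nonproduction:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def split_events(raw: str) -> list:
    """Approximate HEC's default line-breaking rule: one event per non-empty line."""
    return [line for line in raw.splitlines() if line.strip()]


def build_hec_raw_request(server_url: str, hec_token: str, raw: str,
                          channel: str = None) -> dict:
    """Describe the request the Send HEC data action needs: the HEC token in
    the Authorization header and a unique channel id in the request header."""
    origin = validate_server_url(server_url)
    channel = channel or str(uuid.uuid4())   # fresh GUID identifies this channel
    uuid.UUID(channel)                       # reject a malformed channel id early
    headers = {
        "Authorization": f"Splunk {hec_token}",      # Splunk's HEC auth scheme (assumed)
        "X-Splunk-Request-Channel": channel,         # channel identifier header (assumed)
        "Content-Type": "text/plain",
    }
    return {"url": origin + HEC_RAW_PATH, "headers": headers,
            "body": raw, "event_count": len(split_events(raw))}
```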