Setup Splunk
Configure Splunk to receive logs from Logcannon. Data is transmitted via Splunk HEC (HTTP Event Collector). See Supported Destinations for platform overview and version compatibility.
Prerequisites
- A Splunk instance with HEC enabled
- An HEC token with write permissions
- An index created in Splunk (or use an existing one)
Step 1: Enable HEC in Splunk
- Log into your Splunk instance
- Navigate to Settings → Data Inputs → HTTP Event Collector
- Click New Token to create a new HEC token
- Configure the token:
- Set a name (e.g., "logcannon")
- Select the index where logs should be stored
- Enable the token
- Copy the token value - you'll need it for Logcannon configuration
Step 2: Configure in Logcannon
| Parameter | Description | Example |
|---|---|---|
| Splunk Web UI URL | URL for Splunk's web interface. Cloud/reverse-proxy: same URL for web and ingestion. Self-hosted: include port 8000; logcannon uses 8088 for data ingestion. | https://splunk.example.com:8000https://inputs-xxx.splunkcloud.com |
| Splunk Address (optional) | If HEC uses a different URL than the web UI, enable "Use separate Splunk address" and provide it. | https://splunk.example.com:8088 |
| Splunk Token | The HEC token from Step 1. Stored encrypted. | — |
| Index | Splunk index for logs. Must match the index in your HEC token. | — |
Step 3: Test Connection
Use the "Test Connection" button in Logcannon to verify your configuration. This will send a query to your Splunk instance to ensure everything is working correctly.