# Splunk

{% hint style="info" %}
This integration is currently in beta.
{% endhint %}

This integration allows you to route notifications about issues, changes, and other events to your Splunk instance based on your configuration, enabling unified security monitoring across your environment.

## Splunk Setup

Before configuring the integration in Halo Security, you'll need to set up an HTTP Event Collector in Splunk:

1. In your Splunk instance, navigate to **Settings → Data inputs → HTTP Event Collector → Add New**
2. Enter a name for your data input (e.g., "Halo Security")
3. Select the allowed indexes where data will be stored (e.g., "main")
4. After creating the HTTP Event Collector, make note of the:
   1. Token Value that is generated
   2. Splunk server hostname
   3. HTTP Event Collector port (default: 8088)
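
Before entering these values in Halo Security, you can confirm that the token, host, port, and index work together. The following Python sketch is an added example, not Halo Security or Splunk code: it posts one test event to Splunk's HEC endpoint (`/services/collector/event`) and maps the HEC reply code to the setup step to revisit. The function names, the `hec-selftest` event, and the assumption that HEC is served over HTTPS are illustrative.

```python
import json
import ssl
import urllib.error
import urllib.request

# Codes Splunk HEC returns in its JSON reply, mapped to the setup step to revisit.
HEC_HINTS = {
    0: "ok: token and index accepted",
    1: "token is disabled: enable it under Data inputs > HTTP Event Collector",
    3: "bad Authorization header: expected 'Splunk <token>'",
    4: "invalid token: re-copy the Token Value",
    7: "incorrect index: add it to the token's allowed indexes",
}


def build_request(host, token, index, port=8088):
    """Build the HEC test POST; nothing is sent here."""
    body = json.dumps({
        "index": index,
        # Constructed sample event, not a real Halo Security payload.
        "event": {"custom_details": {"key": "hec-selftest"}},
    }).encode()
    return urllib.request.Request(
        f"https://{host}:{port}/services/collector/event",
        data=body,
        headers={"Authorization": f"Splunk {token}"},
        method="POST",
    )


def explain(reply_body):
    """Turn a HEC JSON reply into a hint about which setup value is wrong."""
    reply = json.loads(reply_body)
    code = reply.get("code")
    return HEC_HINTS.get(code, f"HEC code {code}: {reply.get('text')}")


def check(host, token, index, port=8088, cafile=None):
    """Send the test event and return the hint. Requires network access."""
    ctx = ssl.create_default_context(cafile=cafile)  # TLS verification stays on
    req = build_request(host, token, index, port)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return explain(resp.read())
    except urllib.error.HTTPError as err:  # HEC reports rejections as 4xx + JSON
        return explain(err.read())
```

Call `check(host, token, index)` with the hostname, Token Value, and an allowed index noted above. If your Splunk instance uses a certificate from a private CA, pass the CA bundle as `cafile` rather than disabling verification.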

## Connect Splunk

1. Visit your *Settings → Integrations →* [Add](https://app.halosecurity.com/user/settings/integrations/add)
2. Add the Splunk integration
3. Enter a name for the integration
4. Click **Save**
5. Add the following information from the Splunk HTTP Event Collector you set up:
   1. Splunk Server
   2. Splunk Server Host
   3. Splunk Server Port
6. Click **Save Changes**

## Create Profiles

After connecting Splunk, you can create profiles to control how data is sent to your Splunk instance. Each profile specifies configuration details for the Splunk connection. To create a profile:

1. Navigate to the **Profiles** tab
2. Click the **+** icon
3. Enter a name for the profile
4. Configure the following settings:
   * **Profile Name**: A name for the profile.
   * **Splunk Index**: The Splunk index where events will be stored (must match an allowed index from Splunk setup)
5. Click **Save**

You can create multiple profiles to route different types of events to different Splunk indexes.

## Create Event Rules

To send data to Splunk, create Event Rules and add your Splunk profile as an action. Visit *Events → Event Rules* to set up rules that determine which events are sent to Splunk.

Learn more about configuring Event Rules at:

{% content-ref url="../../platform/events/alerts" %}
[alerts](https://docs.halosecurity.com/docs/platform/events/alerts)
{% endcontent-ref %}

## Using the Integration

Once configured, events matching your criteria will automatically be sent to your Splunk instance. You can search for these events in Splunk using queries like:

```
index=main source="http:Halo Security"
```

To filter for specific [event types](https://docs.halosecurity.com/docs/platform/events/event-types):

```
index=main source="http:Halo Security" custom_details.key="issue-add"
```
