
Splunk Connector

Enterprise Deployment

This feature is available for Enterprise deployments only. If you’d like to get started, please contact support@loginid.io for further details.

The Splunk Connector allows you to stream real-time LoginID event data directly into your Splunk instance. It enables push-based delivery of authentication events through the HTTP Event Collector (HEC) interface. You can use these pushed events to create reports, charts, and alerts with Splunk.

Prerequisites

  • Access to a running Splunk instance with HEC enabled.
  • Your Splunk HEC endpoint URL.
  • A valid HEC token generated from your Splunk instance.

Splunk Configuration

Creating HEC Token

  1. Log in to your Splunk instance.

    Navigate to:
    Settings → Data Inputs → HTTP Event Collector → + Add New

  2. Create a new HEC token.

    • Provide a name (e.g., LoginID Connector)
    • Note the token value — you will need it in the LoginID configuration.
    • Optionally, enable SSL if your instance uses HTTPS.
    • You can optionally define a Source Type to help categorize LoginID events in Splunk.

Formatting HEC URI

This setup provides a quick way to get your Splunk configuration running. For detailed instructions on enabling the HTTP Event Collector in Splunk, refer to the Splunk Documentation.

  1. Form your Splunk HEC URI.

    • The URI follows this format:

      <protocol>://<splunk-host>:<port>
      • For the protocol, you may also use HTTP (instead of HTTPS) if SSL is disabled on your HEC global settings.

      • The Splunk host is the domain of your Splunk instance.

      • Port 8088 is the default port used by Splunk’s HTTP Event Collector (HEC) to receive event data. If your Splunk instance is configured with a different port, update the URI accordingly.

    • For example:

      https://splunk.acme.local:8088
  2. Test your endpoint (optional). You can test connectivity using a curl command:

    curl -k https://splunk.acme.local:8088/services/collector/event \
    -H "Authorization: Splunk ${SPLUNK_TOKEN}" \
    -d '{"event": "test"}'

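    The -k flag disables SSL certificate verification, which may be necessary if your Splunk instance uses a self-signed certificate. With -k, curl sends the token without checking the identity of the server, so keep it to this connectivity test.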

    If you receive a response like { "text": "Success", "code": 0 }, your endpoint and token are valid.
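
The connectivity test above with certificate verification left on, as an added example that is not LoginID's or Splunk's own code: it passes a CA certificate with --cacert instead of -k and hands the Authorization header to curl on stdin, so the token does not appear in the process list. The function names and the SPLUNK_CA variable are assumptions; SPLUNK_TOKEN and the /services/collector/event path are the ones used above.

```shell
#!/usr/bin/env bash
# Added example; hec_uri, hec_payload, hec_result, hec_test and SPLUNK_CA are
# hypothetical names chosen for this illustration.

# Build <protocol>://<splunk-host>:<port>; the port defaults to 8088.
hec_uri() {
  local proto="$1" host="$2" port="${3:-8088}"
  case "$proto" in
    https) ;;
    http) echo "warning: http sends the HEC token unencrypted" >&2 ;;
    *) echo "unsupported protocol: $proto" >&2; return 2 ;;
  esac
  case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
  [ -n "$host" ] || { echo "missing host" >&2; return 2; }
  printf '%s://%s:%s\n' "$proto" "$host" "$port"
}

# Test event; names an index only when one is given (the optional Index field).
hec_payload() {
  if [ -n "${1:-}" ]; then
    printf '{"event": "test", "index": "%s"}\n' "$1"
  else
    printf '{"event": "test"}\n'
  fi
}

# Print the numeric "code" from an HEC reply; succeed only when it is 0.
hec_result() {
  local code
  code=$(printf '%s' "$1" |
    sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  echo "${code:-none}"
  [ "$code" = "0" ]
}

# Send the test event over HTTPS, verifying the server against SPLUNK_CA.
# The header goes to curl through --config on stdin, not through argv.
hec_test() {
  local uri="$1" index="${2:-}" reply
  [ -n "${SPLUNK_TOKEN:-}" ] && [ -r "${SPLUNK_CA:-}" ] ||
    { echo "set SPLUNK_TOKEN and SPLUNK_CA (readable PEM file)" >&2; return 2; }
  reply=$(printf 'header = "Authorization: Splunk %s"\n' "$SPLUNK_TOKEN" |
    curl --silent --show-error --max-time 10 --cacert "$SPLUNK_CA" --config - \
      --data "$(hec_payload "$index")" "$uri/services/collector/event") || return 1
  hec_result "$reply" >/dev/null || { echo "HEC rejected: $reply" >&2; return 1; }
  echo "HEC accepted: $reply"
}
# Usage: hec_test "$(hec_uri https splunk.acme.local)" "<your_index>"
```

Passing an index in the test event also confirms that the token is allowed to write to the index you plan to enter in the LoginID connector form.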

Configure in LoginID

Once your HEC token and URI are ready, configure the connector on the LoginID Dashboard.

  1. Go to Applications → [Your App] → Connectors → New
  2. Select Splunk as the Connector Type.
  3. Fill out the required fields:

     | Field               | Description                                                     |
     |---------------------|-----------------------------------------------------------------|
     | Name                | A name to identify your Splunk connector (e.g., Splunk-Prod).   |
     | URI                 | Your Splunk HEC endpoint, e.g. https://splunk.acme.local:8088.  |
     | Authorization Token | The Splunk token generated in the previous step.                |
     | Index               | (Optional) The Splunk index for storing LoginID events.         |

  4. Click Create to save and activate your connector.

Once enabled, LoginID will immediately begin streaming real-time event data into your specified Splunk index.

Splunk Connector creation form in LoginID Dashboard

Monitoring and Validation

You can verify data ingestion within your Splunk instance:

  1. Open the Search & Reporting app.

  2. Run a query such as:

     index="<your_index>" sourcetype="<your_source_type>"
  3. You should see new events appearing as users interact with your application.