Splunk
  • 30 Jan 2023

Article Summary

The Splunk integration enables you to trigger workflows with Splunk alerts and to perform searches and create alerts as part of a workflow.

Use Splunk to trigger Torq workflows

In order to ingest Splunk Enterprise alerts as events in Torq, you need to create a generic Webhook integration in Torq and use the generated webhook URL (Torq endpoint) to configure an alert in Splunk. The alert data is sent via the webhook to Torq as a trigger event.

Image showing how logs flow from various services to Splunk and how Torq ingests them as events.

Configure a Webhook integration in Torq

  1. Go to Integrations > Triggers.
  2. Locate Webhook and click Add.
  3. Type a meaningful name for the integration instance, for example, Splunk-Receiver, and click Add.
  4. Locate the integration and copy the URL link. You will need this when you create the alert in Splunk.

Create a test workflow

The test workflow will test whether Splunk alerts are being ingested in Torq. For the test workflow, we'll add the webhook that we created previously as the trigger.

  1. In Torq, go to Workflows and click Create Workflow.
  2. Type a meaningful name for the workflow, such as Splunk Events Test.
  3. Click the trigger icon and select Webhook.
  4. Select the webhook integration you created earlier (the one whose URL you will configure in Splunk).
  5. Save the workflow.

Create an alert in Splunk

To create an alert, you'll define and run a Splunk query and save that query as an alert. This alert will be sent via webhook to Torq as a trigger event, either in real-time or on a schedule.

IMPORTANT
By default, real-time alerts in Splunk Cloud are disabled. You need to contact Splunk to enable the feature. Splunk Cloud also supports sending alerts on a schedule.

  1. Sign in to your Splunk instance.
  2. From the home page, click Search & Reporting.
  3. Enter a search query in the search bar and run the search. For this example, we'll use the search query source="udp:514" sourcetype="syslog".
  4. Save the search as an alert.
    Screenshot showing how to create and save a query as an alert in Splunk.
  5. Fill in the save alert form.
    1. Enter a meaningful title, for example, Send alerts to Torq.
    2. In the Trigger Actions section click Add Actions and select Webhook.
    3. Enter the webhook URL (Torq endpoint) that you created earlier and click Save.
    Screenshot showing how to configure a trigger action in Splunk.
  6. In the Webhook configuration window click Create New Webhook.
    1. Enter a meaningful name for the integration.
    2. Enter the Webhook URL (Torq endpoint) that you generated earlier.
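The alert defined in the steps above can also be created through Splunk's REST API, which is useful when you want the Torq trigger configured from version-controlled code rather than by hand. The script below is an added example, not Torq's or Splunk's own code: the management URL, Torq webhook URL and API token are placeholders, and the field names are the savedsearches.conf settings behind the UI form (actions, action.webhook.param.url, alert.track, cron_schedule and so on).

```python
"""Create the 'Send alerts to Torq' saved search as a webhook alert through the
Splunk REST API instead of the Search & Reporting UI.
Added example (not Torq's or Splunk's code); URLs and token are placeholders."""
import json
import ssl
import urllib.parse
import urllib.request

# Placeholders: replace with your Splunk management URL (usually port 8089) and
# the webhook URL copied from the Torq Webhook integration.
SPLUNK_MGMT_URL = "https://splunk.example.com:8089"
TORQ_WEBHOOK_URL = "https://REPLACE_WITH_TORQ_WEBHOOK_URL"


def build_webhook_alert(name, search, torq_webhook_url, cron="*/5 * * * *"):
    """Return the form fields for POST .../saved/searches that save `search`
    as a scheduled alert whose trigger action is a webhook to Torq.
    Field names are the savedsearches.conf settings behind the UI form."""
    if not torq_webhook_url.startswith("https://"):
        # alert payloads carry raw event data; never send them over plain HTTP
        raise ValueError("Torq webhook URL must use https")
    return {
        "name": name,
        "search": search,
        "actions": "webhook",                       # trigger action: Webhook
        "action.webhook.param.url": torq_webhook_url,
        "alert.track": "1",                         # list under Triggered Alerts
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": "0",                     # fire when any event matches
        "is_scheduled": "1",                        # scheduled (works on Splunk Cloud)
        "cron_schedule": cron,
        "dispatch.earliest_time": "-5m",            # window matches the 5-minute cron
        "dispatch.latest_time": "now",
    }


def create_alert(mgmt_url, token, params, owner="nobody", app="search"):
    """POST the alert definition using a Splunk API token (Bearer auth) and
    return the created saved-search name. Network call; not run offline."""
    url = f"{mgmt_url}/servicesNS/{owner}/{app}/saved/searches?output_mode=json"
    req = urllib.request.Request(
        url,
        data=urllib.parse.urlencode(params).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}"},
    )
    # default context verifies the Splunk certificate; do not disable verification
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["entry"][0]["name"]


if __name__ == "__main__":
    alert = build_webhook_alert(
        "Send alerts to Torq", 'source="udp:514" sourcetype="syslog"', TORQ_WEBHOOK_URL
    )
    print(json.dumps(alert, indent=2))
    # create_alert(SPLUNK_MGMT_URL, "REPLACE_WITH_API_TOKEN", alert)
```

The script refuses a plain-http Torq endpoint on purpose: the webhook body contains the matching events, so the URL copied from Torq should always be the https one. Authentication uses the API token described in the next section; the post is commented out so the file can be run without a Splunk instance.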

Use Splunk steps in a Torq workflow

To use Splunk steps in Torq workflows, you have to create a Splunk steps integration, which requires a Splunk Enterprise API token.

IMPORTANT
After you create the token, it will appear in the Token field. Make sure you copy it because it will not be accessible after you close the window.

Create a Splunk API token

For more information about Splunk tokens, see the Splunk documentation.

  1. Sign in to your Splunk tenant.
  2. Click Settings > Tokens. If this is your first time using tokens, you might have to enable token authentication.
    Screenshot showing how to navigate to the page where you'll create an API token.
  3. Click New Token and configure the token parameters and then click Create. In our example, the token will expire in 30 days.
    Screenshot showing how to create and copy the API token in Splunk.

Create a Splunk Enterprise integration in Torq

  1. Go to Integrations > Steps.
  2. Locate the Splunk Enterprise card and click Add.
  3. Type a meaningful name for the integration instance.
  4. Enter the API token that you generated in your Splunk tenant.
  5. Enter the URL of your Splunk tenant (including port).
  6. Click Add.
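Two things commonly go wrong in steps 4 and 5: the tenant URL is entered without the management port, or the token pasted in was not the one shown at creation time. The following pre-flight check is an added example (not Torq's code) that validates the URL shape offline and, when run against a live instance, confirms the token authenticates by calling Splunk's current-context endpoint; the host name and token are placeholders, and the response field path entry[0].content.username is assumed from the JSON output mode.

```python
"""Pre-flight check before filling in the Splunk Enterprise steps integration:
confirm the tenant URL carries a scheme and port, and that the API token
authenticates against Splunk. Added example, not Torq's code."""
import json
import ssl
import urllib.parse
import urllib.request


def normalize_tenant_url(url):
    """Return 'https://host:port' for the Splunk management API, or raise.
    The REST API listens on the management port (8089 by default), not on the
    web UI port, so a URL without a port is almost always wrong here."""
    parts = urllib.parse.urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("use https://: the API token travels in the Authorization header")
    if not parts.hostname or parts.port is None:
        raise ValueError("include host and management port, e.g. https://splunk.example.com:8089")
    return f"https://{parts.hostname}:{parts.port}"


def verify_token(tenant_url, token):
    """GET /services/authentication/current-context with the token and return the
    Splunk user it resolves to (assumes the JSON shape entry[0].content.username).
    Network call; not run offline. An HTTP 401 here means the token is wrong or
    expired; tokens are shown only once at creation, so mint a new one."""
    base = normalize_tenant_url(tenant_url)
    req = urllib.request.Request(
        f"{base}/services/authentication/current-context?output_mode=json",
        headers={"Authorization": f"Bearer {token}"},
    )
    # default context verifies the Splunk certificate; do not disable verification
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)["entry"][0]["content"]["username"]


if __name__ == "__main__":
    print(normalize_tenant_url("https://splunk.example.com:8089/"))  # placeholder host
    # print(verify_token("https://splunk.example.com:8089", "REPLACE_WITH_API_TOKEN"))
```

Run the offline part first; if the normalized URL and a successful verify_token call look right, paste exactly those two values into the Torq integration form.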


