Splunk
Updated on 30 Jan 2023
The Splunk integration enables you to trigger workflows with Splunk alerts and to perform searches and create alerts as part of a workflow.
Use Splunk to trigger Torq workflows
To ingest Splunk Enterprise alerts as events in Torq, create a generic Webhook integration in Torq and use the generated webhook URL (the Torq endpoint) as the target of a webhook alert action in Splunk. When the alert fires, Splunk POSTs the alert data to that URL and Torq receives it as a trigger event. Anyone who knows the URL can send events to it, so treat it like a credential: don't paste it into tickets, chat, or shared dashboards.
Configure a Webhook integration in Torq
- Go to Integrations > Triggers.
- Locate Webhook and click Add.
- Type a meaningful name for the integration instance, for example, Splunk-Receiver, and click Add.
- Locate the integration instance and copy its webhook URL. You will need it when you create the alert action in Splunk.
Create a test workflow
The test workflow verifies that Splunk alerts are being ingested by Torq. It uses the webhook integration created in the previous section as its trigger.
- In Torq, go to Workflows and click Create Workflow.
- Type a meaningful name for the workflow, such as Splunk Events Test.
- Click the trigger icon and select Webhook.
- Select the webhook integration you created earlier (for example, Splunk-Receiver).
- Save the workflow.
Create an alert in Splunk
To create an alert, define and run a Splunk search and save it as an alert with a webhook trigger action. Each time the alert fires, in real time or on a schedule, Splunk sends the alert data to Torq as a trigger event.
- Sign in to your Splunk instance.
- From the home page, click Search & Reporting.
- Enter a search query in the search bar and run the search. For this example, we'll use the search query source="udp:514" sourcetype="syslog".
- Click Save As > Alert.
- Fill in the Save As Alert form:
- Enter a meaningful title, for example, Send alerts to Torq.
- Choose whether the alert runs in real time or on a schedule, and set the trigger condition.
- In the Trigger Actions section, click Add Actions and select Webhook.
- In the webhook action's URL field, enter the webhook URL (Torq endpoint) you copied earlier.
- Click Save.
If the alert fires but nothing arrives in Torq, check that the Torq endpoint's domain is permitted by Splunk's webhook allow list (allowedDomainList in the [webhook] stanza of alert_actions.conf), which recent Splunk Enterprise releases enforce.
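As an added example (not part of the original page, and not Torq's or Splunk's own code), the following Python script shows the shape of the POST that Splunk's webhook alert action sends and a minimal receiver that validates the body the way a workflow should before trusting any field in it. The top-level field names (sid, search_name, app, owner, results_link, result) follow Splunk's documented webhook payload; the sample alert body, the host and sid values, and the /webhook endpoint path are constructed for the syslog search above and are assumptions.

```python
"""Added example, not Torq's or Splunk's code: simulate Splunk's webhook
alert action posting to a Torq-style webhook endpoint, and validate the
payload before a workflow trusts any of its fields."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Top-level fields Splunk's webhook alert action always includes in its JSON body.
REQUIRED_FIELDS = ("sid", "search_name", "result")

# Constructed sample of what Splunk sends for the syslog search used above
# (sid, host name and results_link are made up for illustration).
SAMPLE_ALERT = {
    "sid": "scheduler__admin__search__RMD5abc123_at_1675065600_7",
    "search_name": "Send alerts to Torq",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.com:8000/app/search/@go?sid=scheduler__admin__search__RMD5abc123_at_1675065600_7",
    "result": {
        "_raw": "Jan 30 10:00:00 fw01 sshd[4242]: Failed password for root from 203.0.113.7 port 52211 ssh2",
        "host": "fw01",
        "source": "udp:514",
        "sourcetype": "syslog",
    },
}
SAMPLE_ALERT_BYTES = json.dumps(SAMPLE_ALERT).encode()
BAD_ALERT_BYTES = b'{"search_name": "no sid or result here"}'

RECEIVED = []  # events the receiver accepted, in arrival order


def parse_splunk_alert(body: bytes) -> dict:
    """Parse a Splunk webhook alert body into a flat, normalized event.

    Raises ValueError for anything that is not a well-formed Splunk alert,
    so a workflow never acts on a partial or non-JSON body.
    """
    try:
        payload = json.loads(body)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    result = payload["result"]  # the first matching result row of the search
    if not isinstance(result, dict):
        raise ValueError("result must be an object")
    return {
        "search_name": payload["search_name"],
        "sid": payload["sid"],
        "app": payload.get("app"),
        "owner": payload.get("owner"),
        "results_link": payload.get("results_link"),
        "host": result.get("host"),
        "source": result.get("source"),
        "sourcetype": result.get("sourcetype"),
        "raw": result.get("_raw"),
    }


def is_valid_alert(body: bytes) -> bool:
    """True if the body would be accepted by parse_splunk_alert."""
    try:
        parse_splunk_alert(body)
        return True
    except ValueError:
        return False


class TorqLikeReceiver(BaseHTTPRequestHandler):
    """Stand-in for the Torq webhook endpoint: 200 on a valid alert, 400 otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            event = parse_splunk_alert(body)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        RECEIVED.append(event)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_receiver():
    """Bind the receiver on a random loopback port and serve it in a thread."""
    server = HTTPServer(("127.0.0.1", 0), TorqLikeReceiver)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/webhook"


def post_alert(url: str, body: bytes) -> int:
    """Send a body the way Splunk's webhook action does (JSON POST); return the status."""
    req = Request(url, data=body, method="POST", headers={"Content-Type": "application/json"})
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def run_demo():
    """Deliver one good and one malformed alert; returns (status_good, status_bad, accepted)."""
    server, url = start_receiver()
    try:
        return post_alert(url, SAMPLE_ALERT_BYTES), post_alert(url, BAD_ALERT_BYTES), len(RECEIVED)
    finally:
        server.shutdown()


if __name__ == "__main__":
    print(run_demo())  # expected (200, 400, 1)
```

Running the script performs the whole exchange on loopback. The point of rejecting bodies with 400 rather than accepting whatever arrives is that a webhook URL can be hit by anything that knows it; a workflow that keys actions off result fields should only run when the body has the shape Splunk produces.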
Use Splunk steps in a Torq workflow
To use Splunk steps in Torq workflows, you have to create a Splunk steps integration, which requires a Splunk Enterprise API token.
Create a Splunk API token
For more information about Splunk tokens, see the Splunk documentation.
- Sign in to your Splunk tenant.
- Click Settings > Tokens. If this is your first time using tokens, you might have to enable token authentication.
- Click New Token, configure the token parameters (the user the token acts as, audience, and expiration), and click Create. Copy the token value immediately; Splunk displays it only once. In our example, the token expires in 30 days. Issue the token for a user whose role has only the capabilities the workflow steps need (running searches and saving alerts) rather than an admin account.
Create a Splunk Enterprise integration in Torq
- Go to Integrations > Steps.
- Locate the Splunk Enterprise card and click Add.
- Type a meaningful name for the integration instance.
- Enter the API token that you generated in your Splunk tenant.
- Enter the URL of your Splunk instance, including the REST management port (8089 by default), for example https://splunk.example.com:8089.
- Click Add.
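As an added example (not part of the original page, and not Torq's or Splunk's own code), this Python module shows what the integration does with the two values entered above: it authenticates to the Splunk REST API with the token as a bearer credential and runs a one-shot search or saves an alert. It also shows the checks worth making on the instance URL and how to log a request without leaking the token. The endpoints (/services/search/jobs, /services/saved/searches), the Bearer header, and the saved-search parameter names are Splunk's documented REST interface; the hostname and token values are placeholders. The helper that builds the alert generalizes the page's webhook alert to any saved search.

```python
"""Added example, not Torq's or Splunk's code: how a workflow step uses the
Splunk API token and instance URL configured in the integration."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

SPLUNK_MGMT_PORT = 8089  # Splunk's default REST management port


def validate_splunk_url(base_url: str) -> str:
    """Normalize the instance URL and refuse forms that would leak or misroute the token."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError("use https: the bearer token travels in a request header")
    if parts.port is None:
        raise ValueError(f"include the management port, e.g. :{SPLUNK_MGMT_PORT}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("give only scheme://host:port")
    return f"https://{parts.hostname}:{parts.port}"


def _authed_post(base_url: str, token: str, path: str, params: dict) -> Request:
    """Build a form-encoded POST carrying the token as Authorization: Bearer."""
    body = urlencode(params).encode()
    return Request(
        validate_splunk_url(base_url) + path,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def build_search_request(base_url, token, spl, earliest="-15m", latest="now") -> Request:
    """One-shot search: results come back in the POST response, no job polling."""
    query = spl.strip()
    if not (query.startswith("search ") or query.startswith("|")):
        query = "search " + query  # the REST API requires the leading command
    params = {
        "search": query,
        "exec_mode": "oneshot",
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    }
    return _authed_post(base_url, token, "/services/search/jobs", params)


def build_alert_request(base_url, token, name, spl, webhook_url, cron="*/5 * * * *") -> Request:
    """Save a scheduled alert with a webhook action, the REST equivalent of the UI steps above."""
    query = spl.strip()
    if not (query.startswith("search ") or query.startswith("|")):
        query = "search " + query
    params = {
        "name": name,
        "search": query,
        "is_scheduled": "1",
        "cron_schedule": cron,
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": "0",
        "actions": "webhook",
        "action.webhook.param.url": webhook_url,
    }
    return _authed_post(base_url, token, "/services/saved/searches", params)


def request_params(req: Request) -> dict:
    """Decode a built request's form body back into a dict (for inspection and tests)."""
    return {k: v[0] for k, v in parse_qs(req.data.decode()).items()}


def describe_request(req: Request) -> dict:
    """Loggable view of a request with the bearer token masked."""
    headers = dict(req.header_items())
    if "Authorization" in headers:
        headers["Authorization"] = "Bearer ***"
    return {"method": req.get_method(), "url": req.full_url, "headers": headers}


def run_oneshot_search(base_url, token, spl) -> list:
    """Execute the search against a live instance and return the result rows."""
    with urlopen(build_search_request(base_url, token, spl), timeout=60) as resp:
        return json.load(resp).get("results", [])


if __name__ == "__main__":
    req = build_search_request("https://splunk.example.com:8089", "<token>",
                               'source="udp:514" sourcetype="syslog"')
    print(describe_request(req))
    print(request_params(req))
```

The URL checks encode the two ways this integration is most often misconfigured: pointing it at Splunk Web (port 8000) instead of the management port, or at a plain-http URL, which would send the token in the clear. describe_request is what to log when debugging a failing step; never log the raw Authorization header.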