Skip to main content

Splunk

Integrate Splunk with Torq to trigger workflows from alerts and perform searches.

Updated over 2 weeks ago

Splunk is a data analytics and security platform that collects, indexes, and analyzes machine-generated data.

Did you know? Splunk has a dedicated App for Torq Log Insights!

Torq enables quick and easy integration with Splunk, so you can automate anything and everything within moments. Torq's public Splunk steps include:

  • Get Results from Search Job

  • Create New Search Job

  • Create Authentication Token

  • Update notable Event

  • +22 more...

If you don't see a step you need, you can create your own in various ways, such as using the Send an HTTP Request step or Torq’s Step Builder, and share it across your organization.

To trigger a Torq workflow based on events sent from Splunk, look here.

To use Splunk steps in Torq workflows, look here.

Use Splunk to Trigger Workflows in Torq

Step One: Create a Splunk Trigger Integration in Torq

  1. Navigate to Integration: Go to Build > Integrations > Triggers > Splunk and click Add.

  2. Fill in the Details:

    1. Give the integration a unique and meaningful name.

    2. (Optional) Under Authentication Headers click Add.

      1. Give the secret a name.

      2. Click Generate Random Secret.

      3. Copy the secret to use in Splunk.

  3. Finalize: Click Add.

Step Two: Configure the Webhook in Splunk

With Splunk Enterprise v9.0 and Splunk Cloud v8.2.2203, Splunk implemented additional security controls requiring the configuration of authorized URL endpoints to which a webhook alert action may be sent. To send an alert action webhook to Torq, ensure that the webhook allow list is updated.

Splunk Enterprise customers must adjust the [webhook] stanza of alert_actions.conf while Splunk Cloud customers may use Splunk Web to make the necessary changes. Splunk performs a regular expression match against URLs that appear in the allow list. If there is a string match, an alert is sent to the specified webhook URL.

Splunk recommends that when adding a URL to the webhook allow list, it be defined as completely as possible to achieve the most restrictive match.

Choose either of the following regex string matches:

  • To handle webhooks generated anywhere within the Torq ecosystem, configure https:\/\/(.*\.|)torq.io\/?.*\/

  • To allow only the precise webhook URL defined within Torq, specify your environment:

    1. https:\/\/(.*\.|)hooks.torq.io\/?.*\/ for US deployments, or

    2. https:\/\/(.*\.|)hooks.eu.torq.io\/?.*\/ for European deployments

For more information on this feature and how to configure it, consult your applicable Splunk Enterprise or Splunk Cloud documentation.

Step Three: Create an Alert in Splunk

To create an alert, you'll define and run a Splunk query and save that query as an alert. This alert will be sent via webhook to Torq as a trigger event, either in real time or on a schedule.

By default, real-time alerts in Splunk Cloud are disabled. Configure the alert as appropriate and supported in your environment. Splunk Cloud also supports sending alerts on a schedule. For more information, refer to Splunk's documentation (for Splunk Enterprise and Splunk Cloud).

  1. Navigate to Search: In your Splunk platform, go to your homepage and click Search & Reporting.

  2. Create a search: Enter a search query in the search bar and run the search. For this example, we'll use the search query source="udp:514" sourcetype="syslog".

  3. Save the alert: Save the search as an alert.

    Screenshot showing how to create and save a query as an alert in Splunk.

  4. Fill in the Save Alert form:

    1. Under Settings:

      1. Give the alert a unique and meaningful name.

      2. Give the alert an appropriate description.

      3. Set the appropriate permissions.

      4. In the Alert type section, choose if the alert will run in real-time or define the run schedule.

    2. Under Trigger Conditions, set the required conditions for your trigger.

    3. Under Trigger Actions:

      1. Click Add Actions and select Webhook.

      2. Enter the Splunk webhook URL (Torq endpoint) you created in step one.

  5. Finalize: Click Save

Now that you've successfully created a Splunk trigger, you can build your first Splunk-initiated workflow!

In Torq, go to Build > Workflows > Create a Workflow > New Blank Workflow, and select the trigger type: Integrations > Splunk. Find your new trigger, and automate away!

Use Splunk Steps in Torq

Step One: Create a Splunk API Token

  1. Log in: Sign in to your Splunk account.

  2. Create a new token: Click Settings > Tokens. Click New Token.

    1. If this is your first time using tokens, you might have to enable token authentication.

  3. Fill in the details: Configure the token parameters.

    1. User: The user who will receive the token.

    2. Audience: The purpose of the token.

    3. Expiration: Select the relevant expiry condition.

    4. Not before: This is the date from which the token can be used.

    5. Click Create to create the token.

    6. Save the token: After you create the token, it will appear in the Token field. Ensure you copy it because it will not be accessible once you close the window.

  4. Finalize: Click Close.

    Screenshot showing how to navigate to the page where you'll create an API key.

All Splunk integration steps will also work when using a Splunk Cloud integration, but the Splunk Cloud steps are unique to the Splunk Cloud integration.

Step Two: Configure ACL for Splunk Cloud

Splunk Cloud requires the configuration of its ACLs to allow access to the API port; adding Torq IPs to the Splunk Cloud IP allows rules for the search heads (SHC and ES Search head) via port 8089 (Splunk API).

Historically, this meant opening a ticket with Splunk or using Splunk's Admin Control Service (ACS) API. As of August 2024, Splunk simplified the configuration with a Splunk Web-based option for self-service configuration of IP-allow rules.

For additional information from Splunk on configuring the ACLs for Splunk Cloud, see the Configure IP allow lists for Splunk Cloud Platform - Splunk Documentation.

To perform search operations on Splunk Cloud:

  • Search head API access (by default, port 8089) to the applicable search head: https://[vanity URL].splunkcloud.com:8089

  • You may configure multiple integrations, one for each search head you wish to query, such as Enterprise Security, ITSI, and your search head cluster.

  • To send data to Splunk Cloud (such as Torq audit and activity logs):

    • HEC access (port 443 for Splunk Cloud, port 8088 by default for Splunk Enterprise) to the HEC endpoint: https://http-inputs-[vanity URL].splunkcloud.com

    • This requires the configuration of an HEC token separate from the API token used for performing search operations.

For more information about Splunk tokens, see the Splunk documentation.

Step Three: Create a Splunk Steps Integration in Torq

The following integration can be used for Splunk Enterprise and Splunk Cloud steps.

  1. Navigate to Integration: Go to Build > Integrations > Steps > Splunk Enterprise and click Add.

  2. Fill in the Details:

    1. Give the integration a unique and meaningful name.

    2. In the Splunk URL including port field, paste the URL for your Splunk platform.

    3. In the Splunk API token field, paste the Splunk token that you copied previously in step one.

  3. Test: Click Test Integration to verify the integration is configured correctly.

  4. Finalize: Click Add.

FAQs

Templates

Now that you've added your integrations, check out these specially crafted templates by Torq's security experts. Visit Torq's template library for more.

Related Articles
CrowdStrike
Orca Security
Thinkst Canary
Datadog
monday.com
Did this answer your question?