Splunk

Integrate Splunk with Torq to trigger workflows from alerts, execute searches, and set alerts within workflows.

Updated over a week ago

The Splunk integration enables you to trigger workflows with Splunk alerts to perform searches and create alerts as part of a workflow.

Use Splunk to Trigger Torq Workflows

To ingest Splunk Enterprise alerts as events in Torq, you must create a generic Webhook integration in Torq and use the generated webhook URL (Torq endpoint) to configure an alert in Splunk. The alert data is sent via the webhook to Torq as a trigger event.

Image showing how logs flow from various services to Splunk and how Torq ingests them as events.

Configure a Webhook Integration in Torq

  1. Go to Build > Integrations > Triggers > Webhook and click Add.

  2. Type a meaningful name for the integration instance, for example, Splunk-Receiver, and click Add.

  3. Locate the integration and copy its webhook URL. You will need this when you create the alert in Splunk.

Create an Alert in Splunk

To create an alert, you'll define and run a Splunk query and save that query as an alert. This alert will be sent via webhook to Torq as a trigger event, either in real time or on a schedule.

By default, real-time alerts are disabled in Splunk Cloud; you need to contact Splunk to enable the feature. Splunk Cloud also supports sending alerts on a schedule.

  1. Go to your Splunk homepage and click Search & Reporting.

  2. Enter a search query in the search bar and run the search. For this example, we'll use the search query source="udp:514" sourcetype="syslog".

  3. Save the search as an alert.

    Screenshot showing how to create and save a query as an alert in Splunk.
  4. Fill in the save alert form.

  5. Enter a meaningful title, for example, Send alerts to Torq.

  6. In the Trigger Actions section, click Add Actions and select Webhook.

  7. Enter the webhook URL (Torq endpoint) you copied from Torq earlier and click Save.

    Screenshot showing how to configure a trigger action in Splunk.
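Once the alert above fires, Splunk POSTs a JSON body to the Torq webhook URL, and the first thing a receiving workflow should do is validate that body before acting on it. The following is an added example (not Torq's or Splunk's code) that parses and validates such a body; the field names follow Splunk's documented webhook alert payload, and the sample payload itself, including its host and `_raw` values, is constructed.

```python
import json

# Constructed sample of the JSON body that Splunk's webhook alert action POSTs
# to the Torq webhook URL. Field names follow Splunk's documented webhook
# payload (sid, results_link, search_name, owner, app, result); values are made up.
SAMPLE_ALERT_BODY = json.dumps({
    "sid": "scheduler__admin__search__RMD5example_at_1700000000_1",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=example",
    "search_name": "Send alerts to Torq",
    "owner": "admin",
    "app": "search",
    "result": {
        "host": "fw-edge-01",
        "source": "udp:514",
        "sourcetype": "syslog",
        "_raw": "<34>Jan  1 00:00:00 fw-edge-01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50000 ssh2",
    },
})

REQUIRED_TOP_LEVEL = ("sid", "search_name", "result")


def parse_splunk_alert(body: str) -> dict:
    """Validate a Splunk webhook alert body and flatten it into a workflow event.

    Rejecting malformed or truncated POSTs here keeps a workflow from running on
    empty fields; only the attributes downstream steps key off are kept.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise ValueError("top-level JSON value must be an object")
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in payload]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    result = payload["result"]
    if not isinstance(result, dict):
        raise ValueError("'result' must be an object (the first result row)")
    return {
        "alert_name": payload["search_name"],
        "sid": payload["sid"],
        "results_link": payload.get("results_link"),
        "host": result.get("host"),
        "source": result.get("source"),
        "sourcetype": result.get("sourcetype"),
        "raw": result.get("_raw"),
    }
```

The `sid` and `results_link` values let a workflow step fetch the full result set from Splunk later, rather than relying only on the single first row the webhook carries.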

Use Splunk Steps in a Torq Workflow

To use Splunk steps in Torq workflows, you must create a Splunk steps integration, which requires a Splunk Enterprise API token.

After you create the token, it will appear in the Token field. Ensure you copy it because it will not be accessible after you close the window.

Create a Splunk API Token

For more information about Splunk tokens, see the Splunk documentation.

  1. Sign in to your Splunk tenant.

  2. Click Settings > Tokens. If this is your first time using tokens, you might have to enable token authentication.

  3. Click New Token, configure the token parameters, and then click Create. In our example, the token will expire in 30 days.

    Screenshot showing how to navigate to the page where you'll create an API key.

Create a Splunk Enterprise Integration in Torq

  1. Go to Build > Integrations > Steps > Splunk and click Add.

  2. Type a meaningful name for the integration instance. This cannot be changed later.

  3. Enter the API token that you generated in your Splunk tenant.

  4. Enter the URL of your Splunk tenant (including port).

  5. Click Add.
