# Splunk

Splunk is a SIEM platform that detects security threats by correlating logs and events across the enterprise. Connecting Splunk forwards its alert actions to Radiant Security over a webhook.

### Prerequisites

* [ ] Admin or Power User access to Splunk
* [ ] Splunk Enterprise, Splunk Enterprise Security, or Splunk Cloud

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select **Splunk Webhook**, then click **Data Feeds**.
4. Click **Credentials**.
5. In the **Credential Name** field, enter an identifiable name for this credential (e.g., `Splunk - Credentials`).
6. Under **Required Credentials**, enter a value in the **Connector tag** field (e.g., `webhook_connector`).
7. Click **Add Connector**.
8. Open the newly created connector. Under **Vendor Configuration**, copy and save the `Webhook URL` value. You will need it in the Configure alert actions section.
9. Click **Add Connector** to save your changes.

### Configure the webhook allow list

Splunk only posts webhook alert actions to URLs that match its allow list, so add a pattern for the Radiant webhook endpoint. The procedure depends on whether you use Splunk Enterprise or Splunk Cloud.

{% tabs %}
{% tab title="Splunk Enterprise" %}

1. In `$SPLUNK_HOME/etc/system/local`, edit the `alert_actions.conf` file. If `alert_actions.conf` does not exist, create it.
2. In the `[webhook]` section, add the following entry for Radiant Security:

```
[webhook]
allowlist.webhook1 = ^https:\/\/.*blastradius.*
enable_allowlist = true
```

{% endtab %}

{% tab title="Splunk Cloud" %}

1. In Splunk Web, click **Settings** > **Server settings** > **Webhook allow list**.
2. Enter a label for the endpoint (e.g., `radiant_connector`).
3. Enter the following regex pattern for the URI:

```
^https:\/\/.*blastradius.*
```

{% endtab %}
{% endtabs %}
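Before deploying an allow-list pattern, it is worth checking it against the actual `Webhook URL` copied from Radiant, so that a typo does not silently block the alert action. The script below is an added example, not part of this page or of Splunk's or Radiant's own tooling: it emulates the allow-list check with Python regular-expression semantics (an approximation of Splunk's matcher), and also derives a pattern anchored to the exact host of the webhook URL for administrators who prefer a narrower entry than the substring match shown above. The `WEBHOOK_URL` value is a constructed placeholder; substitute the one you copied.

```python
import re
from urllib.parse import urlsplit

# The allow-list pattern shown on this page for alert_actions.conf / Splunk Cloud.
PAGE_PATTERN = r"^https:\/\/.*blastradius.*"

# Constructed placeholder: replace with the Webhook URL copied from Radiant Security.
WEBHOOK_URL = "https://PLACEHOLDER-blastradius.example/webhook/PLACEHOLDER-TOKEN"


def allowlist_matches(pattern: str, url: str) -> bool:
    """Emulate the allow-list decision: the URL is accepted only if the
    pattern matches from the start of the string (Python re semantics)."""
    return re.match(pattern, url) is not None


def host_anchored_pattern(webhook_url: str) -> str:
    """Build a narrower pattern from the real webhook URL: HTTPS only, exactly
    that host (and port, if any), any path beneath it. Raises ValueError for
    anything that is not an https:// URL with a host."""
    parts = urlsplit(webhook_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Webhook URL must be an https:// URL with a host")
    return rf"^https://{re.escape(parts.netloc)}/.*"


def check_candidates(pattern: str, urls: list[str]) -> dict[str, bool]:
    """Return, for each candidate URL, whether the pattern would allow it.
    Useful for reviewing a pattern against the webhook URL plus a few
    deliberately wrong URLs before editing alert_actions.conf."""
    return {url: allowlist_matches(pattern, url) for url in urls}


if __name__ == "__main__":
    candidates = [
        WEBHOOK_URL,
        "http://PLACEHOLDER-blastradius.example/webhook/x",  # plain HTTP: rejected
        "https://unrelated.example/blastradius",             # substring elsewhere
    ]
    print("page pattern:", check_candidates(PAGE_PATTERN, candidates))
    tight = host_anchored_pattern(WEBHOOK_URL)
    print("host-anchored pattern:", tight)
    print("host-anchored:", check_candidates(tight, candidates))
```

Run it once with your real `Webhook URL` in `WEBHOOK_URL`: the first entry of each result must be `True`, otherwise the alert action will be refused. The page's pattern accepts any HTTPS URL containing `blastradius` anywhere in it, while the host-anchored variant accepts only the webhook's own host; either can be placed in the `allowlist.webhook1` value.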

### Configure alert actions

1. Sign in to Splunk with an admin account.
2. Navigate to **Apps** > **Search & Reporting** > **Alerts**.
3. For each alert you want to forward to Radiant Security:
   * Click **Edit** > **Edit Alert**.
   * Scroll to **Trigger Actions**.
   * Click **Add Actions** and select **Webhook**.
   * In the **URL** field, enter the `Webhook URL` you copied from Radiant Security.
4. Click **Save**.

<div align="left"><figure><img src="/files/UCDFBehZKNErvAJEPYca" alt=""><figcaption></figcaption></figure></div>

### Verify ingestion

After Splunk begins forwarding, confirm alerts and events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"splunk_webhook"`.
3. Confirm recent alerts and events appear.

{% hint style="info" %}
Allow several minutes for alerts and events to be parsed, indexed, and available for search.
{% endhint %}
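When nothing shows up in Log Management, it helps to confirm what Splunk actually sends before suspecting the connector. The receiver below is an added example, not code from this page, Splunk or Radiant: it validates one delivery against the JSON body Splunk's webhook alert action posts (top-level fields `result`, `sid`, `results_link`, `search_name`, `owner` and `app`, as documented by Splunk), and returns a short summary or a `400` with the reason. The sample body is constructed; the local port and the idea of temporarily pointing a second Webhook action at this receiver are assumptions, and that local URL must itself be permitted by the Splunk allow list.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample shaped like a Splunk webhook alert body. The field names are
# Splunk's documented payload keys; every value here is made up.
SAMPLE_BODY = json.dumps({
    "result": {"sourcetype": "WinEventLog:Security", "user": "PLACEHOLDER-user", "count": "3"},
    "sid": "scheduler__admin__search__PLACEHOLDER_at_1700000000_1",
    "results_link": "https://splunk.example.internal:8000/app/search/@go?sid=PLACEHOLDER",
    "search_name": "Excessive failed logons",
    "owner": "admin",
    "app": "search",
}).encode()

REQUIRED_KEYS = ("result", "sid", "search_name")


def summarize_alert(body: bytes, content_type: str = "application/json") -> dict:
    """Validate one webhook delivery and reduce it to the fields worth logging.
    Raises ValueError when the body is not the JSON object Splunk sends, so a
    misconfigured alert action is noticed here instead of silently accepted."""
    if not content_type.startswith("application/json"):
        raise ValueError(f"unexpected Content-Type: {content_type!r}")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from None
    if not isinstance(payload, dict):
        raise ValueError("body is not a JSON object")
    missing = [key for key in REQUIRED_KEYS if key not in payload]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    result = payload["result"] if isinstance(payload["result"], dict) else {}
    return {
        "search_name": payload["search_name"],
        "sid": payload["sid"],
        "app": payload.get("app"),
        "result_fields": sorted(result),
        "count": result.get("count"),
    }


def is_valid_delivery(body: bytes, content_type: str = "application/json") -> bool:
    """True if summarize_alert() accepts the delivery, False otherwise."""
    try:
        summarize_alert(body, content_type)
    except ValueError:
        return False
    return True


class SplunkWebhookHandler(BaseHTTPRequestHandler):
    """Minimal receiver: 200 for a well-formed Splunk alert, 400 with the reason otherwise."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            summary = summarize_alert(body, self.headers.get("Content-Type", ""))
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode())
            return
        self.log_message("alert %r sid=%s fields=%s",
                         summary["search_name"], summary["sid"], summary["result_fields"])
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    print(summarize_alert(SAMPLE_BODY))  # dry run against the constructed sample
    # Assumed local port; serve until interrupted.
    HTTPServer(("127.0.0.1", 8080), SplunkWebhookHandler).serve_forever()
```

A `200` in the receiver's log with the expected `search_name` shows the alert fired and the allow list admitted the URL; a `400` points at the payload or content type, and no request at all points at the trigger condition or the allow list rather than at Radiant.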
