Splunk Integration

1. Configure an HTTP Event Collector in Splunk

Login to the Splunk Console
Go to Settings > Data Inputs

Splunk data inputs

Select HTTP Event Collector

Splunk http event collector

Click on New Token

Splunk new token

Enter form.
Name

Realm.Security

Splunk Config token form

Select an index to save data to or Create New Index

Splunk Select index

Click Review

Splunk Review add data form

Click Submit
Copy the token value and save it securely — you'll need it in the next section

Splunk Token value

🔗 Helpful Links

2. Configure an Output Feed in Realm

Create a Destination for Splunk:
- Use the Endpoint and Token obtained in the previous section
Add a new Output Feed:
- Set the Name (e.g., Splunk Output)
- Optionally add a Description
- Select Splunk as the method
- Enter the Endpoint
  Example:
```
https://http-inputs-<host>.splunkcloud.com
```

Note for Splunk Cloud Users
When configuring an Output Feed for Splunk Cloud, ensure your HEC endpoint follows this format:
https://http-inputs-<host>.splunkcloud.com
Failing to specify https can result in data being sent in an unexpected or unsupported format.
View Splunk’s official guidance

Paste the Token from the previous step
Choose the Format — we recommend starting with JSON or RAW unless otherwise specified

Troubleshooting

If data is not flowing through to Splunk

check if the Splunk token has permission to write to the configured index
check if there are any IP restrictions on Splunk ingestion ensure Realm IP range is allowed. Please contact Realm support to get a fixed IP range that can be whitelisted.