# Splunk

## Pre-installation configuration

Before you install a Spherical stack, you must first set up a **HTTP Event Collector** in your installation of **Splunk**.

1. For **Splunk Enterprise** or self-service **Splunk Cloud**, first go to 'Settings'.
2. Click 'Data inputs' and navigate to 'HTTP Event Collector'.
3. Click 'Global Settings'.&#x20;
4. Click the Enable button, and then click Save. (For more information, see "Enable HTTP Event Collector" in the Getting Data in the Splunk manual).&#x20;

   *Note: For managed Splunk Cloud, submit a support ticket to have the feature enabled.*&#x20;
5. Create at least one input token. You'll need this token later.

![Settings for Splunk Enterprise and self-service Splunk Cloud.](/files/-LuIakfvk3gLGAutYP4o)

![Data input settings.](/files/-LuIkGDzNQVi1Whz1DP4)

### Token

1. For Splunk Enterprise or self-service Splunk Cloud, click the 'Add New' button.&#x20;
2. Proceed through the 'Add Data' workflow until you've successfully created a token. \
   \&#xNAN;*(For more information, see 'Create an Event Collector' token in the 'Getting Data In' Splunk manual).*
3. For managed Splunk Cloud, submit a support ticket to create or manage a token.

![Configuring a new token for recieving HT](/files/-LuIbUleCeRS18XPJHI1)

### Splunk URL

In addition to an authorisation token, you also need a Splunk URL. This varies depending on your type of Splunk deployment.

*Enterprise:* `<protocol>://<host>:<port>/<endpoint>` \
\&#xNAN;*Managed Cloud:* `<protocol>://http-inputs-<host>:<port>/<endpoint>` \
\&#xNAN;*Self-Service Cloud:* `<protocol>://input-<host>:<port>/<endpoint>`

| Field    | Description                                                                                  |
| -------- | -------------------------------------------------------------------------------------------- |
| Protocol | Either HTTP or HTTPs                                                                         |
| Host     | The Splunk instance that runs HEC                                                            |
| Port     | The HEC port number, which is 8088 by default, but you can change in the HEC Global Settings |
| Endpoint | The HEC endpoint you want to use. Usually this is the `/services/collector` endpoint         |

Once you have got both a **Splunk URL** and a **Token**, you can go ahead and create a Spherical stack using CloudFormation.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://guide.sphericaldefence.com/guide/integrations/splunk.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.