Splunk (Audits)

Set up Splunk to receive Lenses audit entries.

Set up

1. Visit Admin → Connections and click New connection

Lenses.io Connection

2. Select Splunk

Splunk Connection

3. Provide a name and configuration

Lenses integrates with Splunk’s HTTP Event Collector API.

You must provide the host and port of the HTTP Event Collector endpoint of your Splunk installation. Additionally, you need to create an HTTP Event Collector Token within Splunk - this token must not have “Enable indexer acknowledgment” turned on.

Splunk Connection

Add channel

Next add one or multiple target Splunk channels.

1. Visit Admin → (Audits) Channels and click Splunk

Splunk audit channel

2. Set up the configuration options

Splunk audit details

For example, the configuration above creates a Splunk audit channel that uses the Splunk connection to create an event in Splunk for every Lenses audit entry, with a Splunk event source value of lenses-audits.

An example

If, for example, you create a rule to send audits to Splunk, then the moment a new audit entry is added, an HTTP API call is made to the Splunk endpoint.
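As an added example (not Lenses' own code), here is a minimal Python client for the per-entry HEC call described here and in the connection setup above, including a check for the token caveat: the audit entry fields, host name and token are constructed placeholders, while the `/services/collector/event` path, the `Authorization: Splunk <token>` header and HEC response code 10 ("Data channel is missing") come from Splunk's HEC documentation.

```python
import json
import urllib.error
import urllib.request

# HEC response codes from Splunk's HTTP Event Collector documentation.
HEC_SUCCESS = 0
HEC_CHANNEL_MISSING = 10   # returned when the token has indexer acknowledgment enabled

def build_hec_payload(audit: dict, source: str = "lenses-audits") -> dict:
    """Wrap one audit entry in the HEC event envelope. The audit dict is a
    constructed placeholder; ``source`` mirrors the channel's event source."""
    return {
        "source": source,
        "sourcetype": "_json",
        "time": audit["timestamp_ms"] / 1000,  # HEC expects epoch seconds
        "event": audit,
    }

def classify_hec_response(status: int, body: str) -> str:
    """Turn an HEC HTTP status and JSON body into an operator-readable verdict."""
    try:
        code = json.loads(body).get("code")
    except ValueError:
        code = None
    if status == 200 and code == HEC_SUCCESS:
        return "ok"
    if code == HEC_CHANNEL_MISSING:
        # With acknowledgment on, HEC requires an X-Splunk-Request-Channel header
        # that the Lenses channel does not send; recreate the token with it off.
        return "rejected: token has 'Enable indexer acknowledgment' turned on"
    if status in (401, 403):
        return "rejected: token invalid, disabled, or not authorised"
    return f"rejected: HTTP {status} (HEC code {code})"

def send_audit(host: str, port: int, token: str, audit: dict) -> str:
    """POST one audit entry to the HEC endpoint, the call made per new entry.
    Host, port and token are caller-supplied; 8088 is Splunk's default HEC port."""
    req = urllib.request.Request(
        f"https://{host}:{port}/services/collector/event",
        data=json.dumps(build_hec_payload(audit)).encode(),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_hec_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_hec_response(err.code, err.read().decode())
```

Calling `send_audit("splunk.example.internal", 8088, "<HEC-TOKEN>", {"timestamp_ms": 1700000000000, "user": "alice", "action": "TOPIC_CREATE"})` against a token created with indexer acknowledgment enabled returns the "rejected" verdict for code 10, which is the symptom to look for when audits never appear in Splunk.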

Additional info

Users with the manage audit log permission can create audit channels.