# Send data to Splunk

{% hint style="info" %}
See the changelog of the **Splunk HEC** Data sink type [here](/data-sinks/splunk-hec-data-sink.md).
{% endhint %}

## Overview

Onum supports integration with [Splunk HEC (HTTP Event Collector)](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector).

Splunk HEC is an interface that allows applications to send event data to Splunk directly via HTTP or HTTPS. Suppose you have an application that generates log events. Instead of writing these events to a log file and having Splunk read from there, you can configure Onum to send events directly to Splunk HEC. The application makes an HTTP POST request to Splunk HEC with the events in JSON format and the authentication token. Splunk receives these events in real time, indexes them, and makes them available for immediate analysis.

## Prerequisites

### Create and Configure an HEC Token

The HEC token is the authentication key that your sending application will use. You will obtain a unique, 32-character Token Value (a GUID).

When creating the token, you must specify:

* Source Type: How the data should be processed and rendered (e.g., `_json`, `access_combined`, etc.).
* Default Index: The index where the events received via this token will be stored (e.g., `main`, `security`, `custom_app_data`). This index must already exist.

### Secure Communication (Recommended)

Enable SSL/TLS in the HEC Global Settings and ensure you have the appropriate certificates installed.

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Data Sinks > New Data sink**.
{% endstep %}

{% step %}
Double-click the **Splunk HEC** Sink.
{% endstep %}

{% step %}
Enter a **Name** for the new Data Sink. Optionally, add a **Description** and some **Tags** to identify the Sink.
{% endstep %}

{% step %}
Decide whether or not to include this Data sink info in the metrics and graphs of the [**Home**](/the-workspace/home.md) area.
{% endstep %}

{% step %}
Add the **Splunk instance URL**<mark style="color:red;">**\***</mark>

* For on-premises deployments, this will be `<protocol>://<host>`
* In Cloud deployment setups, this will be `<protocol>://http-inputs-<host>.splunkcloud.com`

Find all your instances in **My Splunk > Instances**.

For the **Port**<mark style="color:red;">**\***</mark>, if not specified, port `8088` is used by default.
{% endstep %}

{% step %}
Choose how to **Authenticate** your connection to Splunk.

* For **Basic** authentication, enter your **Username**<mark style="color:red;">**\***</mark> and **Password**<mark style="color:red;">**\***</mark>. Select your password from the list of your tenant's [Secrets](/administration/global-settings/organization-settings/secrets-management.md) or create a new one. The username is the same as the one used to log in to the instance via the browser, and the password is the token value you'll use.
  * Enter the **Channel** name to connect to. The channel is a **Globally Unique Identifier** (**GUID**) that Onum sends in an HTTP header (`X-Splunk-Request-Channel`) along with its events.
* For **Token** authentication, choose the required **Token**<mark style="color:red;">**\***</mark>. Select your token from the list of your tenant's [Secrets](/administration/global-settings/organization-settings/secrets-management.md) or create a new one.
{% endstep %}

{% step %}
In the [Secrets](/administration/global-settings/organization-settings/secrets-management.md) area, click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the corresponding value.
* Click **Save**.

{% hint style="info" %}
Learn more about secrets in Onum in [this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}

You can now select the created secrets in the configuration.
{% endstep %}

{% step %}
Activate the **Bulk configuration** toggle if you want to allow bulk sending. Configure the following parameters:

* **Event time limit**<mark style="color:red;">**\***</mark> - If the bulk amount is not reached, enter the maximum time lapse between sends (in seconds). The minimum value is `1`.

Now, set the conditions to trigger bulk sending:

* **Event amount** - Enter the maximum number of events per batch. The minimum value is `1` and the maximum value is `15000` (default).
* **Event size** - Enter the maximum number of bytes in each batch. The minimum value is `1` and the maximum value is `5000000` (default).
{% endstep %}

{% step %}
Activate the **TLS configuration** toggle if you want to set a TLS connection. Configure the following parameters:

* **Minimum TLS version**<mark style="color:red;">**\***</mark> - Choose the minimum TLS version required for incoming connections.
* **Certificate**<mark style="color:red;">**\***</mark> - Select your CA certificate from the list of your tenant's [Secrets](/administration/global-settings/organization-settings/secrets-management.md) or create a new one.
* **Private key**<mark style="color:red;">**\***</mark> - Select your private key from the list of your tenant's [Secrets](/administration/global-settings/organization-settings/secrets-management.md) or create a new one.

By default, the **Skip TLS validations** toggle is activated. Deactivate it to configure the following:

* **CA chain**<mark style="color:red;">**\***</mark> - CA chain used by the Data sink to verify client certificates. Choose it from the list of your tenant's [Secrets](/administration/global-settings/organization-settings/secrets-management.md) or create a new one.
* **Subject Alternative Name** - Optionally, enter a Subject Alternative Name (SAN) for your TLS connection.
{% endstep %}

{% step %}
If your organization uses proxy servers, activate the **Proxy configuration** toggle and establish the connection here:

* **Scheme**<mark style="color:red;">**\***</mark> - Choose the required proxy scheme (**HTTP** or **HTTPS**).
* **Host**<mark style="color:red;">**\***</mark> - Set the required proxy address.
* **Port**<mark style="color:red;">**\***</mark> - Set the required proxy port.
* **Username** - Enter your proxy username.
* **Password** - Select your proxy password from the list of your tenant's [Secrets](/administration/global-settings/organization-settings/secrets-management.md) or create a new one.
{% endstep %}

{% step %}
Activate the **Use Gzip compression** toggle to allow using this type of compression.
{% endstep %}
{% endstepper %}

Click **Finish** when complete. Your new Data sink will appear in the **Data sinks** area list.
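
The following added example (not Onum's own code) shows how the three **Bulk configuration** triggers and the Gzip option from the steps above can interact. The `HecBatcher` class and its flush-before-overflow behavior for **Event size** are assumptions made for illustration; the batch body relies on Splunk HEC accepting several event objects stacked in one POST.

```python
import gzip
import json
import time

class HecBatcher:
    """Buffers events and flushes on the amount, size or time trigger."""

    def __init__(self, max_events=15000, max_bytes=5000000, time_limit_s=1,
                 use_gzip=False, clock=time.monotonic):
        # Defaults mirror the page: 15000 events, 5000000 bytes, 1 s minimum.
        self.max_events, self.max_bytes = max_events, max_bytes
        self.time_limit_s, self.use_gzip, self.clock = time_limit_s, use_gzip, clock
        self.buf, self.size, self.started = [], 0, None

    def add(self, event):
        """Add one event; return the list of request bodies that became ready."""
        line = json.dumps({"event": event}, separators=(",", ":")).encode()
        ready = []
        # Event size (assumed semantics): flush before the batch would overflow.
        if self.buf and self.size + len(line) > self.max_bytes:
            ready.append(self.flush())
        if not self.buf:
            self.started = self.clock()  # age is counted from the first event
        self.buf.append(line)
        self.size += len(line)
        # Event amount: flush as soon as the batch is full.
        if len(self.buf) >= self.max_events:
            ready.append(self.flush())
        return ready

    def tick(self):
        """Event time limit: call periodically to flush an old partial batch."""
        if self.buf and self.clock() - self.started >= self.time_limit_s:
            return self.flush()
        return None

    def flush(self):
        # Event objects are concatenated back to back in a single body.
        body = b"".join(self.buf)
        self.buf, self.size, self.started = [], 0, None
        # A gzip body must be sent with the Content-Encoding: gzip header.
        return gzip.compress(body) if self.use_gzip else body
```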

## Pipeline configuration

When it comes to using this Data Sink in a [Pipeline](/the-workspace/pipelines.md), you must configure the following output parameters. To do it, simply click the Data Sink on the canvas and select **Configuration**.

### Output configuration

Select the field to include in the output message. The data type must be `string`.

#### Event format

Choose whether to send the message in **JSON** or **Raw** format.

Set the following parameters in both:

* **Host** - Select the field that contains the host information. The data type must be `string`.
* **Source** - Select the field that contains the source information. The data type must be `string`.
* **Source type**<mark style="color:red;">**\***</mark> - Select the required source type to parse your data from the dropdown list. [See here for a comprehensive list.](https://docs.splunk.com/Documentation/Splunk/9.3.1/Data/Listofpretrainedsourcetypes)

  * Choose **manual** if you don't have a specific source type to use.
  * Select **none** to add a custom source type in the **Custom source type**<mark style="color:red;">**\***</mark> field that appears.

  Learn how to create new source types [here](https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Createsourcetypes).
* **Index** - Select the field that contains the index information. The data type must be `string`.

For **JSON**, you can **add fields** with name-value pairs to send in the JSON.
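
To check what reaches Splunk for each **Event format** and authentication mode, the added example below (not Onum's own code) builds the HEC request without sending it. The function name, host, token and channel values are constructed placeholders, and placing the added name-value pairs under the HEC `fields` key is an assumption about how they are sent.

```python
import base64
import json
from urllib.parse import urlencode

def build_hec_request(base_url, token, message, fmt, *, sourcetype, host=None,
                      source=None, index=None, fields=None, channel=None,
                      username=None, port=8088):
    """Return url, headers and body for one HEC POST (nothing is sent)."""
    meta = {"host": host, "source": source, "sourcetype": sourcetype, "index": index}
    meta = {k: v for k, v in meta.items() if v is not None}
    if username:  # Basic authentication: the HEC token is the password
        cred = base64.b64encode(f"{username}:{token}".encode()).decode()
        headers = {"Authorization": f"Basic {cred}"}
    else:         # Token authentication
        headers = {"Authorization": f"Splunk {token}"}
    if channel:
        headers["X-Splunk-Request-Channel"] = channel
    if fmt == "json":
        # Metadata sits in the envelope beside "event"; extra pairs go in "fields".
        envelope = {"event": message, **meta}
        if fields:
            envelope["fields"] = fields
        url = f"{base_url}:{port}/services/collector/event"
        body = json.dumps(envelope).encode()
    elif fmt == "raw":
        # The body is the message alone; metadata moves to the query string.
        url = f"{base_url}:{port}/services/collector/raw?{urlencode(meta)}"
        body = message.encode()
    else:
        raise ValueError(f"unknown event format: {fmt!r}")
    return {"url": url, "headers": headers, "body": body}

# Constructed sample values; the token and channel are placeholders, not real secrets.
TOKEN = "00000000-0000-0000-0000-000000000000"
CHANNEL = "11111111-1111-1111-1111-111111111111"
MSG = "user=alice action=login result=failure"
json_req = build_hec_request("https://splunk.example.com", TOKEN, MSG, "json",
                             sourcetype="_json", index="security",
                             fields={"pipeline": "demo"})
raw_req = build_hec_request("https://splunk.example.com", TOKEN, MSG, "raw",
                            sourcetype="access_combined", host="web01",
                            channel=CHANNEL, username="admin")
```

The returned parts can be handed to any HTTP client for a manual test against a non-production token and index.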


