# Collect data from Splunk

{% hint style="info" %}
See the changelog of this Listener type [here](/listeners/splunk-hec-listener.md).
{% endhint %}

## Overview

Onum supports integration with **Splunk**.

The **Splunk HEC** Listener uses the Splunk HTTP Event Collector (HEC) API. The Listener receives events from Splunk forwarders or any client using the HEC protocol and forwards them to the processing Pipeline in Onum. These are the endpoints supported:

<table><thead><tr><th width="270.08984375">Endpoint</th><th width="113.89453125">Method</th><th>Description</th></tr></thead><tbody><tr><td><code>/services/collector</code></td><td>POST</td><td>JSON formatted events</td></tr><tr><td><code>/services/collector/raw</code></td><td>POST</td><td>Raw text events (batched by newline)</td></tr><tr><td><code>/services/collector/health</code></td><td>POST</td><td>Health check endpoint</td></tr></tbody></table>

If your source does not support mutual TLS (mTLS) encryption, use the **Splunk HEC no mTLS** Listener for TLS encryption without requiring mTLS. We always recommend using mTLS encryption for maximum security.

The steps to set up the Splunk HEC no mTLS Listener are the same as below, so you can follow this article.

### Important Considerations Regarding Cloud Deployments

* In cloud-based Onum installations, the TLS configuration section of the Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions in this article.
* If you are defining this Listener in a cloud instance, Onum will automatically provide the Port and TLS configuration (mTLS for the Splunk Listener, TLS for Splunk HEC no mTLS Listener).
* In cloud deployments, these Listeners have an additional step in their creation process: Network configuration. Use these details to configure your data source to communicate with Onum. Click Download certificate to get the required certificate for the connection. You can also download it from the Listener details once it is created.
* When configuring a Listener in a cloud tenant, the port will always be 443. In on-prem deployments, the selected port must fall within the range of 1024 to 10000.
* In cloud deployments, endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that it may take up to 24-48 hours, depending on your organization's DNS configuration.
* Your data input must use Server Name Indication (SNI), which means it must send the hostname it is connecting to during the TLS handshake. If SNI is not used, the certificate routing will fail, and data will not be received, even if the certificate is valid.

Select **Splunk HEC** from the list of Listener types and click **Configuration** to start.

## Splunk Setup <a href="#open-telemetry-setup" id="open-telemetry-setup"></a>

You will need to create the required Splunk HEC token(s) for API authentication. Learn how to create and manage Splunk HEC tokens [in this article](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/10.2/get-data-with-http-event-collector/set-up-and-use-http-event-collector-in-splunk-web).

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Listeners > New listener**.
{% endstep %}

{% step %}
Double-click the **Splunk HEC** Listener.
{% endstep %}

{% step %}
Enter a **Name**<mark style="color:$primary;">**\***</mark> for the new Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
Enter the **Port**<mark style="color:$primary;">**\***</mark> you want to listen on. The default value is `8088`.
{% endstep %}

{% step %}
Then choose the required authentication method:

* **Single API key** - Choose this option if you're using a single endpoint. Select your Splunk HEC token from the list of secrets or create a new one. To create a new secret, click the **Select an** **API Key** field and select **New secret**. In the window that appears, give your secret a **Name** and turn off the **Expiration date** toggle if not needed. Then, click **Add new value** and paste the token you generated. Click **Save** when you're done.
* **Multiple API keys** - Choose this option if you're using several endpoints and want to use only a single Listener. Click **+** **Add API key** and add as many Splunk HEC tokens as required. For each of them, enter the **Token name** and click **Select API key** to choose it from the list of secrets or create it.

{% hint style="info" %}
Learn more about secrets [in this article](/administration/global-settings/organization-settings/secrets-management.md).
{% endhint %}
{% endstep %}

{% step %}
In the **Advanced configuration** section, you can activate the following options:

In cloud-based Onum installations, the **TLS** configuration section is not visible. In these setups, Onum automatically manages **TLS** certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain.** Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.

**Now there are two possible scenarios:**

If you didn't enter your **TLS** certificates, when you click **Create listener** you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. Here you will download the certificate (see the [steps after creation to do this](#download-certificate)).

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

If you entered the TLS certificates, you'll go directly to the Labels when you eventually click **Create listener**.

* **Enable TLS** - Activate this option and configure the following settings if you need to configure TLS authentication:
  * **Select minimum TLS version**<mark style="color:$primary;">**\***</mark> - Choose the required TLS version from the list.
  * **Select type**<mark style="color:$primary;">**\***</mark> - Choose the required client authentication type from the list.
  * **Select certificate**<mark style="color:$primary;">**\***</mark> - Select your certificate from the list of secrets or create a new one.
  * **Select private key**<mark style="color:$primary;">**\***</mark> - Select your private key from the list of secrets or create a new one.
  * **Skip TLS validations** - Decide whether to skip TLS validation or not.
* **Enable Acknowledgment** - The Splunk HEC acknowledgement endpoint (`/services/collector/ack`) allows clients to verify if events were successfully indexed by checking the status of `ackIDs`. However, keep in mind that the response lists all event IDs from the acknowledgment request, regardless of whether the events were received or processed.
  {% endstep %}

{% step %}
Finally, click **Create labels**. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as **Unlabeled**. Click **Create listener** when you're done.

{% hint style="info" %}
Learn more about labels in [this article](https://docs.onum.com/the-workspace/listeners/labels).
{% endhint %}
{% endstep %}

{% step %}
Click **Create listener** when you're done.
{% endstep %}
{% endstepper %}
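
Once the Listener exists, a client can be checked against it with a short script. The following is an added example, not Onum's or Splunk's own code: it builds a request for `/services/collector` or `/services/collector/raw` using Splunk's `Authorization: Splunk <token>` header, verifies the Listener certificate, optionally presents a client certificate for mTLS, and refuses an IP address as the host because no SNI would be sent. The host name, token and file paths are placeholders, and sending several JSON events as consecutive objects follows Splunk's HEC format and is assumed to be accepted by the Listener.

```python
import ipaddress
import json
import ssl
import urllib.request


def make_tls_context(ca_file=None, client_cert=None, client_key=None):
    """TLS settings for a HEC client: verify the Listener, optionally present a client cert."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:  # mTLS Listener: present the client certificate and key
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_hec_request(host, port, token, events, raw=False):
    """Build a POST for /services/collector (JSON) or /services/collector/raw (text)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name: the TLS library will send it as SNI
    else:
        raise ValueError("use the Listener's DNS name; no SNI is sent for an IP address")
    if raw:
        path, ctype = "/services/collector/raw", "text/plain"
        body = "\n".join(events)  # raw events are batched by newline
    else:
        path, ctype = "/services/collector", "application/json"
        body = "\n".join(json.dumps({"event": e}) for e in events)
    return urllib.request.Request(
        f"https://{host}:{port}{path}",
        data=body.encode("utf-8"),
        headers={"Authorization": f"Splunk {token}", "Content-Type": ctype},
        method="POST",
    )


def send(request, ctx, timeout=10):
    """Send the request over TLS and return the HTTP status code."""
    with urllib.request.urlopen(request, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed placeholders, not real Onum values.
    req = build_hec_request("listener.example.invalid", 443,
                            "00000000-0000-0000-0000-000000000000",
                            ["login failed user=alice", "login ok user=bob"], raw=True)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

For a cloud Listener, pass the certificate downloaded from the **Network configuration** screen as `ca_file` if your source needs it to trust the endpoint; for an mTLS Listener, also pass `client_cert` and `client_key`.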


