Splunk

Connect Splunk to Sentry with the Data Forwarding feature.

Enabling HEC

To get started, you’ll need to first enable the HTTP Event Collector:

Under Settings, select Data Inputs:

Select HTTP Event Collector under Local Inputs:

Under your HEC settings, click Global Settings:

Change “All Tokens” to “Enabled”, and note the HTTP Port Number (8088 by default):

Note: If you’re running Splunk in a privileged environment, you may need to expose the HEC port.

Creating a Sentry Input

Under HTTP Event Collector, create a new Sentry input by clicking “New Token”:

Enter a name (e.g. Sentry), and click “Next”:

Select the index you wish to make accessible (e.g. main), and click “Review”:

You’ll be prompted to review the input details. Click “Submit” to continue:

The input has now been created, and you should be presented with the Token Value:

Enabling Splunk Forwarding

To enable Splunk forwarding, you’ll need the following:

  • Your instance URL (see note below)
  • The Sentry HEC token value

In Sentry, navigate to the project you want to forward events from, and click “Project Settings”:

Navigate to “Data Forwarding”, and enable the Splunk integration:

Your instance URL is going to vary based on the type of Splunk service you’re using. If you’re using self-service Splunk Cloud, the instance URL will use the input prefix:

https://input-<host>:8088

For all other Splunk Cloud plans, you’ll use the http-inputs prefix:

https://http-inputs-<host>:8088

If you’re using Splunk behind your firewall, you’ll need to fill in the appropriate host.

Once you’ve filled in the required fields, hit “Save Changes”:

We’ll now begin forwarding all new events into your Splunk instance.
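To confirm that the instance URL and token are accepted by HEC, independently of Sentry, the following added example (not part of the original Sentry or Splunk documentation) builds the URL for each service type described above and posts one constructed test event. The plan names, function names and the `HEC_TOKEN` environment variable are assumptions of this example.

```shell
# Added example: check a Splunk HEC URL and token before relying on forwarding.
# Plan names (self-service, cloud, self-hosted) are labels chosen for this example.

# hec_url PLAN HOST [PORT]: print the instance URL for the given service type.
hec_url() {
  [ -n "$2" ] || { echo "hec_url: host required" >&2; return 2; }
  case "$1" in
    self-service) printf 'https://input-%s:%s\n' "$2" "${3:-8088}" ;;
    cloud)        printf 'https://http-inputs-%s:%s\n' "$2" "${3:-8088}" ;;
    self-hosted)  printf 'https://%s:%s\n' "$2" "${3:-8088}" ;;
    *) echo "hec_url: unknown plan '$1'" >&2; return 2 ;;
  esac
}

# hec_is_success BODY: succeed only if the HEC response reports code 0.
hec_is_success() {
  printf '%s' "$1" | grep -Eq '"code" *: *0[^0-9]'
}

# hec_check URL: send one constructed test event, authenticating with $HEC_TOKEN.
hec_check() {
  local url="$1" body
  [ -n "${HEC_TOKEN:-}" ] || { echo "hec_check: set HEC_TOKEN first" >&2; return 2; }
  # The Authorization header is passed to curl on stdin (-K -) so the token
  # does not appear in the process list. TLS verification stays on (no -k).
  body=$(printf 'header = "Authorization: Splunk %s"\n' "$HEC_TOKEN" |
    curl -sS --max-time 10 -K - \
      -d '{"event": "sentry forwarding connectivity test"}' \
      "$url/services/collector/event") || return 1
  hec_is_success "$body" || { echo "HEC rejected the event: $body" >&2; return 1; }
  echo "HEC accepted the test event at $url"
}

# Usage (the host below is a placeholder):
#   read -rs HEC_TOKEN && export HEC_TOKEN
#   hec_check "$(hec_url cloud example.splunkcloud.com)"
```

A rejected token or a disabled collector comes back as a non-zero `code` in the response body, which `hec_check` prints so the cause can be fixed in the HEC settings.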