# Splunk

The content type used most often for a Splunk integration is **Alert**. You may be able to use some of the other content types when you have Splunk set up as a Data Source.

We use the following endpoint to export Aisera Alerts (Events):

```
# The Authorization value is base64("username:password"); it is truncated here.
curl --location --request POST 'https://localhost:8089/services/search/v2/jobs/export' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic c3B....' \
--data-urlencode 'search=search * | head 100' \
--data-urlencode 'output_mode=xml'
```

## Integration Configuration <a href="#integration-configuration" id="integration-configuration"></a>

To create a new Splunk integration:

1. Choose **Settings > Integration** in the Aisera Admin UI.
2. Click the **+ New Integration** button.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2F2cSHpw47GvvrZECSGAkW%2Fnew_integ_splunk.png?alt=media&#x26;token=690efb5c-c8fa-4784-a3c4-a8d9f9a5a9b4" alt="" width="375"><figcaption><p>Choose the Splunk Icon</p></figcaption></figure></div>

3. Select the Splunk icon.
4. Add a **Name** for the integration and type in the endpoint URL.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FMWHgbmdL2rIm5AKV8GPK%2Fsplunk2.png?alt=media&#x26;token=92086a94-084f-4b57-ab8a-fec7449c3160" alt="" width="563"><figcaption><p>Add the Integration Name and Endpoint</p></figcaption></figure></div>

5. The Splunk integration supports **Basic** authorization. Provide a username and password. \
   The port information is required but will not be used. You can type any number in the Port field.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FiHFOrU15rdYBMwyNAo63%2Fsplunk3.png?alt=media&#x26;token=a6d63766-87d2-4cbb-b624-5c767c82ac8f" alt="" width="563"><figcaption><p>Choose the Auth Type and Add Basic Auth Information</p></figcaption></figure></div>

## Data Source Configuration

To create the Splunk Data Source:

1. Select **Settings > Data Source** in the Aisera Admin UI.
2. Click the **+ New Data Source** button.
3. Search for Splunk.
4. Choose the Splunk icon.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FxhxibfXHL05UOcArYxT9%2Fsplunk_ds1.png?alt=media&#x26;token=27ea2891-1118-418a-8aac-c3dd60cc235f" alt="" width="375"><figcaption><p>Choose the Splunk Icon</p></figcaption></figure></div>

5. Give the data source a **Name**, select the Source **Type** (Upstream or Downstream), choose the name of the **Integration** you just created (in the previous steps), and set the **Schedule** configuration.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FidqiknqkHr93MU1MaEt6%2Fsplunk_ds3.png?alt=media&#x26;token=14e0cfab-2d06-41c5-a71a-4484cbe9f21d" alt="" width="563"><figcaption><p>Choose the Type, Integration, and Schedule</p></figcaption></figure></div>

6. Click **Next**.
7. Don't enter any values on the **Search Query** page in the **Configuration** tab. The Search Query on this page is ignored.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FgtEC3H6ywLpqoZNYlunE%2Finteg_ds5.png?alt=media&#x26;token=79ac11a2-c318-465f-8a8d-5b0dd0aa6f86" alt="" width="563"><figcaption><p>Ignore the Configuration Tab Variables</p></figcaption></figure></div>

8. Click **OK**.
9. Provide the actual **Port Number** and the **Search Query** as an override configuration.

<div align="left"><figure><img src="https://3281977978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FvBFXjH9S1CAy9f5hzg5Q%2Fuploads%2FFGQUBC6wgGeUbfeudKC7%2Finteg_ds6.png?alt=media&#x26;token=8c7a96f7-f171-4a3a-a821-5cbfd5cfe782" alt="" width="563"><figcaption><p>Override Parameters</p></figcaption></figure></div>

The example in the screenshot above is:

```
{
  "contextParameters": {
    "port": "8089",
    "search_query":"search * | head 100"
  }
}
```

One easy option to fetch the last 100 events is:

```
search * | head 100
```

You can find the official Splunk documentation on SPL2 (the query language that Splunk uses) at the following link: [**SPL2 Command Quick Reference**](https://help.splunk.com/en/splunk-cloud-platform/search/spl2-search-reference/quick-reference-for-spl2-commands/spl2-command-quick-reference)
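The curl command at the top of this page, the override parameters and the `search * | head 100` query fit together as follows. This Python script is an added example, not Aisera's or Splunk's code; it assumes the host, port and Basic credentials shown on this page and the XML results layout of the constructed sample (one `<result>` per event, `_raw` delivered in `<v>`, other fields in `<value><text>`).

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SPLUNK_HOST = "localhost"  # assumed; same host and port as the curl example
SPLUNK_PORT = 8089


def build_export_request(username, password, search_query,
                         host=SPLUNK_HOST, port=SPLUNK_PORT):
    """Return (url, headers, body) equivalent to the page's curl command."""
    # Basic auth is only base64("user:password"): handle it like a bearer token.
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"https://{host}:{port}/services/search/v2/jobs/export"
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {token}"}
    body = urllib.parse.urlencode({"search": search_query, "output_mode": "xml"})
    return url, headers, body


def parse_export_xml(xml_text):
    """One dict per <result>: _raw comes as <v>, other fields as <value><text>."""
    events = []
    for result in ET.fromstring(xml_text).iter("result"):
        event = {}
        for field in result.findall("field"):
            raw = field.find("v")
            if raw is not None:
                event[field.get("k")] = "".join(raw.itertext())
            else:
                event[field.get("k")] = [t.text for t in field.iter("text")]
        events.append(event)
    return events


# Constructed sample response (not captured from a real Splunk instance).
SAMPLE_XML = """<results preview='0'>
<result offset='0'>
<field k='host'><value><text>web01</text></value></field>
<field k='_raw'><v xml:space='preserve'>alert=disk_full severity=high</v></field>
</result>
<result offset='1'>
<field k='host'><value><text>db02</text></value></field>
<field k='_raw'><v xml:space='preserve'>alert=backup_failed severity=medium</v></field>
</result>
</results>"""
```

Feed the body returned by `build_export_request` to an HTTPS POST against the URL it returns, then pass the response text to `parse_export_xml` to get the events the Alert content type ingests.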

### **Field Maps**

The field maps for **Splunk Data Sources** may need to be manually configured, depending on the schema of the **Splunk Alerts**. Look at the [**Field Mapping**](https://docs.aisera.com/aisera-platform/data-ingestion#field-mapping) on the Data Sources page after the Alerts data has been ingested.
