# Splunk

The content type used most often for a Splunk integration is **Alert**. Some of the other content types may also be usable once Splunk is set up as a Data Source.

The integration exports Aisera Alerts (Events) from Splunk through the search export endpoint of the Splunk REST API, which listens on the Splunk management port (8089 by default). The call it performs is equivalent to:

```bash
# Replace localhost with the Splunk host entered on the Integration.
# The Basic token is base64("username:password") and is truncated here.
curl --location --request POST 'https://localhost:8089/services/search/v2/jobs/export' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic c3B....' \
--data-urlencode 'search=search * | head 100' \
--data-urlencode 'output_mode=xml'
```

## Integration Configuration

To create a new Splunk integration:

1. Choose **Settings > Integration** in the Aisera Admin UI.
2. Click the **+ New Integration** button.

<div align="left"><figure><img src="/files/OrXxaUMIyj8uqyVV2mQN" alt="" width="375"><figcaption><p>Choose the Splunk Icon</p></figcaption></figure></div>

3. Select the Splunk icon.
4. Add a **Name** for the integration and type in the endpoint URL.

<div align="left"><figure><img src="/files/YU44T7BBSDIHdmIuu2ZG" alt="" width="563"><figcaption><p>Add the Integration Name and Endpoint</p></figcaption></figure></div>

5. The Splunk integration supports **Basic** authentication. Provide a username and password. Because these credentials are sent with every export call, use a dedicated Splunk service account whose role is limited to searching the indexes Aisera needs. \
   The Port field is required but ignored; you can type any number in it. The real port is supplied later, in the Data Source override configuration.

<div align="left"><figure><img src="/files/FTen3M9XYuwy39lRKdV4" alt="" width="563"><figcaption><p>Choose the Auth Type and Add Basic Auth Information</p></figcaption></figure></div>

## Data Source Configuration

To create the Splunk Data Source:

1. Select **Settings > Data Source** in the Aisera Admin UI.
2. Click the **+ New Data Source** button.
3. Search for Splunk.
4. Choose the Splunk icon.

<div align="left"><figure><img src="/files/8F6xeX8rjW10DLTnBfth" alt="" width="375"><figcaption><p>Choose the Splunk Icon</p></figcaption></figure></div>

5. Give the data source a **Name**, select the Source **Type** (Upstream or Downstream), choose the name of the **Integration** you just created (in the previous steps), and set the **Schedule** configuration.

<div align="left"><figure><img src="/files/vsaq7G1hDEkXNB5fk6LY" alt="" width="563"><figcaption><p>Choose the Type, Integration, and Schedule</p></figcaption></figure></div>

6. Click **Next**.
7. Don't enter any values on the **Search Query** page in the **Configuration** tab. The Search Query on this page is ignored.

<div align="left"><figure><img src="/files/hpFzGGfV1Tf34EOpoNw3" alt="" width="563"><figcaption><p>Ignore the Configuration Tab Variables</p></figcaption></figure></div>

8. Click **OK**.
9. Provide the actual **Port Number** and the **Search Query** as an override configuration.

<div align="left"><figure><img src="/files/xzufrxh8G1NX0D7hQAeY" alt="" width="563"><figcaption><p>Override Parameters</p></figcaption></figure></div>

The example in the screenshot above is:

```json
{
  "contextParameters": {
    "port": "8089",
    "search_query": "search * | head 100"
  }
}
```

A simple query that fetches the 100 most recent events is:

```
search * | head 100
```

This is convenient for verifying the connection, but `search *` reads from every index the service account can see. In production, narrow the query to the index, sourcetype and time window that actually hold the alerts (SPL time modifiers such as `earliest` can bound the window to the ingestion schedule), so that each run returns only the events Aisera should turn into Alerts.

You can find the official Splunk documentation on SPL2, the newer version of the Splunk Search Processing Language, at the following link: [**SPL2 Command Quick Reference**](https://help.splunk.com/en/splunk-cloud-platform/search/spl2-search-reference/quick-reference-for-spl2-commands/spl2-command-quick-reference)
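As an added example that is not code from Aisera or Splunk, the following Python assembles the same export call shown in the curl example from the Integration endpoint plus the override parameters (port and `search_query`) configured above, and parses the XML stream the export endpoint returns. The host name, service-account credentials and the two sample events are constructed for the example. It goes slightly beyond the page in two places: it refuses to send the Basic header over plain HTTP or to submit a query that does not start with the `search` command (which the Splunk REST API rejects), and it handles the preview batches and multivalue fields that the export stream can contain.

```python
"""Added example, not Aisera's or Splunk's code: build the export call this
integration makes (Integration endpoint + override port and SPL query) and
parse the XML stream it returns. Host, credentials and events are constructed."""
import base64
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

EXPORT_PATH = "/services/search/v2/jobs/export"

# Override configuration as entered on the Data Source (the JSON shown above).
OVERRIDE_CONFIG = {"contextParameters": {"port": "8089",
                                         "search_query": "search * | head 100"}}


def basic_auth_header(username: str, password: str) -> str:
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_export_request(endpoint: str, override: dict, username: str,
                         password: str) -> urllib.request.Request:
    """The POST from the curl example. The Port field on the Integration form
    is ignored, so the port and the query come from contextParameters."""
    params = override["contextParameters"]
    parsed = urllib.parse.urlsplit(endpoint)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("endpoint must be https://; the Basic header is the password")
    query = params["search_query"].strip()
    # Splunk's REST API expects the string to begin with the `search` command
    # or a generating command (`| ...`); a bare `index=main` is rejected.
    if not query.startswith(("search", "|")):
        raise ValueError("search_query must begin with 'search' or '|'")
    url = f"https://{parsed.hostname}:{int(params['port'])}{EXPORT_PATH}"
    body = urllib.parse.urlencode({"search": query, "output_mode": "xml"}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": basic_auth_header(username, password)}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(req: urllib.request.Request, cafile: Optional[str] = None) -> bytes:
    # The management port ships with a self-signed certificate: pin Splunk's CA
    # instead of disabling verification, or the credentials can be intercepted.
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


_XML_DECL = re.compile(rb"<\?xml[^>]*\?>")


def parse_export_xml(stream: bytes) -> List[Dict[str, object]]:
    """One dict per event. The stream is a sequence of <results> documents,
    preview batches (preview='1') then the final one (preview='0'); strip the
    per-document XML declarations, wrap in a synthetic root, keep the final batch."""
    root = ET.fromstring(b"<stream>" + _XML_DECL.sub(b"", stream) + b"</stream>")
    events = []
    for results in root.iter("results"):
        if results.get("preview") == "1":
            continue
        for result in results.iter("result"):
            event = {}
            for field in result.iter("field"):
                raw = field.find("v")  # _raw is in <v>; other fields in <value><text>
                if raw is not None:
                    event[field.get("k")] = "".join(raw.itertext())
                else:
                    values = [t.text or "" for t in field.iter("text")]
                    event[field.get("k")] = values[0] if len(values) == 1 else values
            events.append(event)
    return events


# Constructed stand-in for what the export endpoint streams back.
SAMPLE_EXPORT_XML = b"""<?xml version='1.0' encoding='UTF-8'?>
<results preview='1'><result offset='0'><field k='host'><value><text>stale-preview</text></value></field></result></results>
<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'><meta><fieldOrder><field>_raw</field><field>host</field><field>tag</field></fieldOrder></meta>
<result offset='0'><field k='_raw'><v xml:space='preserve'>2024-05-01T10:00:00Z action=failure user=alice src=10.0.0.5</v></field>
<field k='host'><value><text>web-01</text></value></field>
<field k='tag'><value><text>authentication</text></value><value><text>failure</text></value></field></result>
<result offset='1'><field k='_raw'><v xml:space='preserve'>2024-05-01T10:00:03Z action=success user=bob src=10.0.0.9</v></field>
<field k='host'><value><text>web-02</text></value></field></result></results>
"""
```

To run it against a real instance, call `send(build_export_request("https://<splunk-host>", OVERRIDE_CONFIG, user, password), cafile="splunk-ca.pem")` and pass the bytes to `parse_export_xml`; the resulting dicts are what the Field Mapping step below has to map onto Alert fields.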

### **Field Maps**

The field maps for **Splunk Data Sources** may need to be manually configured, depending on the schema of the **Splunk Alerts**. Look at the [**Field Mapping**](/aisera-platform/adding-data-to-your-tenant/data-ingestion.md#field-mapping) on the Data Sources page after the Alerts data has been ingested.

