Connecting Splunk lets Traversal run read-only searches on your indexed logs and use the results as evidence during investigations.

What Traversal reads

  • Logs — search results from your indexed data via SPL queries

Setup

1. Find your Splunk REST API base URL

Use the Splunk splunkd management URL over HTTPS, for example https://splunk.mycompany.com:8089. This should be the base URL before any /services/... path. In standard deployments, this is usually port 8089. Do not use the Splunk Web UI URL if it points to a different port such as 8000.
Splunk Cloud: Port 8089 is not open by default. Ask your Splunk Cloud administrator to add the IP addresses that Traversal connects from to the IP allow list for the management port before the integration will work.
2. Choose an authentication method

Before you create a token:
  • Make sure token authentication is enabled in Splunk.
  • Your account must have a role with the edit_tokens_own capability to create tokens for yourself, or the edit_tokens_all capability to create tokens for any user on the instance.
  • The user the token is created for must already exist on that Splunk instance.
  • If your Splunk instance uses LDAP or SAML authentication, token creation can depend on your identity provider or directory configuration. Check with your Splunk administrator if token creation fails for an existing user.
  • Be ready to copy the full token immediately after you create it. Splunk only shows it once, and you cannot retrieve the full token later.
  1. In Splunk Web, sign in as a user who can create tokens.
  2. Go to Settings > Tokens.
  3. Click New Token.
  4. Create the token for a user with read access to the indexes Traversal should search.
  5. Click Create and copy the full token immediately. Splunk only shows it once.
3. Configure in Traversal

Go to Company Knowledge > Integrations, select Splunk, and enter the REST API base URL plus your chosen credentials. Click Save.

If the integration does not work as expected, confirm that:
  • the URL points to the Splunk management API over HTTPS
  • the token or user has read access to the indexes Traversal should search
  • the URL does not already include a /services/... path
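
A pre-flight check for the three points above, added here as an example and not part of Traversal's or Splunk's own tooling: it validates the base URL offline, then calls splunkd's `/services/authentication/current-context` endpoint with the token as a Bearer header to show which user and roles the token maps to. The function names and problem labels are hypothetical.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

PROBE_PATH = "/services/authentication/current-context?output_mode=json"

def check_base_url(url):
    """Return the problems found in a candidate splunkd base URL ([] means OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not-https")
    if not parts.hostname:
        problems.append("no-host")
    path = parts.path.rstrip("/")
    if path.startswith("/services"):
        problems.append("includes-services-path")  # base URL must stop before /services/...
    elif path:
        problems.append("unexpected-path")  # e.g. a Splunk Web page URL
    try:
        port = parts.port
    except ValueError:
        port = None
        problems.append("bad-port")
    if port == 8000:
        problems.append("looks-like-splunk-web-port")  # management port is usually 8089
    return problems

def build_probe(base_url, token):
    """Build (without sending) a read-only GET that asks splunkd whose token this is."""
    return urllib.request.Request(
        base_url.rstrip("/") + PROBE_PATH,
        headers={"Authorization": "Bearer " + token},
        method="GET",
    )

def probe(base_url, token, timeout=10):
    """Send the probe with TLS verification on; return (username, roles)."""
    problems = check_base_url(base_url)
    if problems:
        raise ValueError("fix the base URL first: " + ", ".join(problems))
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    with urllib.request.urlopen(build_probe(base_url, token), timeout=timeout, context=ctx) as resp:
        # Assumed response layout: entry[0].content holds username and roles
        content = json.load(resp)["entry"][0]["content"]
    return content.get("username"), content.get("roles", [])
```

The returned roles tell you which role's index permissions to review in Splunk; the probe itself does not search any index.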
