# Splunk

> Connect Splunk to run read-only log searches during investigations.

Connecting Splunk lets Traversal run read-only searches on your indexed logs and use the results as evidence during investigations.

## What Traversal reads

* **Logs** — search results from your indexed data via SPL queries

## Setup

<Steps>
  <Step title="Find your Splunk REST API base URL">
    Use the Splunk `splunkd` management URL over HTTPS, for example `https://splunk.mycompany.com:8089`.

    This should be the base URL before any `/services/...` path.

    In standard deployments, this is usually port `8089`. Do not use the Splunk Web UI URL if it points to a different port such as `8000`.

    <Info>
      **Splunk Cloud:** Port `8089` is not open by default. The integration will not work until your Splunk Cloud administrator adds the IP addresses that Traversal connects from to the IP allow list for the management port.
    </Info>
  </Step>

  <Step title="Choose an authentication method">
    <Tabs>
      <Tab title="Bearer token">
        Before you create a token:

        * Make sure token authentication is enabled in Splunk.
        * Your account must have a role with the `edit_tokens_own` capability to create tokens for yourself, or the `edit_tokens_all` capability to create tokens for any user on the instance.
        * The user the token is created for must already exist on that Splunk instance.
        * If your Splunk instance uses LDAP or SAML authentication, token creation can depend on your identity provider or directory configuration. Check with your Splunk administrator if token creation fails for an existing user.
        * Be ready to copy the full token immediately after you create it. Splunk only shows it once, and you cannot retrieve the full token later.

        1. In Splunk Web, sign in as a user who can create tokens.
        2. Go to **Settings > Tokens**.
        3. Click **New Token**.
        4. Create the token for a user with read access to the indexes Traversal should search.
        5. Click **Create** and copy the full token immediately. Splunk only shows it once.
      </Tab>

      <Tab title="Username and password">
        Use a Splunk user with read access to the indexes Traversal should search.

        Traversal signs in to Splunk and manages the session key automatically. You do not need to create or paste a session key yourself.
      </Tab>
    </Tabs>
  </Step>

  <Step title="Configure in Traversal">
    Go to **Company Knowledge > Integrations**, select Splunk, and enter the REST API base URL plus your chosen credentials.

    Click **Save**.

    If the integration does not work as expected, confirm that:

    * the URL points to the Splunk management API over HTTPS
    * the token or user has read access to the indexes Traversal should search
    * the URL does not already include a `/services/...` path
  </Step>
</Steps>
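
To check the base URL and a bearer token before saving them, the script below applies the URL rules from the setup steps and then asks `splunkd` which user and roles the token maps to. It is an added example, not Traversal's or Splunk's own code; the environment variable names `SPLUNK_BASE_URL` and `SPLUNK_TOKEN` are hypothetical.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

CONTEXT_PATH = "/services/authentication/current-context?output_mode=json"

def check_base_url(url):
    """Return problems found in a splunkd base URL (empty list means it looks right)."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("use https")
    if not parts.hostname:
        problems.append("missing host")
    if "/services" in parts.path:
        problems.append("strip the /services/... path")
    try:
        if parts.port == 8000:
            problems.append("port 8000 is typically Splunk Web; splunkd is usually 8089")
    except ValueError:
        problems.append("invalid port")
    return problems

def parse_context(body):
    """Extract (username, roles) from a current-context JSON response."""
    content = json.loads(body)["entry"][0]["content"]
    return content["username"], sorted(content.get("roles", []))

def whoami(base_url, token, timeout=10):
    """Ask splunkd which user and roles the bearer token maps to."""
    req = urllib.request.Request(
        base_url.rstrip("/") + CONTEXT_PATH,
        headers={"Authorization": f"Bearer {token}"},
    )
    # TLS certificate verification is left at urllib's default (enabled).
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_context(resp.read())

if __name__ == "__main__":
    # Hypothetical variable names; the token is read from the environment
    # so it does not end up in shell history.
    base, token = os.environ["SPLUNK_BASE_URL"], os.environ["SPLUNK_TOKEN"]
    issues = check_base_url(base)
    if issues:
        raise SystemExit("base URL problems: " + "; ".join(issues))
    user, roles = whoami(base, token)
    print(f"token maps to user {user!r} with roles {roles}")
```

Compare the reported user and roles with the account you intended to grant read access to the indexes Traversal should search.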

## More information

* [Splunk authentication tokens](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.1/authenticate-into-the-splunk-platform-with-tokens/create-authentication-tokens#ariaid-title6)
* [Basic concepts about the Splunk platform REST API](https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-user-manual/9.3/rest-api-user-manual/basic-concepts-about-the-splunk-platform-rest-api)
