Splunk

Community-contributed integration

This integration is community-maintained. Reference: ory/integrates/siem-security-analytics/splunk.

Splunk provides log management and SIEM. Ingest Ory authentication events directly through Splunk's HTTP Event Collector (HEC), with no webhook handler needed.

How it works

An Ory Action POSTs each event directly to https://<splunk-host>:8088/services/collector/event with the header Authorization: Splunk {$HEC_TOKEN} (8088 is the default HEC port on Splunk Enterprise; Splunk Cloud uses a different host and port). The Action's body Jsonnet wraps the event in Splunk's HEC envelope: a JSON object whose event member carries the payload, with optional time (epoch seconds), source, sourcetype, index and host metadata beside it. The HEC token is a write credential for the target index, so store it as a secret rather than inline in the Action definition, and only send it over TLS.

Notable

  • For Splunk Enterprise Security, emit the CIM Authentication data model field names (user, src, action, app) in the event body so the built-in correlation searches apply without extra field aliases.
  • HEC accepts batched events: several HEC envelopes in one POST body (newline-delimited JSON objects), which cuts request volume for high-traffic projects. Each envelope still carries its own time and metadata.
  • The Splunk Cloud Platform endpoint is https://http-inputs-<stack>.splunkcloud.com:443/services/collector/event, on port 443 rather than 8088.
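The following is an added example, not the page's Jsonnet or code from Ory or Splunk. It shows in Python what the body Jsonnet has to produce: the HEC envelope around an Ory event, with CIM Authentication field names, newline-delimited batching for high-volume projects, the Authorization header, and the Enterprise versus Splunk Cloud endpoint. The Ory payload shape (flow_type, method, identity, request_headers) is a constructed approximation of an "after login" webhook body and should be checked against your project's real payload; hec_endpoint, to_hec_event, validate_envelope, to_hec_batch and hec_request are names chosen for this example.

```python
"""Added example: build Splunk HEC envelopes from Ory Action payloads.
Not Ory's Jsonnet and not Splunk's SDK. The Ory payload fields below are an
assumption modelled on an 'after login'/'after registration' webhook body."""
import json
import time
import urllib.request
from typing import Iterable, List, Optional

# Constructed sample events; field names are assumptions, not Ory's documented schema.
SAMPLE_ORY_EVENTS = [
    {
        "flow_type": "login",
        "method": "password",
        "identity": {"id": "a1b2c3", "traits": {"email": "alice@example.com"}},
        "request_headers": {"X-Forwarded-For": ["203.0.113.7"],
                            "User-Agent": ["curl/8.0"]},
    },
    {
        "flow_type": "registration",
        "method": "oidc",
        "identity": {"id": "d4e5f6", "traits": {"email": "bob@example.com"}},
        "request_headers": {"X-Forwarded-For": ["198.51.100.9, 10.0.0.1"]},
    },
]

CIM_REQUIRED = ("user", "src", "action", "app")  # CIM Authentication fields ES searches key on


def hec_endpoint(host: Optional[str] = None, cloud_stack: Optional[str] = None) -> str:
    """Splunk Enterprise listens on 8088; Splunk Cloud Platform on 443 under http-inputs-<stack>."""
    if cloud_stack:
        return f"https://http-inputs-{cloud_stack}.splunkcloud.com:443/services/collector/event"
    return f"https://{host}:8088/services/collector/event"


def to_hec_event(evt: dict, action: str = "success", sourcetype: str = "ory:identity",
                 index: Optional[str] = None, ts: Optional[float] = None) -> dict:
    """Wrap one Ory event in the HEC envelope; the inner 'event' uses CIM names."""
    headers = evt.get("request_headers", {})
    # The leftmost X-Forwarded-For hop is client-supplied and spoofable unless the
    # proxy in front of Ory overwrites it; weigh 'src' accordingly in detections.
    xff = headers.get("X-Forwarded-For", [""])[0]
    identity = evt.get("identity", {})
    envelope = {
        "time": ts if ts is not None else time.time(),  # epoch seconds, as HEC expects
        "source": "ory",
        "sourcetype": sourcetype,
        "event": {
            "action": action,  # Ory 'after' hooks only fire for flows that succeeded
            "app": "ory",
            "user": identity.get("traits", {}).get("email") or identity.get("id"),
            "user_id": identity.get("id"),
            "src": xff.split(",")[0].strip() or None,
            "http_user_agent": headers.get("User-Agent", [None])[0],
            "flow_type": evt.get("flow_type"),
            "method": evt.get("method"),
        },
    }
    if index:
        envelope["index"] = index
    return envelope


def validate_envelope(env: dict) -> List[str]:
    """Problems a pre-send check would flag; an empty list means the envelope is usable."""
    problems = []
    if not isinstance(env.get("event"), dict):
        return ["missing or non-object 'event'"]
    if "time" in env and not isinstance(env["time"], (int, float)):
        problems.append("'time' must be epoch seconds, not a string")
    for f in CIM_REQUIRED:
        if env["event"].get(f) in (None, ""):
            problems.append(f"CIM field '{f}' is empty")
    return problems


def to_hec_batch(events: Iterable[dict], **kw) -> bytes:
    """Newline-delimited envelopes; one POST to /services/collector/event carries all."""
    return "\n".join(json.dumps(to_hec_event(e, **kw), separators=(",", ":"))
                     for e in events).encode()


def parse_hec_batch(body: bytes) -> List[dict]:
    """Split a batch body back into envelopes, e.g. to inspect what Splunk will index."""
    return [json.loads(line) for line in body.decode().splitlines() if line.strip()]


def hec_request(url: str, token: str, body: bytes) -> urllib.request.Request:
    """Build the POST with the 'Splunk <token>' scheme; the token is a write credential."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    batch = to_hec_batch(SAMPLE_ORY_EVENTS)
    for env in parse_hec_batch(batch):
        print(validate_envelope(env) or "ok", env["event"]["user"], env["event"]["src"])
    req = hec_request(hec_endpoint(host="splunk.example.internal"), "HEC_TOKEN_PLACEHOLDER", batch)
    print(req.full_url, req.get_header("Authorization"))
    # urllib.request.urlopen(req) would deliver it; omitted so the example runs offline.
```

The validate_envelope step is the check worth keeping in a pipeline: a string time or a missing src does not fail the HEC call, it silently produces events that Enterprise Security correlation searches never match.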

Resources