Splunk
- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Splunk Connector integrates with a Splunk Enterprise / Splunk Cloud instance through the Splunk REST API. It synchronizes data by executing a configured SPL (Search Processing Language) search: the connector creates a search job, waits for the job to finish, and retrieves the paginated search results. Each result row is mapped to a Brinqa Connector Object whose attributes are derived dynamically from the fields returned by the search, so the synced data model adapts to whatever the configured search produces.
Data retrieved from Splunk
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Result | Yes | (Dynamic / Search Result) |
For detailed steps on how to view the data retrieved from Splunk in the Brinqa Platform, see How to view your data.
Attributes for this model are derived dynamically from the Splunk search results — all fields returned by the search are added as attributes. Collection values are multi-valued; others are single-valued.
Connection settings
When setting up a data integration, select Splunk from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Server URL | Yes | https://<server>:8089 | Splunk server URL |
| Username | Yes | (none) | Splunk account username |
| Password | Yes | (none) | Splunk account password |
| Page size | No | 100 | Maximum number of records to get per API request |
| Parallel requests | No | min(4, processors) | Maximum number of parallel API requests |
| SSL / TLS | No | false | Skip certificate verification |
Authentication
The connector authenticates to the Splunk REST API using HTTP Basic authentication. The configured username and password are sent as preemptive Basic credentials on every request (the connector primes its auth cache so the Authorization header is included on the first call rather than waiting for a 401 challenge).
There is no separate token-exchange step — the same Basic credentials are reused on the search-job creation, job-status, and results requests.
Connection Test / Authenticated Request
| Method | URL |
|---|---|
GET | {baseUrl}/services/search/jobs |
The connection test issues an authenticated GET against the search jobs endpoint with count=1 and output_mode=json; a successful (2xx) response confirms the credentials and connectivity.
Request Headers
| Header | Value | Description |
|---|---|---|
Authorization | Basic base64(username:password) | HTTP Basic credentials, sent preemptively |
Accept | application/json | JSON responses are requested via output_mode |
Sample Request
GET /services/search/jobs?count=1&output_mode=json HTTP/1.1
Host: <splunk-host>:8089
Authorization: Basic YWRtaW46********
Sample Response
{
"links": {},
"origin": "https://<splunk-host>:8089/services/search/jobs",
"paging": { "total": 0, "perPage": 1, "offset": 0 },
"entry": []
}
Response Fields
| Field | Description |
|---|---|
origin | The canonical URL of the search jobs endpoint |
paging | Pagination metadata (total jobs, page size, offset) |
entry | List of existing search jobs (empty/limited for the test request) |
How the Credential Is Used
The Basic credentials are attached to every subsequent request — creating a search job (POST), polling job status (GET), and fetching results (GET). No session token or cookie is stored; each call carries the Authorization header.
Sync Behavior
The connector supports incremental (delta) syncs. It maintains a sync token between runs and applies it as an incremental timestamp filter, so each run re-processes only the records that changed after the previous sync. The initial run retrieves the complete data set; later runs are incremental. The specific timestamp field applied to each object is documented under that object's Sync Duration Parameter.
How to obtain Splunk credentials
Obtain the required credentials (url, username, password, search) from your Splunk administrator or the Splunk admin console, then enter them in the connection settings above.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Result
| Source Field Name | SDM Attribute |
|---|---|
Computed (MD5 of result values) | UID |
results[*] fields | (dynamic attributes) |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Result
Operation options
This object does not support any operation options.
Delta sync
Supported.
API
- Type: SPL (Splunk Search Processing Language) over the Splunk REST search-jobs API · Endpoint:
POST /services/search/jobs - Default filters:
earliest_time(sync token as ISO-8601, or-24hwhen no token),latest_time=now,output_mode=json
Changelog
The Splunk connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.0.2 | Improvements - Added connector documentation describing the supported search-result model, attribute mapping, and sync behavior to help with onboarding and configuration. | N/A |
| 3.0.1 | Improvements - Maintenance release with internal packaging and release updates. No functional changes. | N/A |
| 3.0.0 | Overview The Splunk connector integrates with Splunk Enterprise / Splunk Cloud through the Splunk REST API to synchronize data produced by a configured SPL (Search Processing Language) search. Each row returned by the search is synced as a record whose attributes are derived dynamically from the fields the search returns, so the synced data adapts to whatever the configured search produces. Category: Security Analytics Models | N/A |