# Splunk Cloud Platform and Splunk Enterprise

Splunk Cloud Platform and Splunk Enterprise are data analytics platforms that collect, index, and analyze machine data from any source to deliver operational intelligence. They support ingesting OpenTelemetry data as events or metrics for real-time monitoring, search, and visualization. This guide explains how to integrate ThousandEyes data with Splunk Cloud Platform or Splunk Enterprise using OpenTelemetry.

## Prepare Your Splunk Instance

To configure ThousandEyes for Splunk, ensure that the **HTTP Event Collector (HEC)** is enabled in your Splunk instance. Follow these resources for more information:

* [Configure HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Cloud_Platform)
* [Configure HTTP Event Collector on Splunk Enterprise](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_Splunk_Enterprise)

After enabling the **HTTP Event Collector (HEC)**, follow these steps to prepare your Splunk instance:

1. (Optional) Create an index to specify whether the data will be received as events or metrics. For detailed instructions on creating an index, see [Splunk: Set up multiple indexes](https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setupmultipleindexes).

   ![Index](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-12f3f9cb1f48a5f59e48dce3f4e368ca103e4b13%2Fsplunk-index.png?alt=media)
2. Create an HTTP Event Collector (HEC) token in your Splunk instance.
3. (Optional) Associate the token with the created index for data routing.
4. Identify the target endpoint. Use the appropriate target endpoint based on your Splunk deployment:
   * Splunk Cloud Platform:
     * `events`: `https://http-inputs-<host>.splunkcloud.com:443/services/collector/event`
     * `metrics`: `https://http-inputs-<host>.splunkcloud.com:443/services/collector`
   * Splunk Enterprise:
     * `events`: `https://<host>:8088/services/collector/event`
     * `metrics`: `https://<host>:8088/services/collector`

**Note**: ThousandEyes for OpenTelemetry currently does not support Splunk trial accounts due to an issue with TLS self-signed certificates.

## Create an Integration

### Create an Integration Using the ThousandEyes UI

You can use the ThousandEyes UI to create a connector and operation that streams telemetry data to Splunk Enterprise or Splunk Cloud Platform.

#### Step 1: Create a Connector

1. In the ThousandEyes platform, go to **Manage > Integrations > Integrations 2.0**.
2. Click **+ New Connector** to select the type of a connector to configure.
3. Click **Splunk Cloud Platform HEC** or **Splunk Enterprise HEC** depending on your target.

   ![Select Splunk HEC Connector](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-8cb5755374a4c57c22f4afd04897b7bf7a2042b3%2Fproduct-documentation_integration-guides_custom-built-integrations_splunk-connector_select.png?alt=media)
4. Fill out the following mandatory fields:
   * **Name**: A name for your connector.
   * **Target**: The target URL of the integration, which may include the port, such as `https://http-inputs-<host>.splunkcloud.com:443/services/collector/event` for Splunk Cloud Platform or `https://<splunk_hostname>/services/collector/event` for Splunk Enterprise.
   * **Note**: When you create a stream, the target URL must satisfy the [Stream endpoint URL requirements](https://docs.thousandeyes.com/product-documentation/integration-guides/opentelemetry/url-target-requirements).
   * **Token**: Enter the Splunk HEC token.

     ![Creating a ThousandEyes for OpenTelemetry to Splunk Enterprise connector](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-ac8e189b6ec203cddb6101bb725d65e8f7765a3c%2Fproduct-documentation_integration-guides_custom-built-integrations_splunk-enterprise-add-connector-view.png?alt=media)
5. Click **Save & Assign Operation** to save the connector. This connector is now visible in the list view (**Connectors** tab).

#### Step 2: Create an Operation

After you create a connector, set up an operation to stream data to the target and assign it to the connector.

1. Click **+ New Operation**.
2. Choose **Splunk Enterprise, Splunk Cloud Platform** to open the configuration form.
3. Complete the configuration form:
   * **Mandatory fields**:
     * **Operation Name**: A name for your operation.
   * **Optional fields**:
     * **Index**: Specify the [Index](https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutindexesandindexers) on your Splunk instance where the data will be stored.
     * **Source**: Define the [source](https://docs.splunk.com/Splexicon:Source) of the data.
     * **Source Type**: Specify the [source type](https://docs.splunk.com/Splexicon:Sourcetype) of the data.
     * **OpenTelemetry Signal**: Select how the telemetry data will be sent to the target. Possibles values are **Metric**, **Trace**, and **Log**.
     * **Integration Status**: Toggle the integration status to enable or disable the integration upon creation.
4. (Metric signal only) Under **Test Data Configuration**, configure what data is streamed by selecting tests and tags associated with your current account group:

   * **Network & App Synthetics Tests:** Select Network & App Synthetics test data available in your account group to stream to the target.
   * **Endpoint Experience Tests:** Select Endpoint Experience test data from your account group to stream to the target.
   * **Tags:** Select tags from your current account group to associate with the integration. Data from Network & App Synthetics tests and Endpoint Experience tests tagged with the same tags you select in this dropdown will be streamed to the configured target.

   For more information on creating a test, see [General Setup Instructions](https://docs.thousandeyes.com/product-documentation/integration-guides/opentelemetry/observability-platforms#general-setup-instructions).

#### Step 3: (Optional) Test Communication with the Target

You can test the connection to your target to ensure it is configured correctly.

1. Click **Test** at the bottom of the configuration form.
2. A test message is sent to the target to verify the connection.
   * If successful, a confirmation message appears.

     ![Test Success Message](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-806bbecfd60cea48f6a2d557063e231d2e48c50d%2Fproduct-documentation_integration-guides_custom-built-integrations_splunk-enterprise-test-success.png?alt=media)
   * If unsuccessful, an error message appears with details.

     ![Test Failure Message](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-fc1f9ceeab73a16ddac69253c84922d242fcbb77%2Fproduct-documentation_integration-guides_custom-built-integrations_splunk-enterprise-test-fail.png?alt=media)

#### Step 4: Save the Operation

Click **Save** to complete the integration. The operation is now visible in the **Operations** tab.

#### Manage Integrations in the UI

For more information on managing Splunk Observability Cloud or Enterprise OpenTelemetry integrations, including listing, editing, and deleting integrations, see [Manage Integrations Using the UI - Integrations 2.0](https://docs.thousandeyes.com/product-documentation/integration-guides/opentelemetry/manage-integrations#manage-integrations-using-the-ui-integrations-2.0).

### Create an Integration Using the ThousandEyes API

For a programmatic integration, use the following API command:

#### Metric Integration

```curl
curl -i -XPOST https://api.thousandeyes.com/v7/stream -H "Content-Type: application/json" -H "Authorization: Bearer $BEARER_TOKEN" -d '{
 "type": "splunk-hec",
 "testMatch": [
     {
       "id": "987654",
       "domain": "cea"
     }
 ],
 "endpointType": "http",
 "streamEndpointUrl": "https://http-inputs-{HOST}.splunkcloud.com:443/services/collector/event",
 "exporterConfig" : {
   "splunkHec": {
     "token": "{TOKEN}",
   }
 }
}'
```

#### Log Integration

```
curl -i -XPOST https://api.thousandeyes.com/v7/stream -H "Content-Type: application/json" -H "Authorization: Bearer $BEARER_TOKEN" -d '{
 "type": "splunk-hec",
 "signal": "log",
 "endpointType": "http",
 "streamEndpointUrl": "https://http-inputs-{HOST}.splunkcloud.com:443/services/collector/event",
 "exporterConfig" : {
   "splunkHec": {
     "token": "{TOKEN}",
   }
 }
}'
```

When you create a stream from Splunk Enterprise or Splunk Cloud, ensure the following:

* The `type` is `"splunk-hec"`.
* The `endpointType` is `"http"` .
* `exporterConfig.splunkHec.token` is set to the value of *Splunk HEC Token*.
* In case you had created an index and it is associated with the HEC token, when creating a stream, specify the name of the index in the `exporterConfig.splunkHec.index` field.
* The `streamEndpointUrl` satisfies the [Stream endpoint URL requirements](https://github.com/thousandeyes/docs/blob/prod/product-documentation/integration-guides/opentelemetry/observability-platforms/?tab=t.oye8wuujbh7v).
* The `signal` can be `metric`, `trace`, or `log`. If not specified, it defaults to `metric`.

## Receiving data in Splunk

Now, you can start receiving ThousandEyes data in Splunk products

### Receiving ThousandEyes data as events

Search using the Query `source=ThousandEyesOTel` or the index `index="thousandeyes_otel_events_index"`.

![Search in Splunk](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-5f3a525cf8a2bfb651b5cc418583f63b2c863908%2Fproduct-documentation_integration-guides_custom-built-integrations_opentelemetry-integrations-splunk-events-search.png?alt=media\&token=45619b5d-d00f-44e0-88f3-487f81bd57fd)

![ThousandEyes metric attributes in Splunk](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-c1643415240ede90732bdb70369a3f32f31a5f68%2Fproduct-documentation_integration-guides_custom-built-integrations_opentelemetry-integrations-splunk-events-attributes.png?alt=media\&token=1aa0545a-0c73-467d-802e-1253fa25ef26)

![ThousandEyes log attributes in Splunk](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-95ee63c53b06e1bf6f91fd0dba349b9b6b8ea266%2Fsplunk-log-event-attributes.png?alt=media)

### Receiving ThousandEyes data as metrics

Search the metrics using the Query `| mcatalog values(metric_name) WHERE index=*` or the values of a metrics `| mstats avg(_value) WHERE index=* AND metric_name=network.latency span=30s`. For more information, see [Splunk: Search and monitor metrics](https://docs.splunk.com/Documentation/Splunk/9.3.0/Metrics/Search).

![Search the metrics](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-1020c97e3f74e00f87d845e3111186b1741cff50%2Fproduct-documentation_integration-guides_custom-built-integrations_opentelemetry-integrations-splunk-metrics-search-names.png?alt=media\&token=15eec055-8a1e-487a-8b42-8f30abf87bf6)

![ThousandEyes metric values in Splunk](https://1112912342-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-M4QARF6s57qxMrOHDTZ%2Fuploads%2Fgit-blob-3ef3a68a2fccd6f9ee327cf3b1c4838288affcc8%2Fproduct-documentation_integration-guides_custom-built-integrations_opentelemetry-integrations-splunk-metrics-search-values.png?alt=media\&token=fdf05618-ac3d-4880-89bf-b227c5354b1a)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.thousandeyes.com/product-documentation/integration-guides/opentelemetry/observability-platforms/splunk-cloud-or-enterprise.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.