This guide walks you through connecting Splunk to Clarion using the HTTP Event Collector (HEC). Once connected, Clarion agents can forward the alert they are triaging — its details plus the original payload Clarion ingested — to Splunk as an event, so your alerts and investigations land in your SIEM alongside the rest of your data.
Estimated time: 5 minutes. You will need access to Splunk → Settings → Data Inputs → HTTP Event Collector and the ability to create a token.

Prerequisites

  • A Splunk deployment (Splunk Cloud or Splunk Enterprise) with the HTTP Event Collector enabled
  • Permission to create an HEC token
  • Your HEC endpoint URL, including the port (Splunk Cloud and most self-hosted deployments use 8088)
  • The HEC endpoint must be reachable from Clarion’s servers
  • A Clarion workspace with the Splunk integration page open

Step 1 — Create an HEC token in Splunk

  1. Sign in to Splunk.
  2. Go to Settings → Data Inputs → HTTP Event Collector.
  3. Confirm the collector is enabled under Global Settings (toggle All Tokens to Enabled). Note the HTTP Port Number (default 8088).
  4. Click New Token.
  5. Give the token a name (for example, Clarion Integration) and complete the wizard. You can optionally set a default index, source, and sourcetype.
  6. Copy the generated token value.
Treat the HEC token like a password. Anyone with the token and endpoint can send events into your Splunk indexes.

Step 2 — Find your HEC URL

The HEC endpoint depends on your Splunk deployment. Your stack’s web URL is not the HEC endpoint.

| Deployment | HEC URL | Port |
|---|---|---|
| Splunk Cloud (production) | https://http-inputs-<stack>.splunkcloud.com | 443 (default) |
| Splunk Cloud on GCP/Azure | https://http-inputs.<stack>.splunkcloud.com | 443 (default) |
| Splunk Cloud free trial | https://<stack>.splunkcloud.com | 8088 |
| Self-hosted Splunk Enterprise | https://<your-splunk-host> | 8088 |

<stack> is the identifier in your Splunk Cloud URL (e.g. prd-p-abc12 in prd-p-abc12.splunkcloud.com). Note the required http-inputs- prefix for production Cloud stacks.
Splunk Cloud free-trial stacks (and many on-prem deployments) present a self-signed certificate. For those, enable Allow self-signed certificate on the configuration form (see Step 3). Production Cloud stacks have valid certificates — leave it off.

Step 3 — Enter credentials in Clarion

  1. In Clarion, open Integrations and find Splunk under Security & Monitoring.
  2. Enter your HEC URL from the table above. The https:// scheme is optional (Clarion adds it), and you don’t need the /services/collector path — Clarion appends it. Include :8088 only for trial/self-hosted stacks.
  3. Paste the HEC token from Step 1.
  4. Optionally set a default index, source, and sourcetype. Leave these blank to use the defaults configured on the token.
  5. If your stack serves a self-signed cert (trial / on-prem), enable Allow self-signed certificate.
  6. Click Connect.
Clarion validates the endpoint and token by sending a single test event before saving. If the endpoint is unreachable or the token is rejected, you’ll see a clear error and nothing is persisted.

Step 4 — Verify events reached Splunk

Because Connect sends one test event, you can confirm data is landing right away.
  1. In Splunk, open Search & Reporting.
  2. Search the last 15 minutes for the test event:
    index=* "Clarion Splunk HEC connection test"
    
    If you set a default index on the integration, scope to it (e.g. index=security ...). Otherwise events land in the index bound to your HEC token — use index=* if you’re unsure which.
  3. One matching event (with forwarded_by=clarion) confirms the endpoint, token, and index are all working.
To verify agent-forwarded alerts later, search for the events Clarion sends during triage:
index=* forwarded_by=clarion
Each event is JSON, so Splunk auto-extracts fields you can filter and report on:

| Field | Example | Meaning |
|---|---|---|
| forwarded_by | clarion | Marks events Clarion sent |
| subject_kind | alert / issue | What was forwarded |
| subject.reference | ALR-1423 | Clarion alert/issue reference |
| subject.severity | high | Severity at forward time |
| subject.url | https://app.clarion.com/<ws>/alerts/1423 | Link back to Clarion |
| triage_summary | Confirmed benign… | The agent’s note, when provided |
| original_payload.* | | The untouched payload Clarion ingested |

To find one specific alert, search by its reference — for example index=* "ALR-1423". If you set a sourcetype (e.g. clarion:alert), sourcetype="clarion:alert" also scopes to Clarion’s events.

What agents can do

Once connected, agents on this workspace gain access to the /splunk action. When an agent uses it during triage, Clarion forwards a single event to your HEC endpoint containing:
  • Alert details — number, title, description, severity, status, source, disposition, and a link back to the alert in Clarion
  • The original payload — the untouched event Clarion ingested for the alert
  • The agent’s triage summary — an optional note the agent attaches describing its findings
The agent can override the destination index, source, or sourcetype per event; otherwise the defaults you configured are used. The event is sent to your collector’s /services/collector/event endpoint. To make an agent forward alerts, add the Splunk action to a skill the agent runs (for example, a skill that forwards every confirmed incident to your SIEM).
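
To check an endpoint and token from your own host before entering them in Clarion, the following added example (not Clarion's code) posts one event to /services/collector/event using the URL rules from Step 3. The function names, the HEC_URL and HEC_TOKEN environment variables, the status-to-cause mapping, the https-only check, and the test event are assumptions of this example.

```python
import json
import os
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HEC_PATH = "/services/collector/event"
# Assumed mapping of HTTP status codes to the causes listed under Troubleshooting.
CAUSES = {401: "token rejected", 403: "token rejected",
          404: "not an HEC collector (wrong host, or HEC disabled)"}

def hec_event_url(entered):
    """Base URL as typed in Step 3 -> full event endpoint (https only)."""
    entered = entered.strip()
    if "://" not in entered:
        entered = "https://" + entered           # the scheme is optional
    parts = urlsplit(entered)
    if parts.scheme != "https" or not parts.hostname:
        # The token travels in a request header, so plaintext HTTP is refused here.
        raise ValueError("HEC URL must be an https:// host")
    return f"https://{parts.netloc}{HEC_PATH}"   # any typed path is dropped

def build_envelope(event, index=None, source=None, sourcetype=None):
    """HEC JSON envelope; blank metadata is omitted so the token defaults apply."""
    envelope = {"event": event}
    for key, value in (("index", index), ("source", source), ("sourcetype", sourcetype)):
        if value:
            envelope[key] = value
    return envelope

def send(entered_url, token, envelope, allow_self_signed=False):
    """POST one event; returns (http_status_or_None, explanation)."""
    ctx = ssl.create_default_context()           # verifies chain and hostname
    if allow_self_signed:                        # this example disables verification entirely
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        hec_event_url(entered_url), data=json.dumps(envelope).encode(),
        headers={"Authorization": f"Splunk {token}"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status, "accepted"
    except urllib.error.HTTPError as exc:
        return exc.code, CAUSES.get(exc.code, "rejected by Splunk")
    except OSError as exc:                       # DNS, connect, timeout, TLS
        return None, f"unreachable or TLS failure: {exc}"

if __name__ == "__main__":
    # Constructed test event; it is not marked forwarded_by=clarion, so it stays out of those searches.
    event = {"message": "manual HEC pre-check", "forwarded_by": "manual-precheck"}
    print(send(os.environ["HEC_URL"], os.environ["HEC_TOKEN"], build_envelope(event)))
```

Reading the token from the environment keeps it out of shell history and process listings.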

Disconnect

To remove the integration:
  1. In Clarion, open Integrations → Splunk.
  2. Click Disconnect.
This deletes the stored HEC URL and token. Agents on this workspace will no longer see the /splunk action, and any saved skills that reference it will surface the integration as missing until you reconnect.

Troubleshooting

“Splunk rejected the HEC token”

The token is disabled or incorrect. In Settings → Data Inputs → HTTP Event Collector, confirm the token is Enabled, that All Tokens is enabled under Global Settings, and that you copied the full token value.

“Splunk returned 404 — that URL isn’t an HEC collector”

You’re pointing at the wrong host — most often the stack’s web UI instead of HEC. Use the HEC URL from the table in Step 2 (for production Splunk Cloud, the https://http-inputs-<stack>.splunkcloud.com form), and confirm HEC is enabled (Global Settings → All Tokens → Enabled). Clarion appends /services/collector/event, so enter only the base URL.

“Self-signed certificate” / TLS errors

Your stack presents a certificate Clarion doesn’t trust — common on Splunk Cloud free-trial stacks and on-prem deployments. Enable Allow self-signed certificate on the configuration form. Leave it off for production Cloud stacks (which have valid certificates).

“Failed to reach the Splunk HEC endpoint”

The endpoint isn’t reachable from Clarion’s servers. If your collector is on a private network, expose it (or its HEC port) so Clarion can deliver events, then reconnect.