Skip to main content

Overview

The Splunk destination forwards Ocean events to a Splunk HTTP Event Collector (HEC) endpoint. Events are POSTed as newline-delimited JSON in the standard HEC envelope, so they appear in Splunk indexed-time fields just like any other HEC source. For an introduction to event types, payloads, and delivery semantics, see the SIEM Forwarding Overview.

Prerequisites

Before configuring the destination in Ocean, set up the HEC endpoint in Splunk:
  • A Splunk HEC endpoint URL in the form https://<your-splunk-host>:8088/services/collector (or your platform-specific HEC URL).
  • An HEC token with permission to write to the target index.
  • (Optional) A dedicated index for Ocean events.
Splunk’s HEC must be reachable from the public internet. If your Splunk instance is private, expose the HEC endpoint via a load balancer or VPN that Ocean’s egress IPs can reach.
For full details on setting up an HEC endpoint, see Splunk’s official guide: Use the HTTP Event Collector.

Create the HEC token in Splunk

1

Open HEC settings

In Splunk, go to Settings → Data Inputs → HTTP Event Collector.
2

Enable HEC (if needed)

Click Global Settings and make sure All Tokens is set to Enabled.
3

Create a new token

Click New Token, give it a name (e.g. ocean-security), and click Next.
4

Pick indexes & sourcetype

Choose the target index (or create a new ocean index) and optionally set a sourcetype like ocean:siem. Click Review and then Submit.
5

Copy the token value

Copy the Token Value — you will paste it into the Ocean Portal in the next section. Splunk does not show this value again.

Configure the destination in Ocean

1

Open the SIEM section

In the Ocean Portal, navigate to Integrations and find the SIEM section.
2

Connect Splunk

Click Connect on the Splunk HTTP Event Collector card.
3

Fill in the basics

FieldValue
NameA friendly name for this destination (e.g. SOC Splunk Prod).
URLYour HEC endpoint, e.g. https://splunk.your-org.com:8088/services/collector.
HEC TokenPaste the token you copied from Splunk.
4

Pick events to forward

Under Events to forward, select at least one:
  • Inbound Protection — malicious cases
  • Inbound Protection — spam cases
  • AI Response — report phishing
  • AI Response — quarantine release
  • Audit Logs
5

Save

Click Create. The destination starts forwarding within a few minutes.

How events arrive in Splunk

Ocean sends events to your HEC endpoint as standard Splunk events. Each event includes:
  • The full Ocean event payload — see the event payload reference.
  • An event_id indexed field (a stable per-event ID — handy for deduplication).
  • An event_type indexed field (one of inbound_protection, report_phishing, quarantine_release, audit_log).
  • The index and sourcetype set on your HEC token in Splunk.

Search examples

These searches filter by Ocean’s event_type indexed field, so they work regardless of which index or sourcetype your HEC token uses. Replace index=ocean with the index your token writes to. Find malicious inbound emails Ocean remediated in the last 24 hours: 
index=ocean event_type="inbound_protection"
  is_remediated=true verdict="malicious"
  earliest=-24h
| table _time recipient.address sender.address subject remediation_action
Count quarantine releases by reviewer: 
index=ocean event_type="quarantine_release" action.released=true
| stats count by review_details.reviewer_name
Top phishing reporters this week: 
index=ocean event_type="report_phishing"
  earliest=-7d
| stats count by reporter.address
| sort -count

Troubleshooting

SymptomLikely causeResolution
Destination shows Authentication failedWrong HEC token, or token disabled.Regenerate the token in Splunk and update the destination.
Destination shows Endpoint unreachableHEC URL is wrong or not reachable from the public internet.Verify the URL, port, and that the HEC endpoint accepts external traffic.
Destination shows Permission deniedToken doesn’t have permission for the target index.Edit the token’s allowed indexes in Splunk.
Events arrive in the wrong indexThe HEC token’s default index is different than expected.Update the token’s index in Splunk.
No events yetFirst export is still pending.Wait a few minutes after creating the destination.
For the full event schema, see the SIEM Forwarding Overview.