


Last edited: Jul 15, 2020


This topic explains how to use the LaunchDarkly Splunk integration. The Splunk integration exports LaunchDarkly audit events when a LaunchDarkly resource you care about, such as feature flags, projects, or team members, changes. You can use these events to create reports, charts, alerts and dashboards in Splunk.

This integration is for Splunk Enterprise and Splunk Cloud (self-service and managed).
Based on which type of Splunk account you have, endpoint hostnames, ports, and paths may differ from what's depicted in this topic. We'll indicate these differences when they occur in the text below.


To configure the integration successfully, you must have the following prerequisites:

  • A Splunk HTTP Event Collector (HEC). To learn more, read Setting up an HTTP Event Collector in Splunk Web.
  • An HEC token, which is generated during HEC setup.

Setting up an HTTP Event Collector in Splunk Web

To add LaunchDarkly events to Splunk, you must configure and enable Splunk's HTTP Event Collector (HEC) in Splunk Web.

The steps to enable HEC vary based on your Splunk instance. To enable HEC, read Splunk's documentation.

Configuring LaunchDarkly to work with Splunk

To configure LaunchDarkly to start sending events to Splunk:

  1. Navigate to the Integrations page and click to expand the "Splunk" card.

    Splunk integration

  2. Click + Integration. The integration configuration screen appears.

    The Splunk section of the Integrations page.

  3. Give the integration a human-readable Name.

  4. Paste the HTTP event collector URL into the HTTP event collector base URL. This URL varies based on which version of Splunk you have. To learn more about which URL format to use, read Splunk's documentation.

  5. Paste your HEC token in the Token field.

  6. If you're using Splunk Cloud, you will probably need to check the Skip certificate verification checkbox. Splunk Cloud instances are deployed with self-signed SSL certificates, which prevent LaunchDarkly's integration service from reaching Splunk Cloud's HEC service.

  7. If you do not need to further customize your Splunk integration, click Save Splunk Configuration.

That's it! Splunk now receives events from LaunchDarkly.

If you want to further modify the events that Splunk receives from LaunchDarkly, add custom policies to determine which events the integration should export. If after following these steps, you still are not able to locate LaunchDarkly events, see the Troubleshooting section for further guidance.

Adding custom policies to the Splunk integration

By default, the Splunk integration sends production flag change events to Splunk. You can customize those events with the Policy editor, using the same language and construction as if you were creating a custom role.

To learn more, read Custom Roles.

You can customize the events LaunchDarkly sends to Splunk by using the policy editor in the Splunk configuration panel:

Policy editor

Accessing LaunchDarkly events in Splunk

Now that your integration is configured, you can see LaunchDarkly events in Splunk.

Access those events with the following Splunk search query:


LaunchDarkly events in Splunk

After LaunchDarkly events start appearing in Splunk, you can create event annotations in your charts in order to show LaunchDarkly events in context.

To learn more, read Splunk's documentation.

LaunchDarkly events as annotations in Splunk charts


Troubleshooting

If you configure the LaunchDarkly integration and do not see events in Splunk, recreate the LaunchDarkly request with curl.

Use this command to recreate the request:

# -k skips TLS certificate verification for this test request
curl -k \
  -X POST \
  -H "Authorization: Splunk <HTTP_EVENT_COLLECTOR_TOKEN>" \
  -d '{"event": "test"}' \
  https://<HTTP_EVENT_COLLECTOR_BASE_URL>/services/collector/event

  • Splunk Enterprise URL format: <protocol>://<host>:<port>/<endpoint>.
  • Self-service Splunk Cloud URL format: <protocol>://input-<host>:<port>/<endpoint>.
  • Managed Splunk Cloud URL format: <protocol>://http-inputs-<host>:<port>/<endpoint>.

To learn more, read Splunk's documentation.
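
The troubleshooting request above, extended into a small diagnostic (an added example, not LaunchDarkly's or Splunk's own code): it builds the HEC URL for each of the three formats listed and sends the test event with certificate verification left on, so a certificate trust failure can be told apart from an unreachable host or a rejected token. The function names, the HEC_TOKEN environment variable, the https scheme and the sample host are assumptions.

```bash
# Added example; hec_url, hec_diagnose and hec_probe are hypothetical helper names.

# Build the HEC event URL from the three hostname formats listed above.
# usage: hec_url <enterprise|cloud-self-service|cloud-managed> <host> <port>
# Assumption: https is used as the protocol.
hec_url() {
  local kind="$1" host="$2" port="$3" prefix
  case "$kind" in
    enterprise)         prefix="" ;;
    cloud-self-service) prefix="input-" ;;
    cloud-managed)      prefix="http-inputs-" ;;
    *) echo "unknown deployment type: $kind" >&2; return 2 ;;
  esac
  printf 'https://%s%s:%s/services/collector/event\n' "$prefix" "$host" "$port"
}

# Turn curl's exit status and the HTTP status into the next thing to check.
hec_diagnose() {
  local curl_rc="$1" http="$2"
  if [ "$curl_rc" -eq 60 ]; then
    echo "cert-untrusted"      # curl could not verify the server certificate
  elif [ "$curl_rc" -ne 0 ]; then
    echo "unreachable"         # DNS, host, port or firewall; check the URL format
  elif [ "$http" = 200 ]; then
    echo "ok"
  elif [ "$http" = 401 ] || [ "$http" = 403 ]; then
    echo "token-rejected"      # check the token value and that it is Enabled
  else
    echo "request-rejected"    # check HEC settings such as the token's index
  fi
}

# Send the page's test event with certificate verification ON (no -k).
# The token comes from the HEC_TOKEN environment variable and is passed to
# curl on stdin (-H @-, curl 7.55+) so it does not appear in the process list.
hec_probe() {
  local url="$1" http rc=0
  http=$(printf 'Authorization: Splunk %s\n' "$HEC_TOKEN" |
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
      -H @- -d '{"event": "test"}' "$url") || rc=$?
  hec_diagnose "$rc" "$http"
}

# Usage (constructed host): hec_probe "$(hec_url enterprise splunk.example.com 8088)"
```

A result of cert-untrusted means the endpoint's certificate is the obstacle, which is the case the Skip certificate verification checkbox and curl's -k work around; any other result points at the URL, the token or the HEC settings instead.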

In Splunk, confirm that your HEC Global Settings and your specific HEC are set to 'Enabled' and that the Default Index type on your token is 'main'.

To search within Splunk for LaunchDarkly events using sourcetype="launchdarkly", set a custom sourcetype on your HEC token.

Set the Source Type as launchdarkly, set Index to main and set Status to Enabled.

An example token is below:

Example HEC configuration.

Demonstration video

This video presents a demonstration of the integration. To read along, enable YouTube's closed captioning feature on the video.