• Home
  • Integrations
  • SDKs
  • Guides
  • API docs
No results for ""



Read time: 3 minutes
Last edited: May 13, 2022
The Splunk integration is a Pro and Enterprise feature

The Splunk integration is available to customers on a Pro or Enterprise plan. To learn more, read about our pricing. To upgrade your plan, contact Sales.


This topic explains how to use the LaunchDarkly Splunk integration. The Splunk integration exports LaunchDarkly audit events when a LaunchDarkly resource you care about, such as feature flags, projects, or account members, changes. You can use these events to create reports, charts, alerts and dashboards in Splunk.

This integration is for Splunk Enterprise and Splunk Cloud (self-service and managed)

Based on which type of Splunk account you have, endpoint hostnames, ports, and paths may differ from what's depicted in this topic. We indicate these differences when they occur in the text below.


To configure the integration, you must have the following prerequisites:

  • A Splunk HTTP Event Collector (HEC). To learn more, read Setting up an HTTP Event Collector in Splunk Web
  • An HEC token, which is generated during HEC setup.

Setting up an HTTP Event Collector in Splunk Web

To add LaunchDarkly events to Slack, you must configure and enable Splunk's HTTP Event Collector (HEC) in Splunk Web.

The steps to enable HEC vary based on your Splunk instance. To enable HEC, read Splunk's documentation.

Configuring LaunchDarkly to work with Splunk

To configure LaunchDarkly to start sending events to Splunk:

  1. Navigate to the Integrations page and find "Splunk."
The "Splunk" section, showing the "Add integration" button.
The "Splunk" section, showing the "Add integration" button.
  1. Click Add integration. The "Create Splunk configuration" panel appears.
The "Create Splunk configuration" panel.
The "Create Splunk configuration" panel.
  1. (Optional) Give the integration a human-readable Name.

  2. Paste the HTTP event collector URL into the HTTP event collector base URL. This URL varies based on which version of Splunk you have. To learn more about which URL format to use, read Splunk's documentation.

  3. Paste your HEC token in the Token field.

  4. If you're using Splunk Cloud, you will probably need to check the Skip certificate verification checkbox. Splunk Cloud instances are deployed with self-signed SSL certificates which prevents LaunchDarkly's integration service from reaching Splunk Cloud's HEC service.

  5. (Optional) Configure a custom policy to control which event information LaunchDarkly sends to Splunk. To learn more about this option, read Adding custom policies to the Splunk integration.

  6. After reading the Integration Terms and Conditions, check the I have read and agree to the Integration Terms and Conditions checkbox.

  7. Click Save configuration.

Splunk now receives events from LaunchDarkly.

If you want to further modify the events that Splunk receives from LaunchDarkly, add custom policies to determine which events the integration should export. If after following these steps, you still are not able to locate LaunchDarkly events, read the Troubleshooting section for further guidance.

Adding custom policies to the Splunk integration

By default, the Splunk integration sends production flag change events to Splunk. You can customize those events with the Policy editor, using the same language and construction as if you were creating a custom role.

To learn more, read Custom Roles.

You can customize the events LaunchDarkly sends to Splunk by using the policy editor in the Splunk configuration panel:

The policy editor.
The policy editor.

Accessing LaunchDarkly events in Splunk

Now that your integration is configured, you can view LaunchDarkly events in Splunk.

Access those events with the following Splunk search query:

LaunchDarkly events in Splunk
LaunchDarkly events in Splunk

After LaunchDarkly events start appearing in Splunk, you can create event annotations in your charts in order to show LaunchDarkly events in context.

To learn more, read Splunk's documentation.

LaunchDarkly events as annotations in Splunk charts
LaunchDarkly events as annotations in Splunk charts


If you configure the LaunchDarkly integration and events in Splunk do not appear, recreate the LaunchDarkly request with a curl.

Use this command to recreate the request:

curl -k \
-H "Authorization: Splunk <HTTP_EVENT_COLLECTOR_TOKEN>" \
-d '{"event": "test"}' \
  • Splunk Enterprise URLs format: <protocol>://<host>:<port>/<endpoint>.
  • Self-service Splunk Cloud URLs format: <protocol>://input-<host>:<port>/<endpoint>.
  • Managed Splunk Cloud URLs format: <protocol>://http-inputs-<host>:<port>/<endpoint>.

To learn more, read Splunk's documentation.

In Splunk, confirm that your HEC Global Settings and your specific HEC are set to 'Enabled' and that the Default Index type on your token is 'main'.

To search within Splunk for LaunchDarkly events using sourcetype="launchdarkly", set a custom sourcetype on your HEC token.

Set the Source Type as launchdarkly, set Index to main and set Status to Enabled.

An example token is below:

Example HEC configuration.
Example HEC configuration.

Demonstration video

This video presents a demonstration of the integration. To read along, enable YouTube's closed captioning feature on the video.