Read time: 2 minutes
Last edited: Feb 27, 2020
This topic explains how to use the LaunchDarkly Splunk integation. The Splunk integration exports LaunchDarkly audit events when a LaunchDarkly resource you care about, such as feature flags, projects, or team members, changes. You can use these events to create reports, charts, alerts and dashboards in Splunk.
To configure the integration successfully, you must have the following prerequisites:
- A Splunk HTTP Event Collector (HEC). To learn more, read Setting up an HTTP Event Collector in Splunk Web
- An HEC token, which is generated during HEC setup.
To add LaunchDarkly events to Slack, you must configure and enable Splunk's HTTP Event Collector (HEC) in Splunk Web.
The steps to enable HEC vary based on your Splunk instance. To enable HEC, read Splunk's documentation.
To configure LaunchDarkly to start sending events to Splunk:
Navigate to the Integrations page and click to expand the "Splunk" card.
Click + Integration. The integration configuration screen appears.
Give the integration a human-readable Name.
Paste the HTTP event collector URL into the HTTP event collector base URL. This URL varies based on which version of Splunk you have. To learn more about which URL format to use, read Splunk's documentation.
Paste your HEC token in the Token field. 4. If you're using Splunk Cloud, you will probably need to check the Skip certificate verification checkbox. Splunk Cloud instances are deployed with self-signed SSL certificates which prevents LaunchDarkly's integration service from reaching Splunk Cloud's HEC service.
If you do not need to further customize your Splunk integration, click Save Splunk Configuration.
That's it! Splunk now receives events from LaunchDarkly.
If you want to further modify the events that Splunk receives from LaunchDarkly, add custom policies to determine which events the integration should export.
By default, the Splunk integration sends production flag change events to Splunk. You can customize those events with the Policy editor, using the same language and construction as if you were creating a custom role.
To learn more, read Custom Roles .
You can customize the events LaunchDarkly sends to Splunk by using the policy editor in the Splunk configuration panel:
Now that your integration is configured, you can see LaunchDarkly events in Splunk.
Access those events with the following Splunk search query:
After LaunchDarkly events start appearing in Splunk, you can create event annotations in your charts in order to show LaunchDarkly events in context. To learn more, read Splunk's documentation.