# Splunk

> The Splunk provider allows you to get Splunk `saved searches` via webhook installation.

## Authentication

This provider requires authentication.

* **api\_key**: Splunk API Key (required: True, sensitive: True)
* **host**: Splunk Host (default is localhost) (required: False, sensitive: False)
* **port**: Splunk Port (default is 8089) (required: False, sensitive: False)
* **verify**: Enable SSL verification (required: False, sensitive: False)
* **username**: The username connected with the API key/token provided. (required: False, sensitive: False)

Certain scopes may be required to perform specific actions or queries via the provider. Below is a summary of relevant scopes and their use cases:

* **list\_all\_objects**: The user can get all alerts (mandatory)
* **edit\_own\_objects**: The user can edit saved\_searches and add webhooks to them (mandatory)

## In workflows

This provider can't be used as a "step" or "action" in workflows. If you want to use it, please let us know by creating an issue in the [GitHub repository](https://github.com/keephq/keep/issues).

## Connecting with the Provider

Obtain Splunk API Token:

1. Ensure you have a Splunk account with the necessary [permissions](https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Rolesandcapabilities). The basic permissions required are `list_all_objects` & `edit_own_objects`.
2. Get an API token for authenticating API requests. [Read More](https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Setupauthenticationwithtokens) on how to set up and get API Keys.

Identify Your Splunk Instance Details:

1. Determine the Host (IP address or hostname) and Port (default is 8089 for Splunk's management API) of the Splunk instance you wish to connect to.
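Before handing the token to Keep, you can check that it carries the two capabilities listed above and nothing broader. The following is an added example, not code from Keep or Splunk: it assumes Splunk's REST endpoint `/services/authentication/current-context` with bearer-token authentication, and the `EXCESSIVE` set and the `keep_svc` user are illustrative assumptions.

```python
import json
import ssl
import urllib.request

REQUIRED = {"list_all_objects", "edit_own_objects"}  # capabilities named on this page
# Assumption: a sample of broad capabilities this token should not need.
EXCESSIVE = {"admin_all_objects", "edit_user", "edit_roles"}


def audit_capabilities(context_json):
    """Compare a current-context response with what the provider needs."""
    content = json.loads(context_json)["entry"][0]["content"]
    caps = set(content.get("capabilities", []))
    return {
        "username": content.get("username"),
        "missing": sorted(REQUIRED - caps),
        "excessive": sorted(EXCESSIVE & caps),
    }


def fetch_current_context(host, token, port=8089, cafile=None):
    """Query the management API for the token's own context, TLS verification on."""
    ctx = ssl.create_default_context(cafile=cafile)  # checks certificate and hostname
    url = (f"https://{host}:{port}"
           "/services/authentication/current-context?output_mode=json")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample response, not captured from a real instance.
SAMPLE = json.dumps({"entry": [{"content": {
    "username": "keep_svc",
    "capabilities": ["list_all_objects", "admin_all_objects", "search"],
}}]})

if __name__ == "__main__":
    # Against a live instance: audit_capabilities(fetch_current_context(host, token))
    print(audit_capabilities(SAMPLE))
```

If the management port uses a privately signed certificate, pass that CA bundle as `cafile` so verification stays enabled.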

***

**NOTE**
Make sure to follow this [Guide](https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/ConfigureWebhookAllowList) to configure your webhook allow list to allow your `keep` deployment.

***

## Useful Links

* [Splunk Python SDK](https://dev.splunk.com/view/python-sdk/SP-CAAAEBB)
* [Splunk Webhook](https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/Webhooks)
* [Splunk Webhook Allow List](https://docs.splunk.com/Documentation/Splunk/9.2.0/Alert/ConfigureWebhookAllowList)
* [Splunk Permissions and Roles](https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Rolesandcapabilities)
* [Splunk API tokens](https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Setupauthenticationwithtokens)
