@grantex/destinations package includes a SplunkDestination that sends Grantex events to Splunk via the HTTP Event Collector (HEC). This guide covers HEC setup, configuration options, and example saved searches.
Prerequisites
- A Splunk instance (Cloud or Enterprise) with HTTP Event Collector enabled
- An HEC token with permission to write to your target index
- The
@grantex/destinationspackage installed:
Splunk HEC Setup
If you have not yet enabled HEC in your Splunk instance:- In Splunk Web, go to Settings > Data Inputs > HTTP Event Collector
- Click Global Settings and set All Tokens to Enabled
- Click New Token and follow the wizard:
- Name:
grantex - Source type:
_json - Index:
grantex(or your preferred index)
- Name:
- Copy the generated token
For Splunk Cloud, HEC is available at
https://http-inputs-<your-host>.splunkcloud.com:8088. For Splunk Enterprise, the default port is 8088.Setup
Configuration Options
How It Works
TheSplunkDestination buffers incoming events and flushes them as newline-delimited JSON to the HEC endpoint (POST /services/collector/event).
Each Grantex event is wrapped in the HEC envelope:
Filtering Event Types
To send only specific events to Splunk, filter at theEventSource level:
Field Extraction
Create a field extraction in Splunk to make Grantex event fields searchable:- Go to Settings > Fields > Field Extractions
- Create a new extraction for sourcetype
_json:
spath in your searches:
Example Saved Searches
Grant Activity Over Time
View grant creation and revocation trends:Top Agents by Token Issuance
Identify the most active agents:Grant Revocation Spike Detection
Alert when revocations spike above a baseline:- Trigger condition: Number of results > 0
- Throttle: 5 minutes
- Action: Send email or trigger a webhook
Budget Exhaustion Events
Catch budget exhaustion immediately:Scope Usage Analysis
Analyze which scopes are most frequently granted:Principal Activity Audit
Track all events for a specific user:Splunk Dashboard
Build a Grantex security dashboard with these panels:Graceful Shutdown
Ensure buffered events are flushed before your process exits:Next Steps
- Event Streaming — SSE/WebSocket architecture overview
- Datadog Integration — forward events to Datadog
- S3 & BigQuery Archival — long-term compliance storage
- Metrics & Observability — Prometheus metrics and Grafana dashboards