Skip to main content
The @grantex/destinations package includes a SplunkDestination that sends Grantex events to Splunk via the HTTP Event Collector (HEC). This guide covers HEC setup, configuration options, and example saved searches.

Prerequisites

  • A Splunk instance (Cloud or Enterprise) with HTTP Event Collector enabled
  • An HEC token with permission to write to your target index
  • The @grantex/destinations package installed:

Splunk HEC Setup

If you have not yet enabled HEC in your Splunk instance:
  1. In Splunk Web, go to Settings > Data Inputs > HTTP Event Collector
  2. Click Global Settings and set All Tokens to Enabled
  3. Click New Token and follow the wizard:
    • Name: grantex
    • Source type: _json
    • Index: grantex (or your preferred index)
  4. Copy the generated token
For Splunk Cloud, HEC is available at https://http-inputs-<your-host>.splunkcloud.com:8088. For Splunk Enterprise, the default port is 8088.

Setup

Configuration Options

How It Works

The SplunkDestination buffers incoming events and flushes them as newline-delimited JSON to the HEC endpoint (POST /services/collector/event). Each Grantex event is wrapped in the HEC envelope:
Multiple events are sent in a single request as newline-delimited JSON for efficiency.

Filtering Event Types

To send only specific events to Splunk, filter at the EventSource level:

Field Extraction

Create a field extraction in Splunk to make Grantex event fields searchable:
  1. Go to Settings > Fields > Field Extractions
  2. Create a new extraction for sourcetype _json:
Or use spath in your searches:

Example Saved Searches

Grant Activity Over Time

View grant creation and revocation trends:

Top Agents by Token Issuance

Identify the most active agents:

Grant Revocation Spike Detection

Alert when revocations spike above a baseline:
Save this as an alert with:
  • Trigger condition: Number of results > 0
  • Throttle: 5 minutes
  • Action: Send email or trigger a webhook

Budget Exhaustion Events

Catch budget exhaustion immediately:

Scope Usage Analysis

Analyze which scopes are most frequently granted:

Principal Activity Audit

Track all events for a specific user:

Splunk Dashboard

Build a Grantex security dashboard with these panels:

Graceful Shutdown

Ensure buffered events are flushed before your process exits:

Next Steps

Last modified on March 1, 2026