The @grantex/destinations package includes a SplunkDestination that sends Grantex events to Splunk via the HTTP Event Collector (HEC). This guide covers HEC setup, configuration options, and example saved searches.
Prerequisites
- A Splunk instance (Cloud or Enterprise) with HTTP Event Collector enabled
- An HEC token with permission to write to your target index
- The @grantex/destinations package installed:
Splunk HEC Setup
If you have not yet enabled HEC in your Splunk instance:
- In Splunk Web, go to Settings > Data Inputs > HTTP Event Collector
- Click Global Settings and set All Tokens to Enabled
- Click New Token and follow the wizard:
  - Name: grantex
  - Source type: _json
  - Index: grantex (or your preferred index)
- Copy the generated token
For Splunk Cloud, HEC is available at https://http-inputs-<your-host>.splunkcloud.com:8088. For Splunk Enterprise, the default port is 8088.
Setup
Configuration Options
| Option | Type | Default | Description |
|---|---|---|---|
| hecUrl | string | required | Splunk HEC URL (e.g., https://splunk.example.com:8088) |
| hecToken | string | required | HEC authentication token |
| index | string | main | Splunk index to write events to |
| source | string | grantex | Source field for ingested events |
| sourcetype | string | _json | Sourcetype for ingested events |
| batchSize | number | 100 | Number of events to buffer before flushing |
| flushIntervalMs | number | — | Flush buffered events on a timer (milliseconds) |
How It Works
The SplunkDestination buffers incoming events and flushes them as newline-delimited JSON to the HEC endpoint (POST /services/collector/event).
Each Grantex event is wrapped in the HEC envelope:
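The buffering and HEC envelope described above can be illustrated as follows. This is an added example, not code from the @grantex/destinations package: the helper names, the createdAt timestamp field, and the sample events are assumptions, while the option names and defaults come from the configuration table. The HTTPS check is an added safeguard so the HEC token is never sent in cleartext.

```javascript
// Added example: helper names are hypothetical, not the @grantex/destinations API.
// Option names and defaults are taken from the configuration table on this page.
const DEFAULTS = { index: 'main', source: 'grantex', sourcetype: '_json', batchSize: 100 };

// Wrap one event in the HEC envelope. Reading the time from event.createdAt is an
// assumption about the event shape; HEC expects epoch seconds.
function toHecEnvelope(event, opts) {
  const ms = Date.parse(event.createdAt);
  return {
    time: Number.isNaN(ms) ? Date.now() / 1000 : ms / 1000,
    index: opts.index,
    source: opts.source,
    sourcetype: opts.sourcetype,
    event,
  };
}

// Build the POST for one batch: one JSON envelope per line, token in the
// Authorization header. Non-HTTPS URLs are rejected to keep the token off the wire in cleartext.
function buildHecRequest(events, options) {
  const opts = { ...DEFAULTS, ...options };
  const url = new URL('/services/collector/event', opts.hecUrl);
  if (url.protocol !== 'https:') throw new Error('hecUrl must use https');
  return {
    url: url.href,
    method: 'POST',
    headers: { Authorization: `Splunk ${opts.hecToken}`, 'Content-Type': 'application/json' },
    body: events.map((e) => JSON.stringify(toHecEnvelope(e, opts))).join('\n'),
  };
}

// Split a buffer into batchSize-sized requests, as a flush of the buffer would.
function buildFlush(buffer, options) {
  const size = options.batchSize ?? DEFAULTS.batchSize;
  const requests = [];
  for (let i = 0; i < buffer.length; i += size) {
    requests.push(buildHecRequest(buffer.slice(i, i + size), options));
  }
  return requests;
}

// Constructed sample events (not real Grantex output).
const sampleEvents = [
  { type: 'grant.created', createdAt: '2024-01-01T00:00:00Z', data: { agentId: 'agent-1' } },
  { type: 'grant.revoked', createdAt: '2024-01-01T00:00:05Z', data: { agentId: 'agent-1' } },
  { type: 'token.issued', createdAt: '2024-01-01T00:00:09Z', data: { agentId: 'agent-2' } },
];
```

Each returned request can be passed to fetch(request.url, request); keep the token out of application logs when recording failures.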
Filtering Event Types
To send only specific events to Splunk, filter at the EventSource level:
Field Extraction
Create a field extraction in Splunk to make Grantex event fields searchable:
- Go to Settings > Fields > Field Extractions
- Create a new extraction for sourcetype _json:
spath in your searches:
Example Saved Searches
Grant Activity Over Time
View grant creation and revocation trends:
Top Agents by Token Issuance
Identify the most active agents:
Grant Revocation Spike Detection
Alert when revocations spike above a baseline:
- Trigger condition: Number of results > 0
- Throttle: 5 minutes
- Action: Send email or trigger a webhook
Budget Exhaustion Events
Catch budget exhaustion immediately:
Scope Usage Analysis
Analyze which scopes are most frequently granted:
Principal Activity Audit
Track all events for a specific user:
Splunk Dashboard
Build a Grantex security dashboard with these panels:
| Panel | Search | Visualization |
|---|---|---|
| Event volume | index=grantex \| timechart span=1h count | Area chart |
| Events by type | index=grantex \| spath output=event_type path=event.type \| stats count by event_type | Pie chart |
| Revocations | index=grantex \| spath output=event_type path=event.type \| where event_type="grant.revoked" \| timechart span=5m count | Line chart |
| Budget alerts | index=grantex \| spath output=event_type path=event.type \| search event_type="budget.*" | Events list |
| Top 10 agents | index=grantex \| spath output=agent_id path=event.data.agentId \| stats count by agent_id \| sort -count \| head 10 | Bar chart |
Graceful Shutdown
Ensure buffered events are flushed before your process exits:
Next Steps
- Event Streaming — SSE/WebSocket architecture overview
- Datadog Integration — forward events to Datadog
- S3 & BigQuery Archival — long-term compliance storage
- Metrics & Observability — Prometheus metrics and Grafana dashboards