Splunk


Important: Before proceeding, please ensure you have followed One User One Account instructions HERE. This ensures you do not experience any authentication conflicts.

Splunk is a robust data platform enabling organizations to capture, structure, and analyze machine data instantly. Turning raw information into valuable insights helps businesses proactively monitor operations, identify problems swiftly, and achieve greater operational awareness.

Splunk HTTP Event Collector

Splunk's primary data ingestion API is the HTTP Event Collector (HEC). It efficiently receives real-time data like logs, events, and metrics from external systems using HTTP/HTTPS.

Key Features:

  • Highly scalable: Efficiently ingests large volumes of data.

  • Real-time data ingestion: Transmits data to Splunk for immediate indexing.

  • Data format support: Accepts JSON and plain text data.

  • Secure authentication: Uses token-based authentication for secure data transmission.

Splunk Connector

The Splunk connector facilitates seamless communication between the Workforce Experience Platform (WXP) and the customer's Splunk instance. It sends key event data, including logs, performance metrics, and security alerts, directly from the Workforce Experience Platform to Splunk in near real time. This connector ensures the secure capture and efficient indexing of critical data within the customer's Splunk environment. This integration enables centralized monitoring, real-time alerting, and detailed data analytics, empowering customers to identify trends and troubleshoot issues effectively.

This article provides a step-by-step guide to:

  • Set up a Splunk Account and Activate HEC

  • Activate Splunk Connector

  • Splunk Data Connection and Refresh Schedule

Set up a Splunk Account and Activate HEC

Prerequisites

  • Ensure you have followed One User One Account instructions HERE.

  • The WXP user must have the Connector Admin role assigned to access and use integrations and connectors within the WXP platform.

  • For information related to Role-Based Access Control (RBAC), refer to the Authentication section.

  • Ensure that your Splunk instance is active and accessible.

Splunk Account and HEC Activation

  1. Create a Splunk Account.

  2. In your Splunk dashboard, go to Settings > Data Inputs > HTTP Event Collector.

Note: The HTTP Event Collector (HEC) is enabled by default on Splunk Cloud Platform.

  3. From the HTTP Event Collector page, click New Token. A new token for API integration is created.

Note: Make a note of the HEC endpoint URL (e.g., https://<splunk-server>:8088/services/collector ).

 

Activate Splunk Connector

  1. Log in to the WXP. The Home page is displayed.

  2. In the left menu of the WXP, click Integrations. The Integration page is displayed.

  3. Under the Splunk card, click Configure.

  4. Select the checkbox to generate the required reports. Click Save.

  5. In the Splunk card, click Connect. In the dialog box, read the instructions for authorizing HP. Click Next.

  6. The Splunk activator window is displayed.

  7. Enter the following details in the Splunk activator window to activate.

- Host URL: Example is prd-pi86na.splunkcloud.com:8088.

- HEC Token: Obtained from your Splunk instance.

- Index: Specifies which Splunk Index the data should be stored in; if left empty, defaults to the ‘main’ index.

  8. Click Connect. Once connected, WXP data in your Splunk instance is available after five minutes.
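A pre-flight check for the three activator values (Host URL, HEC Token, Index), added here as an example and not part of HP's or Splunk's own material: it validates the inputs, sends one test event to the HEC event endpoint over verified HTTPS, and maps the HEC reply code to a diagnosis. The function names and the test event are assumptions made for this example.

```python
import json
import re
import ssl
import urllib.error
import urllib.request

# HEC tokens are GUIDs; reject anything else before it is sent anywhere.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# HEC reply codes relevant to this setup.
HEC_CODES = {0: "ok", 1: "token disabled", 2: "token missing", 3: "bad Authorization header",
             4: "invalid token", 7: "index not allowed for this token"}

def hec_event_url(host_url):
    """Turn the activator's 'host:port' value into the HTTPS event endpoint."""
    host = host_url.strip().rstrip("/")
    if host.lower().startswith("http://"):
        raise ValueError("plain http:// would expose the HEC token in transit")
    host = re.sub(r"^https://", "", host, flags=re.I)
    if not re.fullmatch(r"[A-Za-z0-9.-]+:\d{1,5}", host):
        raise ValueError("expected <host>:<port>, for example <splunk-server>:8088")
    return f"https://{host}/services/collector/event"

def build_request(host_url, token, index=""):
    """Build one constructed test event, authenticated with the HEC token."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("HEC token is not a GUID")
    # Per the page, an empty Index field means the 'main' index.
    event = {"event": {"message": "hec preflight"}, "index": index or "main"}
    return urllib.request.Request(
        hec_event_url(host_url), data=json.dumps(event).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}"})

def interpret(body):
    """Map a HEC JSON reply body to a short diagnosis."""
    try:
        code = json.loads(body).get("code")
    except (ValueError, AttributeError):
        return "reply is not HEC JSON (wrong host or port?)"
    return HEC_CODES.get(code, f"unexpected HEC code {code}")

def preflight(host_url, token, index=""):
    """Send the test event; TLS certificate and hostname checks stay enabled."""
    req = build_request(host_url, token, index)
    try:
        with urllib.request.urlopen(req, timeout=10,
                                    context=ssl.create_default_context()) as resp:
            return interpret(resp.read())
    except urllib.error.HTTPError as err:  # 4xx replies still carry a HEC code
        return interpret(err.read())
```

Call `preflight("<splunk-server>:8088", "<HEC token>", "<index>")` from a machine that can reach the Splunk instance. A certificate or connection failure is raised as an exception rather than bypassed.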

Splunk Data Connection and Refresh Schedule

  • Estimated time for initial data pull: Maximum 10 minutes.

  • Data refresh frequency: Every 24 hours from connection time.

Troubleshooting Tips

1. No Data Visible in Splunk

Cause: Data may not be visible because a user may have access to multiple accounts, which results in a tenant ID mismatch.

Solution: Follow these steps:

1. Verify WXP Portal Account Access

Check in the WXP portal if your email is associated with more than one account or tenant. If so, there is a possibility of an authentication conflict, as the system may have authorized against an unintended account.

2. Reauthorize the Connector with a Single-Account Email (IT Admin role)

  • Navigate to the Connector in the WXP portal.

  • Note: If the connector is already connected, the Authorize step may not be visible. In this case, disconnect the connector first to make the Authorize option visible again.

  • Click the link next to the Authorize step and reauthorize using an email that has access to only one WXP account/tenant to avoid cross-tenant conflicts.

3. Reconnect the Connector

After successful reauthorization, reconnect the connector with the Connector Admin role to re-establish proper access.

4. Verify Data Visibility

Once the connector is properly connected, the user should be able to view the data as expected.

Contact Us

For any assistance, [create a support case] or email support@wxp.hp.com.