Splunk HEC

Setup

1. Create an HEC token

Splunk → Settings → Data inputs → HTTP Event Collector → New Token:

Name: tappass
Source type: tappass:cef (CEF) or tappass:audit (JSON)
Index: security (or per-env)

Note the HEC token.

2. Configure TapPass

exports:
  - name: splunk-prod
    destination: splunk_hec
    format: cef  # or "json"
    batch:
      max_size: 500
      max_wait_seconds: 5
    splunk:
      url: https://splunk.example.com:8088/services/collector
      hec_token: "${SPLUNK_HEC_TOKEN}"
      sourcetype: "tappass:cef"
      index: security
      verify_tls: true

3. Validate

tappass observability test --export splunk-prod

Sends a synthetic event. If Splunk is reachable and the token is valid, it shows up with sourcetype tappass:cef within seconds.

CEF example

CEF:0|TapPass|Governance|0.5|detection.pii|PII detected|4|agent=support-bot detection=pii.email severity=warn

Splunk parses CEF natively — each KVP becomes an indexed field.

JSON example

{
  "audit_id": "ae_01JC...",
  "timestamp": "2026-04-17T10:15:03Z",
  "event_kind": "policy_block",
  "agent_id": "support-bot",
  "policy_result": { "verdict": "deny", "rule": "no_pii_to_external" },
  "severity": "warn"
}

Filtering

Send only high-severity events to Splunk to keep licence cost down:

exports:
  - name: splunk-prod
    filters:
      min_severity: warn
      event_kinds: [detection, policy_block, auth_fail, tool_call]

PII redaction

Strip PII from event bodies before shipping:

exports:
  - name: splunk-prod
    redact:
      categories: [pii.email, pii.phone, pii.financial]
      strategy: mask  # or "remove"

Troubleshooting

Symptom	Fix
401 on every send	HEC token wrong or disabled
TLS verify fails	`verify_tls: false` (dev) or trust the CA
Events missing	Index permissions — HEC token must have write on that index