
Splunk HEC integration


Forward Penaxtra findings and audit events to Splunk via the HTTP Event Collector. Events arrive pre-mapped to compliance framework identifiers so dashboards and alerts can pivot on OWASP_LLM01, EU_AI_ACT_Art15, etc.

Configure the forwarder

  1. In Splunk, Settings → Data inputs → HTTP Event Collector → New Token. Capture the token.
  2. In Penaxtra, Integrations → Splunk HEC → New target. Paste:
     • HEC URL, e.g. https://splunk.example.com:8088/services/collector
     • HEC token
     • Source type: penaxtra:finding (recommended)
     • Index: leave default or pick a dedicated index for AI security data
  3. Click Test connection. A successful test fires a synthetic event with source=penaxtra-test; search for that source in Splunk to confirm the event landed in the index you expect.
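What the target configuration and the Test connection step amount to on the wire, as an added example that is not Penaxtra's forwarder or any Splunk-shipped code: the Authorization: Splunk <token> header, the JSON envelope from the Event format section, and the retry policy stated under Security notes. The URL and token are placeholders, and the transport/sleep hooks exist only so the policy can be exercised without a live Splunk.

```python
"""Added example, not Penaxtra's forwarder or Splunk code: wrap a finding in
the HEC envelope documented on this page, POST it with the Splunk token scheme
and retry transient failures with exponential backoff (seven attempts, as the
page states). URL/token values are placeholders."""
import json
import time
import urllib.error
import urllib.request

MAX_ATTEMPTS = 7          # "up to seven attempts"
BASE_DELAY_S = 1.0        # first back-off; doubles each attempt, capped at 60 s
# HEC responses a retry cannot fix: bad body (400), missing/invalid auth (401/403)
PERMANENT = {400, 401, 403}
REQUIRED = ("finding_id", "scan_id", "endpoint_id", "severity", "framework_refs")


def build_event(finding: dict, epoch: int, host: str = "penaxtra-platform") -> dict:
    """Wrap a finding dict in the envelope shown under 'Event format'."""
    missing = [k for k in REQUIRED if k not in finding]
    if missing:
        raise ValueError(f"finding lacks required fields: {missing}")
    return {
        "time": epoch,
        "host": host,
        "source": "penaxtra-findings",
        "sourcetype": "penaxtra:finding",
        "event": finding,
    }


def post_once(url: str, token: str, body: bytes, timeout: float = 10.0):
    """One POST to /services/collector. Returns (http_status, response_text).
    The token only ever goes into the Authorization header; never log it."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:       # 4xx/5xx still carries HEC's JSON error body
        return e.code, e.read().decode(errors="replace")
    # DNS failure, refused connection or timeout raise URLError/OSError to the caller


def deliver(event: dict, url: str, token: str, transport=post_once, sleep=time.sleep):
    """Send one event with back-off. Returns (delivered, attempts, last_status).
    transport/sleep are injectable so the policy can be exercised without a Splunk."""
    body = json.dumps(event).encode()
    status = None
    for attempt in range(1, MAX_ATTEMPTS + 1):
        try:
            status, _ = transport(url, token, body)
        except (urllib.error.URLError, OSError):
            status = None                      # network-level failure: Splunk unreachable
        if status == 200:
            return True, attempt, status
        if status in PERMANENT:
            return False, attempt, status      # fix the token/body/index; do not hammer HEC
        if attempt < MAX_ATTEMPTS:
            sleep(min(BASE_DELAY_S * 2 ** (attempt - 1), 60.0))
    return False, MAX_ATTEMPTS, status


if __name__ == "__main__":
    # Placeholder target and a constructed finding; replace both before a real run.
    ev = build_event({"finding_id": "fnd_test", "scan_id": "scan_test",
                      "endpoint_id": "ep_test", "severity": "low",
                      "framework_refs": ["OWASP_LLM01"]}, int(time.time()))
    print(deliver(ev, "https://splunk.example.com:8088/services/collector", "<hec token>"))
```

A 400/401/403 is returned to the caller after the first attempt on purpose: those mean the body, header or token is wrong, and retrying only fills the HEC error log. Only timeouts, refused connections and 5xx responses go through the back-off.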

Event format

Each finding becomes a single HEC event. The envelope fields (time, host, source, sourcetype) are what Splunk indexes on; time is Unix epoch seconds and in this example equals the finding's discovered_at:

{
  "time": 1779445441,
  "host": "penaxtra-platform",
  "source": "penaxtra-findings",
  "sourcetype": "penaxtra:finding",
  "event": {
    "finding_id": "fnd_2026_xxxxxx",
    "scan_id": "scan_2026_xyz789",
    "endpoint_id": "ep_2026_abc123",
    "severity": "high",
    "title": "Indirect prompt injection via RAG corpus",
    "probe_id": "rag_indirect_v2",
    "framework_refs": [
      "OWASP_LLM01",
      "OWASP_LLM06",
      "MITRE_ATLAS_AML_T0051",
      "EU_AI_ACT_Art15"
    ],
    "discovered_at": "2026-05-22T10:24:01Z",
    "tenant_id": "<tenant uuid>",
    "url": "https://penaxtra.com/app/findings/fnd_2026_xxxxxx"
  }
}

Suggested SPL queries

Replace index=penaxtra with the index you chose in step 2. A search begins with the base terms, not a pipe.

Findings by severity and framework reference. Splunk auto-extracts the JSON array as the multivalue field framework_refs{}, so a finding with four refs contributes one row per ref:

index=penaxtra sourcetype="penaxtra:finding"
| stats count by severity, framework_refs{}
| sort -count

Critical findings from the last seven days. The where clause filters after retrieval; on a large index put earliest=-7d@d in the base search instead so Splunk skips buckets outside the window:

index=penaxtra sourcetype="penaxtra:finding" severity=critical
| where _time > relative_time(now(), "-7d@d")
| table _time endpoint_id title framework_refs{} url
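To see exactly what those two queries return, here is their logic re-implemented in Python over a handful of constructed penaxtra:finding events. This is an added example, not code from the page or from Penaxtra; the sample findings are made up, and the "-7d@d" snap assumes UTC (Splunk snaps in the search's configured timezone).

```python
"""Added example, not code from the page or Penaxtra: the two SPL queries'
semantics re-implemented in Python over constructed penaxtra:finding events,
to show what the multivalue framework_refs{} pivot and the -7d@d window
actually return. Sample events are made up; snapping assumes UTC."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def ts(iso: str) -> int:
    """ISO-8601 'Z' timestamp -> Unix epoch seconds (the envelope's time field)."""
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp())


def finding(fid, endpoint, severity, refs, when):
    """Constructed event in the envelope documented under 'Event format'."""
    return {"time": ts(when), "host": "penaxtra-platform",
            "source": "penaxtra-findings", "sourcetype": "penaxtra:finding",
            "event": {"finding_id": fid, "endpoint_id": endpoint,
                      "severity": severity, "title": f"constructed finding {fid}",
                      "framework_refs": refs, "discovered_at": when,
                      "url": f"https://penaxtra.com/app/findings/{fid}"}}


SAMPLE_EVENTS = [
    finding("fnd_a", "ep_1", "high", ["OWASP_LLM01", "OWASP_LLM06", "EU_AI_ACT_Art15"],
            "2026-05-22T10:24:01Z"),
    finding("fnd_b", "ep_1", "critical", ["OWASP_LLM01"], "2026-05-22T11:24:01Z"),
    finding("fnd_c", "ep_2", "critical", ["MITRE_ATLAS_AML_T0051"], "2026-05-01T09:00:00Z"),
    finding("fnd_d", "ep_2", "critical", ["OWASP_LLM06"], "2026-05-16T00:00:00Z"),
    finding("fnd_e", "ep_3", "high", ["OWASP_LLM01"], "2026-05-20T08:00:00Z"),
    # same index, different sourcetype: must be dropped by the base search
    {"time": ts("2026-05-22T12:00:00Z"), "sourcetype": "other:log",
     "event": {"severity": "critical"}},
]


def relative_time_days_snap(now_epoch: int, days: int) -> int:
    """relative_time(now(), "-<days>d@d"): apply the offset, then snap to 00:00 (UTC here)."""
    d = datetime.fromtimestamp(now_epoch, timezone.utc) - timedelta(days=days)
    return int(d.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def base_search(events, **field_filters):
    """index=... sourcetype="penaxtra:finding" plus any field=value terms."""
    for ev in events:
        if ev.get("sourcetype") != "penaxtra:finding":
            continue
        if all(ev["event"].get(k) == v for k, v in field_filters.items()):
            yield ev


def count_by_severity_and_ref(events):
    """| stats count by severity, framework_refs{} | sort -count
    framework_refs{} is multivalue: a finding with N refs produces N rows.
    Ties are broken by key here; Splunk leaves tie order unspecified."""
    c = Counter()
    for ev in base_search(events):
        for ref in ev["event"].get("framework_refs", []):
            c[(ev["event"]["severity"], ref)] += 1
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


def recent_critical(events, now_epoch: int, days: int = 7):
    """severity=critical | where _time > relative_time(now(), "-7d@d") | table ...
    Note the strict '>': an event stamped exactly at the snapped boundary is excluded."""
    floor = relative_time_days_snap(now_epoch, days)
    return [{"_time": ev["time"], "endpoint_id": ev["event"]["endpoint_id"],
             "title": ev["event"]["title"], "framework_refs": ev["event"]["framework_refs"],
             "url": ev["event"]["url"]}
            for ev in base_search(events, severity="critical") if ev["time"] > floor]


if __name__ == "__main__":
    now = ts("2026-05-23T12:00:00Z")
    for row in count_by_severity_and_ref(SAMPLE_EVENTS):
        print(row)
    for row in recent_critical(SAMPLE_EVENTS, now):
        print(row)
```

Two things worth noticing from the output: fnd_a alone produces three rows in the first query because of the multivalue fan-out, so the count column is "finding-reference pairs", not findings; and fnd_d, stamped exactly at the day-snapped boundary, is excluded by the strict comparison in the second query.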

Common errors

Code | Meaning | Fix
401 from HEC | Authorization header missing or malformed. Splunk answers 403 "Invalid token" when the header is present but the token is wrong or disabled, and 400 "Incorrect index" when the token may not write to the chosen index. | Re-paste the token, confirm it is enabled, and grant it access to the target index
400 invalid_event | Body did not parse as JSON | Use the JSON event endpoint (services/collector), not services/collector/raw: the raw endpoint takes unstructured text, the event endpoint expects the {"time", "host", ..., "event"} envelope
Connection timeout | Splunk unreachable from Penaxtra | Confirm the firewall allows the platform egress IP range to the HEC port (8088 by default); consider a self-hosted Penaxtra event forwarder relay

Security notes

  • The HEC token is sealed-box encrypted at rest in Penaxtra; cleartext is never logged.
  • Penaxtra retries failed deliveries with exponential backoff up to seven attempts.
  • Event payload does NOT include raw prompts or completions; only finding metadata and the redacted excerpt that already lives on the finding record.

Last reviewed: 2026-06-13. Reviewed by: Engineering. Content type: Developer documentation. Reach the maintainers: [email protected] .