Log Forwarding with Splunk
This documentation describes support for log forwarding that is under active development and is available only to customers who have been individually approved as part of our Private Beta program.
To request an invite, submit this form.
Requirements
- Access granted for the Log Forwarding Private Beta Program
- A Splunk user role with the edit_token_http capability granted.
Add Splunk configuration
Configure a secure HTTP Event Collector (HEC) in Splunk:
- In your Splunk instance, navigate to Settings > Data Inputs > HTTP Event Collector.
- Create a New Token (e.g., named pantheon_logs).
- Configure the token settings, ensuring you set the appropriate Index.
  Note: Pantheon forwards logs as raw text (or JSON, depending on the internal format). Consult your Splunk administrator for the ideal Source Type setting.
- Once created, copy the HEC Token (this is a GUID).
- Copy the Splunk HEC Endpoint including both the hostname and port (e.g., https://my-splunk.com:8088).
Request Pantheon configuration
Reply to your beta program welcome email, or reach out to your Customer Success Manager (CSM), with the following information:
- Workspace UUID: Specify which workspace you want enabled.
- Splunk HEC Endpoint URL: The host and port (e.g., https://my-splunk.com:8088).
- HEC Token: The unique GUID copied in the previous section.
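A pre-flight check for the endpoint and token before you send them, as an added example that is not Pantheon or Splunk tooling: it verifies the endpoint is HTTPS with an explicit port and the token is GUID-shaped, then posts one test event to Splunk's standard HEC event path. The function names, the HEC_TOKEN environment variable and the test event text are assumptions made for this example.

```python
import json
import os
import re
import sys
import urllib.request
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_hec_settings(endpoint, token):
    """Return a list of problems with the endpoint/token pair (empty list = OK)."""
    try:
        url = urlsplit(endpoint)
        port = url.port  # raises ValueError on a non-numeric port
    except ValueError:
        return ["endpoint is not a valid URL"]
    problems = []
    if url.scheme != "https":
        problems.append("endpoint must use https so the token is not sent in clear text")
    if not url.hostname:
        problems.append("endpoint has no hostname")
    if port is None:
        problems.append("endpoint must include the port (e.g. :8088)")
    if url.path not in ("", "/") or url.query or url.username:
        problems.append("endpoint should be host and port only")
    if not GUID_RE.match(token):
        problems.append("token is not a GUID")
    return problems


def build_test_request(endpoint, token, index):
    """Build (without sending) a single-event POST to the HEC event endpoint."""
    body = json.dumps({"event": "HEC pre-flight test", "index": index})
    return urllib.request.Request(
        endpoint.rstrip("/") + "/services/collector/event",
        data=body.encode(),
        headers={"Authorization": "Splunk " + token},
        method="POST",
    )


if __name__ == "__main__":
    # Usage: HEC_TOKEN=<token> python hec_check.py <endpoint> <index>
    endpoint, index = sys.argv[1:3]
    token = os.environ["HEC_TOKEN"]  # keep the token out of argv and shell history
    issues = check_hec_settings(endpoint, token)
    if issues:
        sys.exit("\n".join(issues))  # messages never echo the token itself
    with urllib.request.urlopen(build_test_request(endpoint, token, index), timeout=10) as resp:
        print(resp.status, resp.read().decode())
```

Run it from a host that is allowed to reach the HEC port; a rejected token comes back as an HTTP error from Splunk rather than a validation message.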
Test log streaming
Once Pantheon confirms that forwarding is active, use the Splunk search interface (e.g., index=<your_index> token="<HEC_token>") to verify that log events are being ingested.