# Splunk Destination

## Overview

Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring Splunk as the destination where you will receive alerts.

As a Splunk user, sending Panther alerts to Splunk allows you to leverage Panther's powerful Detections-as-Code functionality on a set of logs while keeping your existing triage, search, and remediation workflows in Splunk.

It may be particularly useful to include the matching event (or first matching event, if you are using [deduplication](https://docs.panther.com/detections/rules#deduplication-of-alerts)) in your alert sent to Splunk—especially if the log on which a match was made is not also stored in Splunk. You can include the event (or a subset of it) by using the [`alert_context()` function](https://docs.panther.com/detections/rules/python#alert_context) or the [`AlertContext` key](https://docs.panther.com/detections/rules/writing-simple-detections#alertcontext) in your Python or YAML detection, respectively.

## How to set up Splunk as an alert destination

To configure Splunk as an alert destination in Panther, you'll need to set up a Splunk HTTP Event Collector, get an authentication token, then set up the destination in Panther.

### Step 1: Create an HTTP Event Collector in Splunk

1. Log in to your Splunk Console.
2. Follow the [Splunk documentation to configure an HTTP Event Collector](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector).
   * Give the Event Collector a descriptive **Name**, such as `Panther Alerts`.
   * All other settings are optional.
3. Copy the HTTP Event Collector's **Token Value** from the final screen of the wizard.
   * You'll need this to configure the Panther alert destination.
   * If you need to reference the **Token Value** after completing the wizard, it can be found under **Settings > Data Inputs > HTTP Event Collector**.
4. Follow [Splunk's instructions to generate your HTTP Event Collector **URI**](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector).
   * You will need this in the next step of this process.
   * If you're using a *paid* edition of Splunk Cloud, this might look like:
     `https://http-inputs-<your-subdomain>.splunkcloud.com:443/services/collector/event`
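Before entering the URI and token into Panther, it is worth confirming that the collector accepts events. The script below is an added example, not Panther's own code or anything from this page: it checks that the URI is HTTPS and targets the `/services/collector/event` endpoint, then posts a constructed test event with the token in the `Authorization: Splunk <token>` header, the same way any HEC client does. The hostname and token values are placeholders.

```python
import json
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"


def validate_hec_uri(uri: str) -> bool:
    """Accept only an HTTPS URI that points at the HEC event endpoint.
    A plain-http URI would send the token in the clear; a wrong path
    means alerts are rejected instead of indexed."""
    parsed = urlparse(uri)
    return parsed.scheme == "https" and bool(parsed.hostname) and parsed.path == HEC_PATH


def build_hec_request(uri: str, token: str, alert: dict) -> urllib.request.Request:
    """Build the POST a HEC client issues: token in the Authorization header,
    the alert as the JSON 'event' field. Never log the token itself."""
    if not validate_hec_uri(uri):
        raise ValueError(f"HEC URI must be https://<host>:<port>{HEC_PATH}")
    body = json.dumps({"sourcetype": "_json", "event": alert}).encode()
    return urllib.request.Request(
        uri,
        data=body,
        method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )


def parse_hec_reply(body: bytes) -> bool:
    """HEC answers {"text": "Success", "code": 0} on an accepted event."""
    return json.loads(body).get("code") == 0


def send_test_alert(uri: str, token: str) -> bool:
    """Post a constructed test alert and report whether the collector accepted it."""
    alert = {"title": "Panther HEC connectivity test", "severity": "INFO",
             "alertContext": {"note": "constructed test event"}}
    with urllib.request.urlopen(build_hec_request(uri, token, alert), timeout=10) as resp:
        return parse_hec_reply(resp.read())


if __name__ == "__main__":
    # Placeholder values: replace with your collector URI and HEC token value.
    print(send_test_alert(
        "https://http-inputs-YOUR-SUBDOMAIN.splunkcloud.com:443/services/collector/event",
        "HEC-TOKEN-PLACEHOLDER"))
```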

### Step 2: Configure the Splunk alert destination in Panther

1. Log in to the Panther Console.
2. In the left sidebar, click **Configure > Alert Destinations**.
3. Click **+Add your first Destination**.
   * If you have already created Destinations, click **Create New** in the upper right side of the page to add a new Destination.
4. Click **Splunk**.
5. Fill out the form to configure the Destination:
   * **Display Name**: Enter a descriptive name.
   * **HTTP Event Collector URL**: Enter the Splunk HTTP Event Collector **URI** that you generated in the [previous step of this documentation](#step-1-create-an-http-event-collector-in-splunk).
   * **Auth Token:** Enter the **Token Value** from the HTTP Event Collector that you configured on Splunk.
   * **Severity**: Select the severity level of alerts to send to this Destination.
   * **Alert Types**: Select the alert types to send to this Destination.
   * **Log Type**: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.
   * **Allow Manual Dispatch**: Set this toggle ON if you'd like to be able to [manually dispatch alerts](https://docs.panther.com/alerts#manual-alert-dispatch) to this destination.

   ![A form titled "Configure your Splunk Destination" has various fields, including Display Name, HTTP Event Collector URL, and Auth Token.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-9633f2cea0a70401e8d7e91b4e236dce5e44ead3%2FSplunk%20Alert%20Destination%20Form?alt=media)
6. Click **Add Destination**.
7. On the final page, optionally click **Send Test Alert** to test the integration. When you are finished, click **Finish Setup**.

## Additional Information on Destinations

For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: [Destinations](https://docs.panther.com/alerts/destinations).
