Splunk Compatible
Splunk's HTTP Event Collector (HEC) has become a widely adopted ingestion protocol. Many SIEM, log management, log aggregator, and observability pipeline tools support it natively, meaning they can receive data sent in the same format and with the same authentication header that Splunk uses. The Splunk Compatible integration lets you send Files.com logs to any of these platforms using the standard HEC format, without needing to build a custom HTTP payload or authentication header.
When to Use Splunk Compatible
Use the Splunk Compatible integration when your platform is not Splunk itself but explicitly supports Splunk HEC ingestion. The following are examples of platforms and pipeline tools that accept the Splunk HEC format, though other platforms may support it as well:
- Cribl Stream: a log routing and processing pipeline that accepts HEC data and forwards it to downstream destinations
- Vector: an open-source observability pipeline with a native Splunk HEC source
- Mezmo (formerly LogDNA): a SaaS log management platform with HEC-compatible ingestion
- Grafana Alloy: an observability collector with a built-in Splunk HEC receiver
- OpenTelemetry Collector: supports Splunk HEC ingestion via the splunkhecreceiver component in the contrib distribution
If you are sending logs directly to Splunk Enterprise or Splunk Cloud, use the Splunk integration instead.
If your platform accepts JSON over HTTP but does not implement Splunk's HEC protocol, use the SIEM (Any Provider) connector instead. That connector gives you full control over the payload format and authentication headers.
Getting Started with Splunk Compatible Integration
Before configuring Files.com, enable HEC ingestion in your platform and generate a token for it. The steps vary by platform, so refer to your platform's documentation for instructions. You will need two values from that configuration: the HEC endpoint URL and the token.
Configuring Files.com for Splunk Compatible Integration
When configuring the Splunk Compatible integration in Files.com, provide a Name for the integration for your records. Enter the HEC endpoint URL from your platform as the Destination URL. Enter the token generated in your platform as the Splunk-Compatible Token.
Files.com sends the token in the Authorization: Splunk <token> header format, which is what platforms implementing the Splunk HEC protocol expect.
If you need to pass extra headers to your setup, configure them by entering each Header Name and Header Value in the Key and Value fields.
Verifying the Integration
After saving, confirm that logs are reaching your platform by checking its ingestion dashboard or log search. The steps vary by platform, so refer to your platform's documentation. You can also check SIEM events under External Logs to confirm that Files.com is sending logs without errors.
Choosing Log Types to Forward
You can select which types of logs are forwarded to each instance. By default, all log types are enabled, and you can customize the log types collected for different instances. See the Log Types section for the available options.
Troubleshooting
If logs are not being forwarded or received, verify that your HEC endpoint URL and token are accurate and correctly configured in Files.com as the Destination URL and Splunk-Compatible Token.
If the problem continues, check for network connectivity problems or firewall rules blocking communication between Files.com and your platform. Check SIEM events under External Logs to help identify problems in the log forwarding process. If the problem persists, refer to your platform's documentation on HEC ingestion.
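When the token or header is the suspected cause, a receiver-side check can report exactly why a request would be rejected. The sketch below is an added example, not Files.com or platform code: it validates the Authorization: Splunk <token> header described above and splits a HEC body into its event objects. The function names, sample token, and sample events are constructed for illustration, and the strict match on the scheme name is an assumption.

```python
import hmac
import json

def check_hec_auth(headers, expected_token):
    """Return (ok, reason) for the Authorization header of one HEC request."""
    # Header names are case-insensitive on the wire.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return False, "missing Authorization header"
    scheme, _, token = value.strip().partition(" ")
    # Assumption: strict match on the scheme exactly as the page shows it.
    if scheme != "Splunk":
        return False, f"unexpected scheme {scheme!r}, expected 'Splunk'"
    token = token.strip()
    if not token:
        return False, "empty token"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "token mismatch"
    return True, "ok"

def parse_hec_events(body):
    """Split a HEC body into event objects. HEC batches are JSON objects
    written back to back (not a JSON array), so decode them one at a time."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    text = body.strip()
    while pos < len(text):
        obj, end = decoder.raw_decode(text, pos)
        if not isinstance(obj, dict) or "event" not in obj:
            raise ValueError(f"object at offset {pos} has no 'event' key")
        events.append(obj)
        pos = end
        # Skip whitespace between stacked objects.
        while pos < len(text) and text[pos].isspace():
            pos += 1
    return events

# Constructed sample request; the token and event fields are placeholders.
SAMPLE_TOKEN = "00000000-0000-0000-0000-000000000000"
SAMPLE_HEADERS = {"authorization": f"Splunk {SAMPLE_TOKEN}"}
SAMPLE_BODY = '{"event": {"action": "login"}}\n{"event": {"action": "download"}}'

if __name__ == "__main__":
    print(check_hec_auth(SAMPLE_HEADERS, SAMPLE_TOKEN))
    print(check_hec_auth({"Authorization": f"Bearer {SAMPLE_TOKEN}"}, SAMPLE_TOKEN))
    print(len(parse_hec_events(SAMPLE_BODY)), "events")
```

Logging the returned reason, never the token itself, keeps the credential out of the receiver's own logs.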