
Splunk - User Guide

This article walks you through integrating Scytale with Splunk, step by step.

Splunk is a data analytics and observability platform that enables organizations to search, monitor, and analyze machine data for security, IT operations, and business insights.

Required Permissions

  • Create a dedicated Scytale service role with the minimum required permissions by following the steps below, or use an existing user that holds the sc_admin role.

Scytale follows the least-privilege principle, limiting permission scopes strictly to what's required for audit evidence collection.

How to Connect

  1. In Scytale, go to 'Integrations'.

  2. Search for Splunk and select 'Connect'.

  3. Paste the Bearer token for the service account (the token created for it in Splunk), together with the instance URL and port described below.

  4. Add Scytale's IP to the Search Head API Allow List.

  5. Add a connection name (this is used to tell your connections apart) and then select 'Connect'.

You have now successfully connected to Splunk.

How to Generate a Bearer Token in Splunk

  1. In your Splunk Cloud dashboard, go to Settings → Tokens

  2. If Token Authentication is not enabled, click Enable Token Authentication

  3. Click New Token, enter a username and an audience value, then click Create

  4. Copy the token immediately — it is only shown once

How to get the instance URL

  1. The instance URL is derived from your Splunk Cloud dashboard URL, which typically follows the format https://<host-name>.splunkcloud.com/... The <host-name>.splunkcloud.com portion is what you need.

How to check the port

  1. Splunk's REST API runs on the splunkd management port, which is 8089 by default.

Add Scytale's IP to the Search Head API Allow List

To allow Scytale to interact with your Splunk Cloud environment, you must add Scytale's outbound IP CIDR to the Search Head API Allow List. Port 8089 is not exposed to any subnet by default on Splunk Cloud.

To configure the allow list:

  1. Navigate to Settings → Server Settings

  2. Select IP Allow List

  3. Click the Search Head API access tab

  4. Click + Add IP subnet, enter Scytale's outbound IP CIDR, and click Save

If the IP Allow List option is not visible in the UI, submit a support case to Splunk Support requesting that port 8089 be opened, specifying Scytale's outbound IP CIDR.

API usage

  • All requests are made over HTTPS on the splunkd management port (8089), never on the web port

  • Every request carries the header Authorization: Bearer <token>

  • Scytale's outbound IP CIDR must be on the Search Head API Allow List, otherwise the connection never reaches splunkd
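The three bullets above map onto three distinct failure modes when the connection is first attempted: an allow-list gap shows up as a timeout, a bad or expired token as HTTP 401, and a role missing a capability as HTTP 403. The following connectivity check is an added example written for this article (it is not Scytale's or Splunk's code). It assumes the dashboard URL form and the default management port given above, and calls /services/server/info, the endpoint family that the rest_access_server_endpoints capability covers; the example host name and the environment variable names are placeholders.

```python
"""Connectivity check for the Splunk management API (added example)."""
import json
import socket
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Tuple

DEFAULT_MGMT_PORT = 8089            # splunkd management port, the Splunk Cloud default
INFO_ENDPOINT = "/services/server/info"   # readable with rest_access_server_endpoints


def instance_host(dashboard_url: str) -> str:
    """Return the <host-name>.splunkcloud.com part of a dashboard URL."""
    if "://" not in dashboard_url:
        dashboard_url = "https://" + dashboard_url
    host = urllib.parse.urlparse(dashboard_url).hostname or ""
    if not host.endswith(".splunkcloud.com"):
        raise ValueError(f"not a Splunk Cloud host: {host!r}")
    return host


def management_url(dashboard_url: str, port: int = DEFAULT_MGMT_PORT,
                   endpoint: str = INFO_ENDPOINT) -> str:
    """Build the HTTPS management URL; the REST API is not served on the web port."""
    return f"https://{instance_host(dashboard_url)}:{port}{endpoint}?output_mode=json"


def auth_headers(token: str) -> dict:
    """Authorization header for every request; tolerates a pasted 'Bearer ...'."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()
    return {"Authorization": f"Bearer {token}"}


def classify(status: Optional[int], error: Optional[BaseException] = None) -> str:
    """Map the outcome onto the things that usually go wrong on first connect."""
    if error is not None:
        if isinstance(error, (socket.timeout, TimeoutError)) or "timed out" in str(error):
            return "timeout: port 8089 unreachable, check the Search Head API Allow List"
        if isinstance(error, ssl.SSLError):
            return f"tls error: {error}"
        return f"connection error: {error}"
    if status == 200:
        return "ok"
    if status == 401:
        return "401: token rejected (expired, revoked, or token authentication disabled)"
    if status == 403:
        return "403: token accepted but the role lacks a capability for this endpoint"
    return f"unexpected HTTP {status}"


def check(dashboard_url: str, token: str, timeout: float = 10.0) -> Tuple[str, Optional[str]]:
    """Call server/info and return (verdict, Splunk version or None)."""
    req = urllib.request.Request(management_url(dashboard_url), headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
            version = body["entry"][0]["content"].get("version")
            return classify(resp.status), version
    except urllib.error.HTTPError as exc:
        return classify(exc.code), None
    except urllib.error.URLError as exc:
        # URLError.reason is an exception for connect failures, a string for DNS/other
        reason = exc.reason if isinstance(exc.reason, BaseException) else OSError(str(exc.reason))
        return classify(None, reason), None
    except (socket.timeout, ssl.SSLError, OSError) as exc:
        return classify(None, exc), None


if __name__ == "__main__":
    import os
    import sys
    # Placeholder host and env var names; nothing here is a working credential.
    url = os.environ.get("SPLUNK_DASHBOARD_URL",
                         "https://example-host.splunkcloud.com/en-US/app/launcher/home")
    tok = os.environ.get("SPLUNK_TOKEN", "")
    verdict, ver = check(url, tok) if tok else ("no token supplied", None)
    print(verdict, ver or "")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it from a host whose egress IP is on the allow list; a verdict beginning with "timeout" from a host that is not on the list is expected and confirms that port 8089 is closed to that subnet.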

How to Create a Service Account Role and User in Splunk

Follow these steps to create a dedicated Scytale service account with the minimum required permissions. Note that several of the capabilities listed in Step 1 are administrative in scope: admin_all_objects grants access to all knowledge objects, edit_user allows user accounts to be modified, and change_authentication allows authentication settings to be changed. Review them against your own access policy before granting them, and give the token a bounded expiration.

Step 1 — Create the Role

  1. Go to Settings → Roles

  2. Click New Role

  3. Set Role name to scytale_serviceaccount

  4. Go to the Inheritance tab and add:
    ess_analyst

    mc_analyst

    ess_user

  5. Go to the Capabilities tab and enable:
    rest_access_server_endpoints

    list_settings

    admin_all_objects

    change_authentication

    edit_user

    list_all_objects

    list_all_roles

    list_all_users

  6. Click Save

Step 2 — Create the User

  1. Go to Settings → Users

  2. Click New User

  3. Fill in:
    Username: scytale_service

    Full Name: Scytale Integration

    Password: a strong password

  4. Under Assign Roles, add scytale_serviceaccount (the role created in Step 1)

  5. ⚠️ The default user role is pre-selected on the right-hand side (Selected roles). Select it so that it is swapped for your custom role rather than kept alongside it; scytale_serviceaccount should be the only role assigned

  6. Click Save

Step 3 — Create a Token for the Service Account

  1. Go to Settings → Tokens

  2. Click New Token

  3. Set User to scytale_service

  4. Set Audience to scytale

  5. Set Expiration as needed

  6. Click Create and copy the token immediately — shown only once
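Steps 1 to 3 can also be scripted, which makes the role definition reviewable and repeatable across environments. The script below is an added example written for this article (not Scytale's or Splunk's code). It posts to the documented /services/authorization/roles, /services/authentication/users and /services/authorization/tokens endpoints, and assumes an administrator token whose role may edit roles and users, the management port from this article, and a base URL of the form https://<host-name>.splunkcloud.com:8089. The +30d relative expiry is one of the forms the tokens endpoint accepts; adjust it to your policy.

```python
"""Create the Scytale service role, user and token via the Splunk REST API (added example)."""
import json
import urllib.parse
import urllib.request
from typing import List, Tuple

ROLE_NAME = "scytale_serviceaccount"
USER_NAME = "scytale_service"
INHERITED_ROLES = ["ess_analyst", "mc_analyst", "ess_user"]
CAPABILITIES = [
    "rest_access_server_endpoints", "list_settings", "admin_all_objects",
    "change_authentication", "edit_user", "list_all_objects",
    "list_all_roles", "list_all_users",
]

Form = List[Tuple[str, str]]   # ordered fields; repeated keys are sent as repeated params


def role_form(name: str = ROLE_NAME) -> Form:
    """Step 1: the roles endpoint takes imported_roles and capabilities as repeated keys."""
    fields: Form = [("name", name)]
    fields += [("imported_roles", r) for r in INHERITED_ROLES]
    fields += [("capabilities", c) for c in CAPABILITIES]
    return fields


def user_form(password: str, name: str = USER_NAME, role: str = ROLE_NAME) -> Form:
    """Step 2: roles is set explicitly so the default 'user' role is not kept."""
    if len(password) < 12:
        raise ValueError("use a strong password for the service account")
    return [("name", name), ("password", password),
            ("realname", "Scytale Integration"), ("roles", role)]


def token_form(user: str = USER_NAME, audience: str = "scytale",
               expires_on: str = "+30d") -> Form:
    """Step 3: a token bound to the service user with a bounded expiry."""
    return [("name", user), ("audience", audience), ("expires_on", expires_on)]


def encode(fields: Form) -> bytes:
    """application/x-www-form-urlencoded body; list-of-tuples keeps repeated keys."""
    return urllib.parse.urlencode(fields).encode()


def post(base_url: str, path: str, admin_token: str, fields: Form,
         timeout: float = 15.0) -> dict:
    """POST one form to the management port with the admin's Bearer token."""
    req = urllib.request.Request(
        f"{base_url}{path}?output_mode=json", data=encode(fields), method="POST",
        headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def create_service_account(base_url: str, admin_token: str, password: str) -> str:
    """Run the three steps in order and return the new token; it is shown only once."""
    post(base_url, "/services/authorization/roles", admin_token, role_form())
    post(base_url, "/services/authentication/users", admin_token, user_form(password))
    created = post(base_url, "/services/authorization/tokens", admin_token, token_form())
    # The tokens endpoint returns the token string under the entry's content
    return created["entry"][0]["content"]["token"]


if __name__ == "__main__":
    import os
    # Placeholder env var names; the base URL host is an example, not a real instance.
    base = os.environ.get("SPLUNK_MGMT_URL", "https://example-host.splunkcloud.com:8089")
    admin = os.environ.get("SPLUNK_ADMIN_TOKEN", "")
    pw = os.environ.get("SCYTALE_SERVICE_PASSWORD", "")
    if admin and pw:
        print(create_service_account(base, admin, pw))
    else:
        print("set SPLUNK_ADMIN_TOKEN and SCYTALE_SERVICE_PASSWORD to run")
```

Paste the printed token into Scytale immediately; it is not retrievable afterwards, and the administrator token used to create it should be revoked or allowed to expire once the service account is in place.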
