13.2. Splunk
Ship FlareInspect findings to Splunk via the HTTP Event Collector
(HEC). Events use a CIM-aligned envelope; the bundled
Technology Add-on (TA-flareinspect) extracts them into the
cloudflare:flareinspect:finding sourcetype and aliases the fields
to the standard vulnerability.* namespace.
13.2.1. Wire protocol
The live shipper posts to
POST {hecUrl}/services/collector/event with
Authorization: Splunk <token>. The body is one JSON envelope per
line (application/json). Per-event errors are accumulated
rather than thrown — a single 4xx doesn’t abort the rest of the
batch.
13.2.2. Event shape
{
  "time": 1748604896.789,
  "host": "flareinspect",
  "source": "flareinspect",
  "sourcetype": "cloudflare:flareinspect:finding",
  "index": "main",
  "event": {
    "vulnerability": {
      "id": "CFL-INSIGHT-005::x.test::a.x.test",
      "classification": "EXPOSURE",
      "severity": "high",
      "score": { "base": 7.5 }
    },
    "event": {
      "kind": "alert",
      "category": ["vulnerability"],
      "type": ["finding"],
      "module": "flareinspect",
      "severity_name": "high",
      "dataset": "flareinspect.findings"
    },
    "host": { "name": "x.test" },
    "url": { "full": "https://x.test/" },
    "cloud": { "account": { "id": "acct-1", "name": "Acme" } },
    "status": "failed",
    "remediable": true,
    "flareinspect": {
      "assessment_id": "ast-2026-05-30-...",
      "node": { "id": "dns:z1:r1", "type": "dns_record" },
      "attack_path_ids": ["ap:exposed-origin:dns:z1:r1"],
      "remediable": true,
      "rule_kind": "exposed-origin"
    },
    "threat": {
      "enrichments": [
        { "indicator": { "type": "attack-path" },
          "attack_path": {
            "id": "ap:exposed-origin:dns:z1:r1",
            "kind": "exposed-origin",
            "severity": "high",
            "hop_count": 2,
            "entry_node_id": "internet",
            "target_node_id": "origin:203.0.113.1",
            "nodes": ["internet", "dns:z1:r1", "origin:203.0.113.1"],
            "explanation": "DNS record a.x.test (A) is not proxied and resolves to 203.0.113.1 — origin is directly reachable from the Internet."
          }
        }
      ]
    }
  }
}
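The wire protocol from 13.2.1 and the envelope from 13.2.2, as an added example that is not FlareInspect's own shipper code: build_envelope wraps a finding in the HEC envelope, hec_poster sends it to {hecUrl}/services/collector/event with the Splunk auth header, and ship accumulates per-event errors instead of raising so one rejected event does not stop the batch. Assumptions for illustration: the finding key names in SAMPLE_FINDING (the page does not show the assessment.json schema), that each envelope goes out in its own request so a 4xx can be attributed to a single event, and that the token is read from the HEC_TOKEN environment variable rather than written into the code. Without HEC_TOKEN set, the script behaves like --dry-run.

```python
import json
import os
import time
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

SOURCETYPE = "cloudflare:flareinspect:finding"

# Constructed sample finding. The key names are an assumption for this
# example, not FlareInspect's assessment.json schema.
SAMPLE_FINDING = {
    "rule_id": "CFL-INSIGHT-005", "rule_kind": "exposed-origin",
    "zone": "x.test", "hostname": "a.x.test",
    "classification": "EXPOSURE", "severity": "high", "score": 7.5,
    "status": "failed", "remediable": True,
    "assessment_id": "ast-2026-05-30-EXAMPLE",
    "node": {"id": "dns:z1:r1", "type": "dns_record"},
    "attack_path_ids": ["ap:exposed-origin:dns:z1:r1"],
}


def build_envelope(finding: dict, index: str = "main",
                   now: Optional[float] = None) -> dict:
    """Wrap one finding in the HEC envelope shown in 13.2.2."""
    return {
        "time": now if now is not None else round(time.time(), 3),
        "host": "flareinspect",
        "source": "flareinspect",
        "sourcetype": SOURCETYPE,
        "index": index,
        "event": {
            "vulnerability": {
                "id": f"{finding['rule_id']}::{finding['zone']}::{finding['hostname']}",
                "classification": finding["classification"],
                "severity": finding["severity"],
                "score": {"base": finding["score"]},
            },
            "event": {
                "kind": "alert", "category": ["vulnerability"], "type": ["finding"],
                "module": "flareinspect", "severity_name": finding["severity"],
                "dataset": "flareinspect.findings",
            },
            "host": {"name": finding["zone"]},
            "url": {"full": f"https://{finding['zone']}/"},
            "status": finding["status"],
            "remediable": finding["remediable"],
            "flareinspect": {
                "assessment_id": finding["assessment_id"],
                "node": finding["node"],
                "attack_path_ids": finding["attack_path_ids"],
                "remediable": finding["remediable"],
                "rule_kind": finding["rule_kind"],
            },
        },
    }


# A poster takes the request body and returns (HTTP status, response text).
Poster = Callable[[bytes], Tuple[int, str]]


def hec_poster(hec_url: str, token: str) -> Poster:
    """Live transport: POST {hecUrl}/services/collector/event, Authorization: Splunk <token>."""
    endpoint = hec_url.rstrip("/") + "/services/collector/event"

    def post(body: bytes) -> Tuple[int, str]:
        req = urllib.request.Request(
            endpoint, data=body, method="POST",
            headers={"Authorization": f"Splunk {token}",
                     "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:  # 4xx/5xx: report it, do not raise
            return err.code, err.read().decode()
    return post


def dry_run_poster(body: bytes) -> Tuple[int, str]:
    """--dry-run equivalent: show the envelope and pretend HEC accepted it."""
    print(body.decode().rstrip())
    return 200, '{"text":"Success","code":0}'


def ship(envelopes: List[dict], post: Poster) -> dict:
    """Post each envelope as one JSON line; failures are collected, not thrown,
    so a single 4xx does not abort the rest of the batch."""
    sent, errors = 0, []
    for i, env in enumerate(envelopes):
        status, text = post((json.dumps(env) + "\n").encode())
        if 200 <= status < 300:
            sent += 1
        else:
            errors.append({"index": i, "id": env["event"]["vulnerability"]["id"],
                           "status": status, "body": text})
    return {"ok": not errors, "count": len(envelopes), "sent": sent, "errors": errors}


if __name__ == "__main__":  # live if HEC_TOKEN is set, otherwise a dry run
    token = os.environ.get("HEC_TOKEN")
    post = hec_poster(os.environ["HEC_URL"], token) if token else dry_run_poster
    print(json.dumps(ship([build_envelope(SAMPLE_FINDING)], post), indent=2))
```

The returned summary (ok, count, sent, errors) mirrors the fields the Web API response in 13.2.4 reports; because the result records which event index and vulnerability.id HEC rejected, a failed batch can be re-shipped selectively instead of being replayed whole.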
13.2.3. CLI
# Dry-run
flareinspect ship -i assessment.json --target splunk \
--hec-url https://splunk.example.com:8088 \
--hec-token $HEC_TOKEN --dry-run
# Live ship
flareinspect ship -i assessment.json --target splunk \
--hec-url https://splunk.example.com:8088 \
--hec-token $HEC_TOKEN
# Override the default 'main' index
flareinspect ship -i assessment.json --target splunk \
--hec-url ... --hec-token ... --splunk-index flare
See ship Command for the full flag table and env-var fallbacks.
13.2.4. Web API
curl -X POST http://localhost:3000/api/integrations/ship \
-H "X-API-Key: $FLAREINSPECT_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"target": "splunk",
"hecUrl": "https://splunk.example.com:8088",
"hecToken": "...",
"assessment": { ... }
}'
The response body includes ok, count, sent (number of
events actually accepted by HEC), and the upstream Splunk
ackId.
13.2.5. Packaged Technology Add-on (TA)
integrations/splunk/TA-flareinspect/ is a minimal Splunk TA that:
- Declares the cloudflare:flareinspect:finding sourcetype and extracts it via KV_MODE = json.
- Defines field renames (transforms.conf) so the JSON envelope fields land on the standard vulnerability.* namespace (CIM-aligned).
- Ships 2 saved searches (FlareInspect — critical open and FlareInspect — high attack paths).
- Ships 1 SimpleXML dashboard (FlareInspect overview) with a severity bar, a top-attack-paths pie, and a recent-findings table.
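KV_MODE = json decides the field names that the TA's renames and saved searches have to reference, and the {} suffix Splunk appends for array levels is easy to get wrong in a transforms.conf stanza. As an added example (not part of TA-flareinspect or FlareInspect), the code below flattens the event payload from 13.2.2 into the names Splunk's JSON auto-extraction produces, applies a few aliases in the spirit of the TA's renames (the alias targets are assumptions, not the add-on's actual transforms.conf), and runs a filter that mirrors what a "high attack paths" search would select (the bundled search's SPL is not shown on this page). The sample event is a constructed copy of the envelope above.

```python
from collections import defaultdict
from typing import Any, Dict, List

# Constructed copy of the `event` payload from the envelope in 13.2.2.
SAMPLE_EVENT = {
    "vulnerability": {"id": "CFL-INSIGHT-005::x.test::a.x.test",
                      "classification": "EXPOSURE", "severity": "high",
                      "score": {"base": 7.5}},
    "event": {"kind": "alert", "category": ["vulnerability"], "type": ["finding"],
              "module": "flareinspect", "severity_name": "high",
              "dataset": "flareinspect.findings"},
    "host": {"name": "x.test"},
    "status": "failed",
    "flareinspect": {"rule_kind": "exposed-origin",
                     "attack_path_ids": ["ap:exposed-origin:dns:z1:r1"]},
    "threat": {"enrichments": [
        {"indicator": {"type": "attack-path"},
         "attack_path": {"id": "ap:exposed-origin:dns:z1:r1", "severity": "high",
                         "hop_count": 2,
                         "nodes": ["internet", "dns:z1:r1", "origin:203.0.113.1"]}}]},
}


def splunk_fields(obj: Any, prefix: str = "",
                  out: Dict[str, List[Any]] = None) -> Dict[str, List[Any]]:
    """Flatten nested JSON into the field names KV_MODE = json extracts:
    object keys are joined with '.', each array level appends '{}', and a name
    that collects several values becomes a multivalue field (a list here)."""
    if out is None:
        out = defaultdict(list)
    if isinstance(obj, dict):
        for key, val in obj.items():
            splunk_fields(val, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(obj, list):
        for val in obj:
            splunk_fields(val, prefix + "{}", out)
    else:
        out[prefix].append(obj)
    return dict(out)


# Illustrative aliases in the spirit of the TA's transforms.conf renames.
# The target names are assumptions, not the add-on's real configuration.
ALIASES = {
    "vulnerability.severity": "severity",
    "flareinspect.rule_kind": "vulnerability.category",
    "host.name": "dest",
}


def apply_aliases(fields: Dict[str, List[Any]]) -> Dict[str, List[Any]]:
    """Copy each source field to its alias so a search can use either name."""
    aliased = dict(fields)
    for src, dst in ALIASES.items():
        if src in fields:
            aliased[dst] = fields[src]
    return aliased


def high_attack_path_findings(events: List[dict]) -> List[str]:
    """Mirror a 'high attack paths' search: severity=high findings that carry
    an attack-path enrichment. Returns the matching vulnerability.id values."""
    hits = []
    for ev in events:
        f = apply_aliases(splunk_fields(ev))
        if (f.get("severity") == ["high"]
                and "attack-path" in f.get("threat.enrichments{}.indicator.type", [])):
            hits.append(f["vulnerability.id"][0])
    return hits


if __name__ == "__main__":
    for name, values in sorted(splunk_fields(SAMPLE_EVENT).items()):
        print(f"{name} = {values}")
    print("high attack paths:", high_attack_path_findings([SAMPLE_EVENT]))
```

Running it lists names such as event.category{} and threat.enrichments{}.attack_path.nodes{}; those are the exact strings a FIELDALIAS or rename in the TA must use, and a typo there silently leaves the CIM field empty rather than raising an error in Splunk.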
Install:
cp -R integrations/splunk/TA-flareinspect $SPLUNK_HOME/etc/apps/
# …or package and install via the Splunk UI / deployer
HEC configuration (Splunk UI):
- Settings → Data → HTTP Event Collector → New Token
- Index: main (or the index you’ll use)
- Source type override: cloudflare:flareinspect:finding
- Default index: main (or override per ship with --splunk-index)
13.2.6. Next steps
- Elasticsearch — the Elasticsearch equivalent
- ship Command — the ship CLI reference
- integrations/splunk/README.md — the integration’s own README