From 562629b59b07aafffba8570648a1b9504c312ece Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E1=B4=84=CA=9C=CA=80=C9=AAs=E1=B4=9B=E1=B4=8F=E1=B4=98?= =?UTF-8?q?=CA=9C=E1=B4=87=CA=80=20=E1=B4=8D?= Date: Thu, 19 Jun 2025 00:05:22 -0400 Subject: [PATCH 1/2] Update splunk.mdx --- .../get-started/enable-destinations/splunk.mdx | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/content/docs/logs/get-started/enable-destinations/splunk.mdx b/src/content/docs/logs/get-started/enable-destinations/splunk.mdx index dc3023f416149db..3908802b60a8c0e 100644 --- a/src/content/docs/logs/get-started/enable-destinations/splunk.mdx +++ b/src/content/docs/logs/get-started/enable-destinations/splunk.mdx @@ -10,7 +10,7 @@ head: import { Render } from "~/components"; -Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare dashboard or via API. +The [HTTP Event Collector (HEC)](https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/) is a reliable method to receive data from Splunk Enterprise or Splunk Cloud Platform. Cloudflare Logpush supports pushing logs directly to Splunk HEC via the Cloudflare dashboard or API. ## Manage via the Cloudflare dashboard 
@@ -19,13 +19,13 @@ Cloudflare Logpush supports pushing logs directly to Splunk via the Cloudflare d 5. In **Select a destination**, choose **Splunk**. 6. Enter or select the following destination information: - - **Splunk raw HTTP Event Collector URL** - - **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](http://guidgenerator.com/). - - **Auth Token** + - **Splunk HEC URL** + - **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](https://guidgenerator.com/). + - **Auth Token** - Event Collector token. - **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`. - **Use insecure skip verify option** (not recommended). -When you are done entering the destination details, select **Continue**. +When you are done entering the destination details, click **Continue**. 7. Select the dataset to push to the storage service. @@ -41,7 +41,7 @@ When you are done entering the destination details, select **Continue**. - Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs. - Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`. -10. Select **Submit** once you are done configuring your logpush job. +10. Click **Submit** once you are done configuring your logpush job. ## Manage via API 
@@ -64,10 +64,10 @@ To create a job, make a `POST` request to the Logpush jobs endpoint with the fol - **destination_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below. - **\**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`. - - Cloudflare expects the HEC network port to be configured to `:443` or `:8088`. + - Currently, HEC network port has to be configured to either `443` or `8088`. - Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job. - Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk. - - You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. Refer to [Send data to HTTP Event Collector on Splunk Cloud Platform](https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Send_data_to_HTTP_Event_Collector) for more details. + - You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname. - **\**: A unique channel ID. This is a random GUID that you can generate by: - Using an online tool like the [GUID generator](https://www.guidgenerator.com/). - Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`. From 4fbf86fe451e7ee210f325f7b68745197ad6892e Mon Sep 17 00:00:00 2001 
From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Mon, 23 Jun 2025 14:54:04 +0100 Subject: [PATCH 2/2] Apply suggestions from code review --- .../docs/logs/get-started/enable-destinations/splunk.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/content/docs/logs/get-started/enable-destinations/splunk.mdx b/src/content/docs/logs/get-started/enable-destinations/splunk.mdx index 3908802b60a8c0e..f1b880fe07d5ca9 100644 --- a/src/content/docs/logs/get-started/enable-destinations/splunk.mdx +++ b/src/content/docs/logs/get-started/enable-destinations/splunk.mdx @@ -25,7 +25,7 @@ The [HTTP Event Collector (HEC)](https://dev.splunk.com/enterprise/docs/devtools - **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`. - **Use insecure skip verify option** (not recommended). -When you are done entering the destination details, click **Continue**. +When you are done entering the destination details, select **Continue**. 7. Select the dataset to push to the storage service. @@ -41,7 +41,7 @@ When you are done entering the destination details, click **Continue**. - Select a [sampling rate](/logs/get-started/api-configuration/#sampling-rate) for your logs or push a randomly-sampled percentage of logs. - Enable redaction for `CVE-2021-44228`. This option will replace every occurrence of `${` with `x{`. -10. Click **Submit** once you are done configuring your logpush job. +10. Select **Submit** once you are done configuring your logpush job. ## Manage via API 
@@ -64,7 +64,6 @@ To create a job, make a `POST` request to the Logpush jobs endpoint with the fol - **destination_conf** - A log destination consisting of an endpoint URL, channel id, insecure-skip-verify flag, source type, authorization header in the string format below. - **\**: The Splunk raw HTTP Event Collector URL with port. For example: `splunk.cf-analytics.com:8088/services/collector/raw`. - - Currently, HEC network port has to be configured to either `443` or `8088`. - Cloudflare expects the Splunk endpoint to be `/services/collector/raw` while configuring and setting up the Logpush job. - Ensure you have enabled HEC in Splunk. Refer to [Splunk Analytics Integrations](/analytics/analytics-integrations/splunk/) for information on how to set up HEC in Splunk. - You may notice an API request failed with a 504 error, when adding an incorrect URL. Splunk Cloud endpoint URL usually contains `http-inputs-` or similar text before the hostname.
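Review bot: In PATCH 1/2, hunk `@@ -10,7 +10,7 @@`, the new opening sentence has the data direction backwards: "a reliable method to receive data from Splunk Enterprise or Splunk Cloud Platform" reads as data coming out of Splunk, while the next sentence says Logpush pushes logs to Splunk HEC. Suggest wording such as "is a way to send data to Splunk Enterprise or Splunk Cloud Platform". "Reliable" is not backed up by anything on the page and could be dropped.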
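Review bot: In PATCH 1/2, hunk `@@ -19,13 +19,13 @@`, renaming the field from "Splunk raw HTTP Event Collector URL" to "Splunk HEC URL" drops the only hint in the dashboard steps that the raw endpoint is required, while the API section still states that Cloudflare expects `/services/collector/raw`. Suggest keeping "raw" in the label or adding the expected path next to it. The Channel ID bullet in the same hunk still points only to a third-party site. The API section already offers `python -c 'import uuid; print(uuid.uuid4())'`, so mentioning that local option here would keep the two sections consistent.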
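Review bot: In PATCH 1/2, hunk `@@ -64,10 +64,10 @@`, the 504 bullet loses its link to "Send data to HTTP Event Collector on Splunk Cloud Platform", which leaves "`http-inputs-` or similar text" with no reference for what the correct Splunk Cloud URL looks like. Suggest keeping the link, or replacing it with a current one if the old target is dead, and saying so in the commit message. In the same hunk, "Currently, HEC network port has to be" is missing an article ("the HEC network port").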
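Review bot: In PATCH 2/2, hunks `@@ -25,7 +25,7 @@` and `@@ -41,7 +41,7 @@` only change "click" back to "select", undoing what PATCH 1/2 introduced for the **Continue** and **Submit** steps. Suggest squashing these into PATCH 1/2 so the series never carries the "click" wording. The surrounding context lines already use "Select", so the original wording was the consistent one.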
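Review bot: In PATCH 2/2, hunk `@@ -64,7 +64,6 @@`, the bullet stating that the HEC port must be `443` or `8088` is removed with no replacement, and the commit message ("Apply suggestions from code review") does not say whether the restriction was lifted or only the sentence was dropped. The example URL still uses `:8088`. If the restriction still applies, readers running HEC on another port get no warning before the job fails, so keep a statement of the accepted ports. If it no longer applies, say so in the commit message.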