Skip to main content

Splunk Authentication Token



  • Documentation:
  • Summary: Splunk is a company providing data analysis software. This detector focuses on detecting tokens used to access Splunk's API.
  • IPs allowlist: It is not possible to set a specific IP allowlisting for a token. It will share the same allowlisting as the instance.
  • Scopes: Different scopes can be selected when creating a token, for example a token may grant access to only one server.

Revoke the secret

This can be done by the user who issued the token or an administrator.

Check for suspicious activity

Access logs are available on the Enterprise instance as described in the access logs documentation.

Details for Splunk token

  • Family: Api

  • Category: Monitoring

  • Company: Splunk

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 6.95

  • Prefixed: False

  • PreValidators:

- type: ContentWhitelistPreValidator
- splunk


- text: "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-C612A9654321'"
token: 851A5E58-4EF1-7291-F947-C612A9654321
- text: 'splunk-token=176fcebf-4cf5-4edf-91bc-728408560464'
token: 176fcebf-4cf5-4edf-91bc-728408560464
- text: |
some context with the word splunk somewhere
access_token: '08243c00-a31b-499d-9fae-763b41990326'"
token: 08243c00-a31b-499d-9fae-763b41990326
- text: -Dsplunk_token=D6BD1AD4-CB62-4D80-A637-593EE2B17391\
token: D6BD1AD4-CB62-4D80-A637-593EE2B17391

How can I help you ?