Splunk

The Splunk service lets your agent run SPL queries against your own log data during simulations. Upload a log file via the console, then your agent hits the usual Splunk REST endpoints.

Enable the service

.veris/veris.yaml


services:
  - name: splunk

Requests to *.splunkcloud.com are routed to the mock automatically via DNS interception. For self-hosted Splunk deployments, add your own hostnames under dns_aliases.

Provide your log data

Upload a log file via the Datasets section on your Environment page in the console. Select the splunk service, choose CSV or NDJSON as the format, and upload your file.

One dataset per service per environment.

Endpoints

Endpoint	Purpose
`POST /services/search/jobs`	Create a search job with an SPL query
`GET /services/search/jobs/{sid}/results`	Retrieve search results
`GET /services/search/jobs/{sid}/events`	Retrieve events
`GET /services/search/jobs/{sid}/summary`	Field summary statistics
`GET /services/search/jobs/{sid}/timeline`	Timeline buckets
`POST /services/collector/event`	HEC — ingest events
`GET /services/saved/searches`	List saved searches

All v2 equivalents (/services/search/v2/jobs/...) are also supported.

Services
Elasticsearch — the other log-shaped service
veris.yaml reference

Splunk

Enable the service

Provide your log data

Endpoints

Related docs