Splunk
SIEM · Forwarding since 12 Apr 2026
Forwarding
Forwards every normalised AI event to the Acme SOC's Splunk index. The payload is the same as in the in-platform Logs view, mapped to OCSF 1.1.0. The HEC endpoint is customer-controlled and the HEC token never leaves the customer tenant.
Status
Healthy
No errors in last 7d
Last forward
8s ago
Forwarded (24h)
2,108
Connection
- Endpoint
- https://acme.splunkcloud.com:8088/services/collector/event
- Index / workspace
- acme-prod-ai
- Sourcetype
- isochronic:event
- Format
- OCSF 1.1.0
Forwarding rules
- All policy_outcome events
- All data_access events where data_class ∈ {PII, HR, financial}
- All oauth_grant events
- All config_change events
- usage events: aggregate hourly (not per-event)
- tool_call events: only outcome ≠ allowed
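The six forwarding rules above, as an added Python filter (example code, not Isochronic's own). The event field names `event_type`, `data_class`, `outcome`, `ts` and `seq`, and the sample events, are assumptions; only the index, sourcetype and HEC envelope keys come from this page.

```python
# Added example (not Isochronic's code): apply the dashboard's forwarding rules
# before events are POSTed to the HEC endpoint. The field names event_type,
# data_class, outcome, ts, seq and the sample events are constructed.
SENSITIVE_CLASSES = {"PII", "HR", "financial"}
ALWAYS_FORWARD = {"policy_outcome", "oauth_grant", "config_change"}
INDEX, SOURCETYPE = "acme-prod-ai", "isochronic:event"

def should_forward(event):
    """Per-event rules: True if this event is sent to Splunk on its own."""
    kind = event["event_type"]
    if kind in ALWAYS_FORWARD:
        return True
    if kind == "data_access":
        return event.get("data_class") in SENSITIVE_CLASSES
    if kind == "tool_call":
        return event.get("outcome") != "allowed"  # allowed calls are dropped
    return False  # usage events are aggregated, never sent one by one

def aggregate_usage(events):
    """Count usage events per UTC hour, keyed by the hour's epoch start."""
    buckets = {}
    for e in events:
        if e["event_type"] == "usage":
            hour = e["ts"] // 3600 * 3600
            buckets[hour] = buckets.get(hour, 0) + 1
    return buckets

def to_hec(event):
    """Wrap one record in the Splunk HEC /services/collector/event envelope."""
    return {"time": event["ts"], "index": INDEX, "sourcetype": SOURCETYPE, "event": event}

def build_batch(events):
    """Everything one flush would POST: filtered events plus hourly usage rows."""
    batch = [to_hec(e) for e in events if should_forward(e)]
    for hour, count in sorted(aggregate_usage(events).items()):
        batch.append(to_hec({"event_type": "usage_hourly", "ts": hour, "count": count}))
    return batch

# Constructed sample traffic; seq numbers mirror the "Recent forwards" list above.
SAMPLE_EVENTS = [
    {"event_type": "policy_outcome", "ts": 1776000181, "outcome": "denied", "seq": 481204},
    {"event_type": "data_access", "ts": 1775999922, "data_class": "HR", "seq": 481203},
    {"event_type": "data_access", "ts": 1775999900, "data_class": "public", "seq": 481199},
    {"event_type": "tool_call", "ts": 1775999800, "outcome": "allowed", "seq": 481198},
    {"event_type": "tool_call", "ts": 1775999700, "outcome": "denied", "seq": 481197},
    {"event_type": "usage", "ts": 1775999600},
    {"event_type": "usage", "ts": 1775999500},
    {"event_type": "usage", "ts": 1775996000},
]
```

Running `build_batch(SAMPLE_EVENTS)` yields three per-event envelopes (the denied spawn, the HR read, the denied tool call) plus two hourly usage rows; the public read and the allowed tool call are dropped.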
Where these events land
- SOC Splunk Search (every Isochronic event)
- Splunk alerts on policy_outcome=denied
Recent forwards
- 14:23:01 · policy_outcome · subagent.spawn · denied · seq 481204
- 14:18:42 · data_access · document.read · HR · seq 481203
- 14:11:09 · config_change · copilot.seat.active · seq 481202
- 14:08:14 · oauth_grant · consumer ChatGPT · seq 481201
Errors (last 7d)
None. The destination has acknowledged every batch.