# Splunk

> Connect Splunk to Rootly using the official Rootly Splunk app to forward saved search alerts, trigger on-call paging, and automate incident creation.

## Introduction

The Splunk integration connects Rootly with Splunk Enterprise or Splunk Cloud so teams can receive alerts from saved searches as Rootly alerts and trigger on-call paging directly from Splunk alert actions.

With the Splunk integration, you can:

* Forward Splunk saved search alerts to Rootly as alerts
* Page Rootly on-call targets directly from Splunk alert actions
* Use alert workflows to create incidents and automate follow-up actions from Splunk search results

## Before You Begin

Before setting up the integration, make sure you have:

* A Rootly account with permission to manage integrations and alert sources
* Splunk Enterprise or Splunk Cloud with admin access to install apps on search heads
* The integration URL or key from your Rootly Splunk alert source settings

<Callout icon="info" color="#DBEAFE">
  The Rootly Splunk app must be installed on your **search heads**. It does not need to be installed on indexers or forwarders.
</Callout>

## Installation

<Steps>
  <Step title="Create a Splunk alert source in Rootly" icon="plug">
    Navigate to **Settings > Alert Sources** in Rootly and create a new alert source. Select **Splunk** and give it a descriptive name.

    Copy the **integration URL** or **integration key** shown after saving — you will need this when configuring the Splunk app.
  </Step>

  <Step title="Install the Rootly app in Splunk" icon="download">
    Install the Rootly app from Splunkbase:

    [Rootly App on Splunkbase](https://splunkbase.splunk.com/app/7721)

    Install the app via **Splunk Web Admin** on your search heads.

    <Callout icon="triangle-exclamation" color="#FEF3C7">
      The app must be installed on search heads. Alerts in Splunk are triggered from search heads, so the Rootly alert action will not be available unless the app is installed there.
    </Callout>
  </Step>

  <Step title="Configure the Rootly app" icon="gear">
    After installation, configure the Rootly app using the integration URL or key from your Rootly alert source settings.

    <Callout icon="key" color="#DBEAFE">
      Use the full integration URL if prompted, or the integration key alone depending on the app version. Both are available from your Rootly Splunk alert source settings.
    </Callout>
  </Step>

  <Step title="Add the Rootly alert action to a saved search" icon="bell">
    In Splunk, open a saved search and navigate to its **Alert Actions**. Add the **Rootly** action and configure it to forward alerts when the search fires.

    <Callout icon="lightbulb" color="#DBEAFE">
      You can configure different saved searches to route to different Rootly on-call targets by using separate alert sources or by including notification target parameters in the action configuration.
    </Callout>
  </Step>
</Steps>

## How Alerts Are Mapped

Rootly extracts the following fields from each Splunk alert payload:

* **Summary** — the `search_name` field (the name of the saved search that fired)
* **External ID** — the `sid` (search ID), used to identify the alert
* **External URL** — the `results_link`, linking back to the Splunk search results
* **Started at** — the `result._time` field, parsed as a Unix timestamp

<Callout icon="tag" color="#DBEAFE">
  The Splunk `search_name` becomes the alert summary in Rootly. Use descriptive saved search names to make it easy to identify alerts in Rootly workflows and the alert feed.
</Callout>
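The field mapping above, written out as a small Python function; this is an added illustration, not Rootly's or the Splunk app's own code, and the payload it processes is a constructed sample shaped like Splunk's standard alert action JSON. It also reports which of the standard fields are absent, the situation described under "The search_name or results_link is missing" below.

```python
from datetime import datetime, timezone

# Constructed sample of a Splunk alert-action payload (not a real capture).
# The standard payload carries search_name, sid, results_link and a
# "result" dict holding the triggering row, including its _time.
SAMPLE_PAYLOAD = {
    "search_name": "High 5xx rate on api-gateway",
    "sid": "scheduler__admin__search__RMD5abcdef1234567890_at_1700000000_123",
    "results_link": "https://splunk.example.com/app/search/@go?sid=scheduler__admin__search__RMD5abcdef1234567890_at_1700000000_123",
    "result": {"_time": "1700000000.000", "host": "api-gw-01", "count": "57"},
}

# The three top-level fields Rootly reads for summary, external ID and external URL.
REQUIRED_FIELDS = ("search_name", "sid", "results_link")


def _parse_time(value):
    """Parse result._time (epoch seconds, possibly fractional, as str or number)
    into an aware UTC datetime. Returns None if absent or unparseable."""
    if value is None:
        return None
    try:
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    except (TypeError, ValueError):
        return None


def map_splunk_alert(payload):
    """Map a Splunk alert payload to the Rootly alert fields listed above.

    Returns summary, external_id, external_url, started_at (ISO 8601 UTC or
    None) plus a 'missing' list naming any standard field that was absent, so
    a misconfigured saved search is visible instead of silently producing a
    blank summary or link.
    """
    missing = [f for f in REQUIRED_FIELDS if not payload.get(f)]
    result = payload.get("result") or {}
    started = _parse_time(result.get("_time"))
    return {
        "summary": payload.get("search_name"),
        "external_id": payload.get("sid"),
        "external_url": payload.get("results_link"),
        "started_at": started.isoformat() if started else None,
        "missing": missing,
    }


if __name__ == "__main__":
    print(map_splunk_alert(SAMPLE_PAYLOAD))
```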

## Troubleshooting

<AccordionGroup>
  <Accordion title="The Rootly alert action is not appearing in Splunk saved search settings" icon="circle-exclamation">
    Confirm the Rootly app is installed on the search head where you are configuring the saved search. The alert action is only available on nodes where the app is installed.
  </Accordion>

  <Accordion title="Alerts are not appearing in Rootly after a saved search fires" icon="eye-slash">
    Verify that the integration URL or key configured in the Rootly app matches what is shown in your Rootly Splunk alert source settings. Check the Splunk alert action logs for delivery errors.
  </Accordion>

  <Accordion title="The search_name or results_link is missing from the Rootly alert" icon="file-circle-question">
    Rootly extracts these fields from the standard Splunk alert payload. Confirm the saved search is configured to include search results and metadata in the alert action payload.
  </Accordion>
</AccordionGroup>

## Uninstall

To remove the Splunk integration, open the integrations panel in Rootly and select **Configure > Delete**. You can also uninstall the Rootly app from Splunk Web Admin.
