---
title: Splunk
description: Capture events from Splunk and overlay them onto key metrics graphs.
---

# Splunk
Integration version 1.0.0
{% callout %}
# Important note for users on the following Datadog sites: us2.ddog-gov.com

{% alert level="info" %}
To find out if this integration is available in your organization, see your [Datadog Integrations](https://app.datadoghq.com/integrations) page or ask your organization administrator.

To initiate an exception request to enable this integration for your organization, email [support@ddog-gov.com](mailto:support@ddog-gov.com).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Connect your Splunk log monitoring to Datadog to:

- Get notified of your reports.
- Correlate these reports with your other metrics.
- Collaborate with your team on those events.

## Setup{% #setup %}

### Installation{% #installation %}

To receive your reports from Splunk in Datadog, install the `datadog` Python library on your Splunk server:

```bash
pip install datadog
```

Once that is done, [get your API key and an application key](https://app.datadoghq.com/organization-settings/api-keys) and drop the following `dog-splunk.sh` script into `$SPLUNK_HOME/bin/scripts`:

```bash
#!/bin/bash
# Replace the placeholders with your Datadog API and application keys.
export API_KEY=YOURAPIKEYHERE
export APP_KEY=YOURAPPKEYHERE

# Post an event: the title, then the message body as a single argument.
dog --api-key "$API_KEY" --application-key "$APP_KEY" event post \
"Found $SPLUNK_ARG_1 events in splunk" \
"Matching $SPLUNK_ARG_2 based on $SPLUNK_ARG_5, from report $SPLUNK_ARG_4. More details at $SPLUNK_ARG_6." \
 --aggregation_key $SPLUNK_ARG_3 --type splunk
```

Make sure the script is executable and owned by the `splunk` user and group.

Once the script is in place, create a new report or navigate to an existing report. Click **Edit Schedule** and check the checkbox to **Schedule the Report**. When you get to the option to **Run a Script**, enter `dog-splunk.sh` in the Filename textbox. Click **Save** and you should see the results start appearing in your Event Stream.

## Troubleshooting{% #troubleshooting %}

If you see an error code on each run of `runshellscript` in `splunkd.log`, try adding `> dog_splunk_trace.txt 2>&1` to the end of the last command. This creates a `$SPLUNK_HOME/etc/apps/search/bin/dog_splunk_trace.txt` file, which provides more detail about the problem.

If the trace file has something like the usage help for the `dog` command followed by `dog: error: unrecognized arguments: OR failed OR severe`, add single quotes around `\$SPLUNK_ARG_3` on the last line.

If the trace file includes a Traceback that ends with `pkg_resources.DistributionNotFound` or something similar, add three `unset`s to the top of your `dog-splunk.sh` script:

```bash
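#!/bin/bash
# Clear Python and linker settings inherited from the calling environment.
unset PYTHONHOME
unset PYTHONPATH
unset LD_LIBRARY_PATH
# Replace the placeholders with your Datadog API and application keys.
export API_KEY=YOURAPIKEYHERE
export APP_KEY=YOURAPPKEYHERE

# Post an event: the title, then the message body as a single argument.
dog --api-key "$API_KEY" --application-key "$APP_KEY" event post \
"Found $SPLUNK_ARG_1 events in splunk" \
"Matching $SPLUNK_ARG_2 based on $SPLUNK_ARG_5, from report $SPLUNK_ARG_4. More details at $SPLUNK_ARG_6." \
 --aggregation_key $SPLUNK_ARG_3 --type splunk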
```
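
A hardened variant of `dog-splunk.sh`, added here as an example and not Datadog's own script: it loads the keys from an owner-only file instead of hard-coding them, and double-quotes every Splunk value so a query such as `error OR failed OR severe` reaches `dog` as one argument. `KEY_FILE` and `DOG_BIN` are hypothetical names, and the key file is assumed to hold one `API_KEY=...` line and one `APP_KEY=...` line.

```bash
#!/bin/bash
# Added example, not Datadog's script. KEY_FILE and DOG_BIN are hypothetical
# names; the SPLUNK_ARG_* variables are set by Splunk when it runs the script.
KEY_FILE="${KEY_FILE:-$SPLUNK_HOME/etc/dog-splunk.keys}"   # assumed location
DOG_BIN="${DOG_BIN:-dog}"

# Load API_KEY and APP_KEY from a file instead of hard-coding them here.
# Assumed file format: two lines, API_KEY=... and APP_KEY=...
load_keys() {
    if [ ! -f "$1" ] || [ -L "$1" ]; then
        echo "dog-splunk: key file $1 is missing or a symlink" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "dog-splunk: $1 must not be accessible to group or other" >&2
        return 1
    fi
    . "$1"    # pass a path containing a slash so PATH is never searched
    [ -n "$API_KEY" ] && [ -n "$APP_KEY" ]
}

# Double quotes keep each Splunk value as exactly one argument, so spaces,
# OR keywords and glob characters in the query cannot spill into extra ones.
post_event() {
    "$DOG_BIN" --api-key "$API_KEY" --application-key "$APP_KEY" event post \
        "Found $SPLUNK_ARG_1 events in splunk" \
        "Matching $SPLUNK_ARG_2 based on $SPLUNK_ARG_5, from report $SPLUNK_ARG_4. More details at $SPLUNK_ARG_6." \
        --aggregation_key "$SPLUNK_ARG_3" --type splunk
}

# Only post when Splunk supplied its arguments.
if [ -n "${SPLUNK_ARG_1:-}" ]; then
    load_keys "$KEY_FILE" && post_event
fi
```

Create the key file with `chmod 600` and ownership by the `splunk` user so that the script, which must stay executable, no longer contains the keys.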

## Further Reading{% #further-reading %}

- [Correlate metrics and logs with Datadog and Splunk](https://www.datadoghq.com/blog/integrate-splunk-datadog-put-microscope-application-monitoring/)
