Stream Policy Gateway policy events to Splunk via HTTP Event Collector.
In the console, add a connector with:
| Field | Value |
|---|
| Type | Splunk HEC |
| URL | https://<splunk-host>:8088/services/collector/event |
| Token | Your HEC token |
| Index | e.g. ai_audit |
| Source type | _json |
Event shape
Events are sent as HEC-formatted JSON:
{
"time": 1745179800,
"sourcetype": "_json",
"index": "ai_audit",
"event": {
"event_id": "3d14a2b8-...",
"event_type": "enforcement",
"policy_id": "support-bot",
"decision": "refuse",
"effective_decision": "allow",
"enforced": false,
"rollout_mode": "shadow",
"reason_code": "REFUSE",
"triggered_categories": [],
"denylist_hits": ["competitor-x"],
"policy_target": "chat.completions",
"project_id": "proj_support_bot",
"model": "abliterated-model"
}
}
Verify
index=ai_audit sourcetype=_json
| stats count by decision, reason_code
Troubleshooting
- 403 Forbidden — HEC token lacks write access to the index.
- Batches stuck — HEC endpoint not reachable from abliteration.ai. Allowlist the egress IPs shown in the console.
Last modified on April 21, 2026
