Stream Policy Gateway policy events to Splunk via HTTP Event Collector.

Configure

In the console, add a connector with:
| Field | Value |
| --- | --- |
| Type | Splunk HEC |
| URL | https://<splunk-host>:8088/services/collector/event |
| Token | Your HEC token |
| Index | e.g. ai_audit |
| Source type | _json |

Event shape

Events are sent as HEC-formatted JSON:
{
  "time": 1745179800,
  "sourcetype": "_json",
  "index": "ai_audit",
  "event": {
    "event_id": "3d14a2b8-...",
    "event_type": "enforcement",
    "policy_id": "support-bot",
    "decision": "refuse",
    "effective_decision": "allow",
    "enforced": false,
    "rollout_mode": "shadow",
    "reason_code": "REFUSE",
    "triggered_categories": [],
    "denylist_hits": ["competitor-x"],
    "policy_target": "chat.completions",
    "project_id": "proj_support_bot",
    "model": "abliterated-model"
  }
}
See the full field list in connectors.
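
An added example (not part of the gateway's documentation or code) that reads a body of HEC envelopes in the shape above and lists events whose `decision` differs from `effective_decision`, as in the shadow-mode sample. It assumes `decision` is the policy verdict and `effective_decision` the outcome actually applied; the sample batch and the `enforce` mode value are constructed.

```python
import json
from collections import Counter


def _envelope(**event):
    # HEC envelope as shown on this page, wrapped around one event.
    return json.dumps({"time": 1745179800, "sourcetype": "_json",
                       "index": "ai_audit", "event": event})


# Constructed sample: three envelopes back to back in one body, the form HEC
# accepts for batches. Values are made up; "enforce" is a placeholder mode.
SAMPLE_BODY = "\n".join([
    _envelope(event_type="enforcement", policy_id="support-bot",
              decision="refuse", effective_decision="allow", enforced=False,
              rollout_mode="shadow", denylist_hits=["competitor-x"]),
    _envelope(event_type="enforcement", policy_id="support-bot",
              decision="refuse", effective_decision="refuse", enforced=True,
              rollout_mode="enforce", denylist_hits=["competitor-x"]),
    _envelope(event_type="enforcement", policy_id="support-bot",
              decision="allow", effective_decision="allow", enforced=True,
              rollout_mode="enforce", denylist_hits=[]),
])


def iter_hec_events(body):
    """Yield the inner event of each envelope in a concatenated-JSON body."""
    decoder, pos = json.JSONDecoder(), 0
    while pos < len(body):
        if body[pos].isspace():          # raw_decode rejects leading whitespace
            pos += 1
            continue
        envelope, pos = decoder.raw_decode(body, pos)
        yield envelope["event"]


def unenforced(body):
    """Events whose verdict was not applied (assumed meaning of the fields)."""
    return [e for e in iter_hec_events(body)
            if e.get("event_type") == "enforcement"
            and e.get("decision") != e.get("effective_decision")]


def summarize(body):
    """Count unenforced verdicts per (policy_id, rollout_mode, decision)."""
    return Counter((e["policy_id"], e["rollout_mode"], e["decision"])
                   for e in unenforced(body))


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_BODY).items():
        print(count, *key)
```

A non-empty summary for a policy still in shadow mode shows which refusals would start blocking traffic once enforcement is turned on.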

Verify

index=ai_audit sourcetype=_json
| stats count by decision, reason_code

Troubleshooting

  • 403 Forbidden — HEC token lacks write access to the index.
  • Batches stuck — HEC endpoint not reachable from abliteration.ai. Allowlist the egress IPs shown in the console.