This feature is in beta. Help us shape it.
Connect Splunk to give Tero context and enable actions directly in your instance.

Connect

1. Run tero

Open your terminal and run:
tero
This opens the Tero TUI, which guides you through setup.
Don’t have the CLI installed? See the quickstart.
2. Log in to Tero

The TUI opens your browser to create an account or log in. Complete the flow in your browser, then confirm the code shown in your terminal. The TUI logs you in automatically.
3. Select Splunk

The TUI asks which integration you want to connect. Select Splunk.
4. Enter your Splunk URL

Enter your Splunk instance URL. For Splunk Cloud, this is your-instance.splunkcloud.com. For Splunk Enterprise, it’s your self-hosted URL.
5. Create an authentication token

The TUI asks for an authentication token. Splunk uses this to authenticate API requests.

In Splunk, go to Settings → Tokens. Click New Token, select a user with the appropriate role (see Permissions), and set an expiration. Copy the token and paste it into the TUI.
6. Done

Tero validates your credentials and starts analyzing your environment. You’ll see a progress bar — analysis usually takes a couple of minutes, even with billions of logs.

Once it’s done, you’re ready to ask your first question.

Context

When you connect Splunk, Tero adds to your context graph. Your logs and services become connected and understood.

Actions

With write access, Tero can take action directly in Splunk:
[Image: Tero configuring Splunk]
These are Splunk-specific. You can always take action other ways — deploy policies to your infrastructure with Edge, adjust instrumentation in your code, or configure Splunk manually. See Taking action for all options.

Permissions

Splunk uses capabilities to control access. Create a role with the capabilities Tero needs, or use an existing role.

| Role | What it gives Tero |
| --- | --- |
| admin | Full context and actions |
| power | Context only — you take action elsewhere |
| Custom | You decide — see below |

Custom role capabilities

Create a custom role if you need fine-grained control.

| Capability | What Tero can do |
| --- | --- |
| search | Search your logs |
| list_inputs | List data inputs |
| get_metadata | Read index metadata |

| Capability | What Tero can do |
| --- | --- |
| list_ingest_rulesets | View ingest action rulesets |
| edit_ingest_rulesets | Create and modify rulesets |

Start minimal and add capabilities later. Update the token’s role in Splunk and Tero picks up the changes automatically.
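
A check you can run before pasting a token into the TUI, added here as an example (not Tero's or Splunk's own code): it compares the capabilities a token actually carries with the ones listed in the tables above. The sample JSON is constructed and assumes the shape of Splunk's `authentication/current-context` REST response with `output_mode=json`; `svc_tero` and `tero_context` are hypothetical names.

```python
import json

# Capability names come from the tables above, split into the page's
# "context" tier and "actions" tier.
CONTEXT_CAPS = {"search", "list_inputs", "get_metadata"}
ACTION_CAPS = {"list_ingest_rulesets", "edit_ingest_rulesets"}

# Constructed sample, shaped like the JSON returned by
# GET /services/authentication/current-context?output_mode=json
# (assumed shape: entry[0].content.username / roles / capabilities).
SAMPLE_CONTEXT = json.dumps({
    "entry": [{
        "content": {
            "username": "svc_tero",        # hypothetical service account
            "roles": ["tero_context"],     # hypothetical custom role
            "capabilities": [
                "search", "list_inputs", "get_metadata",
                "edit_user",               # constructed excess capability
            ],
        }
    }]
})


def audit_token_context(raw_json, allow_actions=False):
    """Compare a token's effective capabilities with the page's lists."""
    entries = json.loads(raw_json).get("entry") or []
    if not entries:
        raise ValueError("no entry in current-context response")
    content = entries[0].get("content", {})
    granted = set(content.get("capabilities", []))
    wanted = CONTEXT_CAPS | (ACTION_CAPS if allow_actions else set())
    return {
        "username": content.get("username"),
        "roles": sorted(content.get("roles", [])),
        "missing": sorted(wanted - granted),  # listed capabilities not granted
        "excess": sorted(granted - wanted),   # candidates to remove from the role
        "least_privilege": granted == wanted,
    }


if __name__ == "__main__":
    # Context-only audit of the constructed sample.
    for key, value in audit_token_context(SAMPLE_CONTEXT).items():
        print(f"{key}: {value}")
```

A role that inherits from another role will show a longer excess list, because inherited capabilities count as granted.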