# Example: How to use Splunk to audit S3

This example sets up a Splunk HTTP Event Collector (HEC) and configures Weka to send S3 audit events to it.

#### Step 1: Configure the HEC

Follow the steps in [Enable HTTP Event Collector on Splunk](https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UsetheHTTPEventCollector#Enable_HTTP_Event_Collector_on_Splunk_Enterprise). Since the S3 event stream is provided in JSON format, choose `_json` as the data source type.

#### Step 2: Create a token

Follow the steps in [Create an Event Collector token on Splunk](https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UsetheHTTPEventCollector#Create_an_Event_Collector_token_on_Splunk_Enterprise) to create a token that Weka will use to access Splunk as an HTTP webhook. You can create a new index or use an existing one, so that the audit events are easy to discover, monitor, and query.

Copy the created token for later use.

#### Step 3: Test the configuration

To validate the configuration, send a test event as suggested in the [JSON request and response](https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/UsetheHTTPEventCollector#JSON_request_and_response) section.

```
curl -k https://hec.example.com:8088/services/collector/raw -H "Authorization: Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0" -d '{"event": "hello world"}'
{"text": "Success", "code": 0}
```

Once completed, you can search the index you have created in Splunk and see this event.

#### Step 4: Configure the audit webhook in Weka

As a cluster admin, run the following CLI command to enable the audit webhook:

```
weka s3 cluster audit-webhook enable --endpoint=https://splunk-server:8088/services/collector/raw --auth-token='\"Splunk B5A79AAD-D822-46CC-80D1-819F80D7BFB0\"'
```
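
The Step 3 check can also be scripted. The script below is an added example, not part of the Weka or Splunk documentation. Unlike the `curl -k` test above, it leaves TLS certificate verification on and passes the token on stdin, so the token does not appear in the process list. `HEC_URL`, `HEC_TOKEN` and `HEC_CACERT` are assumed environment variable names, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: scripted version of the Step 3 HEC test.
# Assumed environment variables (not defined by Weka or Splunk):
#   HEC_URL    e.g. https://hec.example.com:8088/services/collector/raw
#   HEC_TOKEN  the token created in Step 2
#   HEC_CACERT optional path to the CA bundle that signed the HEC certificate

# Print the numeric "code" field of an HEC JSON reply (empty if absent).
hec_code() {
    printf '%s' "$1" |
        sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed only when the reply reports code 0 ("Success").
hec_ok() {
    [ "$(hec_code "$1")" = "0" ]
}

# Send one test event. No -k: curl verifies the server certificate.
# The Authorization header is read from stdin (-H @-, curl 7.55.0 or later)
# so the token stays out of the command line.
hec_send_test() {
    : "${HEC_URL:?set HEC_URL}" "${HEC_TOKEN:?set HEC_TOKEN}"
    printf 'Authorization: Splunk %s\n' "$HEC_TOKEN" |
        curl --silent --show-error --max-time 10 \
             ${HEC_CACERT:+--cacert "$HEC_CACERT"} \
             -H @- -d '{"event": "hello world"}' "$HEC_URL"
}

# Run the check only when the endpoint and token are provided.
if [ -n "${HEC_URL:-}" ] && [ -n "${HEC_TOKEN:-}" ]; then
    reply=$(hec_send_test) || { echo "HEC request failed" >&2; exit 1; }
    if hec_ok "$reply"; then
        echo "HEC accepted the test event"
    else
        echo "HEC rejected the test event: $reply" >&2
        exit 1
    fi
fi
```

A TLS failure here means the HEC certificate is not trusted by the CA bundle in use, which is the condition `-k` would have hidden.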
