
Receiving Alerts in Splunk

1. First, note the hostname of your Splunk Cloud instance; it is needed later when configuring Kaduu to send alerts to Splunk. Your hostname will differ from the one shown in the screenshot!

2. Go to "Settings" → "Data Inputs"


3. Add a new HTTP Event Collector by clicking the "Add New" link


4. Put any name for that collector and hit "Next"


5. Set "Source Type" as "Automatic"

6. Select any index as the default; all Kaduu events will be stored there

7. Hit "Review"


8. Check that all settings are correct on the Review page and hit "Next". Splunk will report "Token has been created successfully" and show you a token. Copy it and store it somewhere safe; it is needed later when configuring Kaduu.


9. Go to "Settings" → "Source types"


10. Click the green "New Source Type" button on the right


11. Name the source type “Kaduu”, make sure “Destination app” is set to “Search & Reporting”, choose “json” under “Indexed extractions”, then click the “Advanced” tab


12. On the Advanced tab you have to add 4 new entries (click “New setting” link below the list each time):

  • BREAK_ONLY_BEFORE, value: (\{|\[\s+{)
  • LINE_BREAKER, value: (\{|\[\s+{)
  • MUST_BREAK_AFTER, value: (\}|\}\s+\])
  • TIME_PREFIX, value: \"createdAt\":\"

13. Then go back to the main menu: "Settings" → "Data inputs" → "HTTP Event Collector" → the collector created earlier → "Edit". You will see this form. Set “Set Source Type” to “Entered sourcetype” and enter “Kaduu” in the “Source type” dropdown. Leave the other fields unchanged and hit "Save".


14. Configure your Kaduu account to send alerts over HTTP

15. Enter the webhook URL in this form: https://<host>.splunkcloud.com:8088/services/collector/raw?token=<token>, where <host> is the hostname of your Splunk instance and <token> is the token you copied in step 8


16. Hit "Save" and wait for new alert events to arrive in your Splunk instance

17. Warning! If you are not using Splunk Cloud (that is, your Splunk URL does not contain splunkcloud.com), make sure query string authentication is enabled for the HEC token in your Splunk settings; otherwise the ?token= parameter in the webhook URL will be rejected.
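Before pointing Kaduu at the collector, it is worth sending a constructed batch to the raw endpoint yourself and checking that the sourcetype regexes from step 12 would actually match it. The following script is an added example, not code from this page or from Kaduu or Splunk: the alert field names other than createdAt are placeholders, and it sends the token in the Authorization header (which HEC also accepts) rather than in the query string, so the secret does not end up in URL or proxy logs.

```python
import json
import re
import urllib.request

# Regexes copied from the sourcetype settings in step 12 of this page.
TIME_PREFIX = re.compile(r'"createdAt":"')
LINE_BREAKER = re.compile(r"(\{|\[\s+{)")

# Constructed sample alerts. Only "createdAt" is fixed by the page; the other
# field names are placeholders, not Kaduu's real schema.
SAMPLE_ALERTS = [
    {"createdAt": "2023-05-22T20:40:00Z", "kind": "credential-leak", "asset": "example.com"},
    {"createdAt": "2023-05-22T20:41:00Z", "kind": "phishing-domain", "asset": "example.org"},
]


def hec_raw_url(host: str) -> str:
    """Raw-endpoint URL from step 15, without the token in the query string."""
    return f"https://{host}.splunkcloud.com:8088/services/collector/raw"


def serialize_batch(alerts: list[dict]) -> str:
    """Serialize compactly so the literal '"createdAt":"' appears in the payload.
    json.dumps' default ', ' / ': ' separators would put a space after the colon
    and TIME_PREFIX from step 12 would never match, so Splunk would fall back to
    index time for every event."""
    return json.dumps(alerts, separators=(",", ":"))


def timestamp_prefix_hits(payload: str) -> int:
    """Number of events for which TIME_PREFIX finds a timestamp anchor."""
    return len(TIME_PREFIX.findall(payload))


def event_breaks(payload: str) -> int:
    """Number of event boundaries the LINE_BREAKER regex produces (one per object)."""
    return len(LINE_BREAKER.findall(payload))


def send_batch(host: str, token: str, alerts: list[dict]) -> int:
    """POST a batch to HEC with the token in the Authorization header; returns HTTP status."""
    req = urllib.request.Request(
        hec_raw_url(host),
        data=serialize_batch(alerts).encode(),
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Run `send_batch("<host>", "<token>", SAMPLE_ALERTS)` with your own values and then search the index chosen in step 6 for sourcetype=Kaduu; two events with _time taken from createdAt confirm the pipeline works end to end.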

splunk_integration.txt · Last modified: 2023/05/22 20:40 (external edit)