Re: Splunk Add-on for Stream

gitau_gm · ‎01-08-2026

In our Splunk cloud instance, we recently had Stream installed and we are testing on one of the servers. Getting a 401 error, that points to an authentication issue.

What is the correct position?

Do we create a HEC token for Stream or does the app have a preconfigured key?

marnall · ‎01-20-2026

According to the Splunk Stream for Cloud deployment architecture, you need a HEC token only if you are using a Independent Stream Forwarder (ISF). If the Stream Add-on for Stream Forwarders is installed on a universal or heavy forwarder, then the data is sent to the indexers via the Splunk2Splunk protocol. If you are receiving any logs from your server already, then your Splunk2Splunk data stream authentication is working.

If you are using the add-on on the universal forwarder, then it does request stream configurations from the search head and will likely need to authenticate these requests. Are your internal logs showing status:401 errors connecting to the /streams/ endpoint of your Splunk cloud tenant?

Ref: https://help.splunk.com/en/splunk-cloud-platform/collect-stream-data/install-and-configure-splunk-st...

Splunk Add-on for Stream

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation