From d4e0c4f090fcbe84820911e2f3470c681f8568cc Mon Sep 17 00:00:00 2001
From: Angela Costa <acosta@cloudflare.com>
Date: Fri, 31 Oct 2025 09:24:07 +0000
Subject: [PATCH 1/4] Fix format and clarify example

---
 .../logpush/logpush-job/enable-destinations/splunk.mdx | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
index f076d965bf3bcc4..af5eeb3b7010d60 100644
--- a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
+++ b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
@@ -69,12 +69,12 @@ To create a job, make a `POST` request to the Logpush jobs endpoint with the fol
     - Using the command line. For example: `python -c 'import uuid; print(uuid.uuid4())'`.
   - **\<INSECURE_SKIP_VERIFY>**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate.
 
-:::note
-Cloudflare highly recommends setting this value to <code class="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
-:::
+  :::note
+  Cloudflare highly recommends setting this value to <code class="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
+  :::
 
-- `<SOURCE_TYPE>`: The Splunk source type. For example: `cloudflare:json`.
-- `<SPLUNK_AUTH_TOKEN>`: The Splunk authorization token that is URL-encoded. For example: `Splunk%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d`.
+  - **\<SOURCE_TYPE>**: The Splunk source type. For example: `cloudflare:json`.
+  - **\<SPLUNK_AUTH_TOKEN>**: The Splunk authorization token that is URL-encoded and must be prefixed with the word `Splunk`. For example: `Splunk<%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d>`.
 
 ```bash
 "splunk://<SPLUNK_ENDPOINT_URL>?channel=<SPLUNK_CHANNEL_ID>&insecure-skip-verify=<INSECURE_SKIP_VERIFY>&sourcetype=<SOURCE_TYPE>&header_Authorization=<SPLUNK_AUTH_TOKEN>"

From e5f014fa5a7ac640b11cecb08cc6066a1174446c Mon Sep 17 00:00:00 2001
From: Angela Costa <acosta@cloudflare.com>
Date: Fri, 31 Oct 2025 09:29:06 +0000
Subject: [PATCH 2/4] Add example

---
 .../logs/logpush/logpush-job/enable-destinations/splunk.mdx     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
index af5eeb3b7010d60..6ec39d836f52db9 100644
--- a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
+++ b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
@@ -21,7 +21,7 @@ The [HTTP Event Collector (HEC)](https://dev.splunk.com/enterprise/docs/devtools
 5. Enter or select the following destination information:
    - **Splunk HEC URL**
    - **Channel ID** - This is a random GUID that you can generate using [guidgenerator.com](https://guidgenerator.com/).
-   - **Auth Token** - Event Collector token.
+   - **Auth Token** - Event Collector token prefixed with the word `Splunk`. For example: `Splunk 1234EXAMPLEKEY`.
    - **Source Type** - For example, `cloudflare:json`. If you are using the [Cloudflare App for Splunk](https://splunkbase.splunk.com/app/4501), refer to the appropriate source type for the corresponding datasets under the **Details** section. For instance, for Zero Trust Access requests logs, the source type is `cloudflare:access`.
    - **Use insecure skip verify option** (not recommended).
 

From 92b46baa8665b12181d68effb4876ceef90dcb0f Mon Sep 17 00:00:00 2001
From: angelampcosta <92738954+angelampcosta@users.noreply.github.com>
Date: Fri, 31 Oct 2025 11:37:30 +0000
Subject: [PATCH 3/4] Update
 src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx

Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
---
 .../logs/logpush/logpush-job/enable-destinations/splunk.mdx     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
index 6ec39d836f52db9..ba202e257c45162 100644
--- a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
+++ b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
@@ -70,7 +70,7 @@ To create a job, make a `POST` request to the Logpush jobs endpoint with the fol
   - **\<INSECURE_SKIP_VERIFY>**: Boolean value. Cloudflare recommends setting this value to `false`. Setting this value to `true` is equivalent to using the `-k` option with `curl` as shown in Splunk examples and is **not** recommended. Only set this value to `true` when HEC uses a self-signed certificate.
 
   :::note
-  Cloudflare highly recommends setting this value to <code class="InlineCode">false</code>. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
+  Cloudflare highly recommends setting this value to `false`. Refer to the [Logpush FAQ](/logs/faq/logpush/) for more information.
   :::
 
   - **\<SOURCE_TYPE>**: The Splunk source type. For example: `cloudflare:json`.

From 664eefdb8bd9fbd6183a5782fadb68230e1ff678 Mon Sep 17 00:00:00 2001
From: Angela Costa <acosta@cloudflare.com>
Date: Fri, 31 Oct 2025 11:43:11 +0000
Subject: [PATCH 4/4] Corrects example

---
 .../logs/logpush/logpush-job/enable-destinations/splunk.mdx     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
index ba202e257c45162..0ea8c07a349da29 100644
--- a/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
+++ b/src/content/docs/logs/logpush/logpush-job/enable-destinations/splunk.mdx
@@ -74,7 +74,7 @@ To create a job, make a `POST` request to the Logpush jobs endpoint with the fol
   :::
 
   - **\<SOURCE_TYPE>**: The Splunk source type. For example: `cloudflare:json`.
-  - **\<SPLUNK_AUTH_TOKEN>**: The Splunk authorization token that is URL-encoded and must be prefixed with the word `Splunk`. For example: `Splunk<%20e6d94e8c-5792-4ad1-be3c-29bcaee0197d>`.
+  - **\<SPLUNK_AUTH_TOKEN>**: The Splunk authorization token that is URL-encoded and must be prefixed with the word `Splunk`. For example: `Splunk e6d94e8c-5792-4ad1-be3c-29bcaee0197d`.
 
 ```bash
 "splunk://<SPLUNK_ENDPOINT_URL>?channel=<SPLUNK_CHANNEL_ID>&insecure-skip-verify=<INSECURE_SKIP_VERIFY>&sourcetype=<SOURCE_TYPE>&header_Authorization=<SPLUNK_AUTH_TOKEN>"