[Logs] Document Splunk AWS add-on R2 credential limitation #31274

Open
rianvdm wants to merge 1 commit into production from logs-splunk-r2-troubleshooting

@rianvdm rianvdm commented Jun 6, 2026

Summary

Adds a troubleshooting subsection to the Splunk Logpush destination page explaining why the Splunk Add-on for AWS cannot read from R2, and documents three supported ways to get Cloudflare logs into Splunk instead.

The add-on validates credentials against AWS STS before saving them, so R2 credentials are always rejected — a recurring support question. The new section covers:

  • Why account-level validation blocks R2, and which input-level workarounds do not help.
  • Sending logs to the Splunk HTTP Event Collector with Logpush (including a Cloudflare Tunnel path for on-premises Splunk).
  • Using Azure Blob Storage as a polled intermediary.
  • Pulling objects from R2 with the AWS CLI for existing R2 Logpush setups.

It also fixes a pre-existing heading-numbering bug on the page (the API section jumped from ### 1 to ### 3).

Documentation checklist

github-actions Bot commented Jun 6, 2026

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern Owners
/src/content/docs/logs/ @soheiokamoto, @angelampcosta, @rianvdm, @dcpena, @cloudflare/product-owners

@rianvdm rianvdm marked this pull request as ready for review June 6, 2026 13:04
@rianvdm rianvdm requested review from a team and soheiokamoto as code owners June 6, 2026 13:04

cloudflare-docs-bot Bot commented Jun 6, 2026

Review

⚠️ 5 warnings found in commit f15f740.

Warnings (5)
File Issue
logs/logpush/logpush-job/enable-destinations/splunk.mdx line 284 Directional words — This applies to all three approaches below. Fix: Replace with a direct reference by name or link.
logs/logpush/logpush-job/enable-destinations/splunk.mdx line 293 Escape angle brackets in MDX prose — Line adds unescaped > in prose: <Steps> Fix: Replace > with &gt; or wrap the text in backticks.
logs/logpush/logpush-job/enable-destinations/splunk.mdx line 305 Escape angle brackets in MDX prose — Line adds unescaped > in prose: </Steps> Fix: Replace > with &gt; or wrap the text in backticks.
logs/logpush/logpush-job/enable-destinations/splunk.mdx line 322 Escape angle brackets in MDX prose — Line adds unescaped < in prose: ENDPOINT="https://<ACCOUNT_ID>.r2.cloudflarestorage.com" Fix: Replace < with &lt; or wrap the text in backticks.
logs/logpush/logpush-job/enable-destinations/splunk.mdx line 323 Escape angle brackets in MDX prose — Line adds unescaped < in prose: aws s3 sync s3://<BUCKET_NAME>/ /opt/splunk/var/log/cloudflare/ --endpoint-url "$ENDPOINT" Fix: Replace < with &lt; or wrap the text in backticks.
Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command Description
/review Runs a review now. Incremental if a prior review exists, full if not.
/full-review Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.

@ask-bonk ask-bonk Bot left a comment

2 issues need attention before merge.

HIGH — : Step 5 incorrectly frames the WAF custom rule as a way to "restrict access." The linked rule is a skip rule that allows Logpush requests to bypass WAF. Suggested inline.

MEDIUM — : The admonition contains 5 bullet items. The style guide recommends keeping admonitions to ~3 paragraphs or bullet items. Suggested inline.

Overall the troubleshooting section is well-structured and the heading-numbering fix is correct.

Comment on lines +273 to +281
- Setting `host_name` to your R2 endpoint in `inputs.conf`.
- Setting `sts_private_endpoint_url` to a non-AWS endpoint.
- Changing the region to `auto` or `us-east-1`.
- Clearing the private endpoint option.
:::

R2 S3 API compatibility is not the cause. R2 supports the S3 operations that Splunk uses, including `ListObjectsV2`, `GetObject`, and `HeadObject`, and authenticates with Signature Version 4. For details, refer to [R2 S3 API compatibility](/r2/api/s3/api/).

Use one of the following approaches to send Cloudflare logs to Splunk instead.

This admonition exceeds the recommended length. Move the list into regular prose:

Suggested change
- Setting `host_name` to your R2 endpoint in `inputs.conf`.
- Setting `sts_private_endpoint_url` to a non-AWS endpoint.
- Changing the region to `auto` or `us-east-1`.
- Clearing the private endpoint option.
:::
R2 S3 API compatibility is not the cause. R2 supports the S3 operations that Splunk uses, including `ListObjectsV2`, `GetObject`, and `HeadObject`, and authenticates with Signature Version 4. For details, refer to [R2 S3 API compatibility](/r2/api/s3/api/).
Use one of the following approaches to send Cloudflare logs to Splunk instead.
:::caution
The following changes do not resolve the error, because the failure happens during account validation.
:::
The account-level validation blocks every input-level workaround:
- Entering an R2 access key and secret in the account configuration screen.
- Setting `host_name` to your R2 endpoint in `inputs.conf`.
- Setting `sts_private_endpoint_url` to a non-AWS endpoint.
- Changing the region to `auto` or `us-east-1`.
- Clearing the private endpoint option.
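
Review bot: As rendered here, the replacement text (from `:::caution` down) does not carry over the "R2 S3 API compatibility is not the cause" paragraph or the "Use one of the following approaches" sentence, both of which sit in the lines being replaced, so applying the suggestion would delete them. The commented range also starts at the `host_name` bullet and contains only the closing `:::`, while the replacement opens its own `:::caution` and repeats the "Entering an R2 access key" bullet, which would leave the original admonition opener and first bullet above the range followed by a second admonition. Re-anchor the suggestion so it covers the whole admonition, and keep the two trailing paragraphs after the list.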


</Steps>

#### Use cloud storage as an intermediary

The WAF custom rule in the linked section allows Logpush traffic to bypass WAF, so "Restrict access" is misleading.

Suggested change
#### Use cloud storage as an intermediary
5. Create a [WAF custom rule](#2-create-waf-custom-rule-for-splunk-hec-endpoint-optional) to allow Logpush requests, or restrict access with an Access service token.
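
Review bot: The line this suggestion replaces is the heading `#### Use cloud storage as an intermediary`, not step 5, so applying it as rendered would drop that heading and place the step 5 text after the closing `</Steps>`. Re-anchor the suggestion on the step 5 line inside the steps block. The proposed wording still joins the skip rule and the Access service token with "or"; because the rule lets Logpush requests bypass WAF, consider saying outright that it is not an access control, so readers do not treat the two as interchangeable.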

@ask-bonk ask-bonk Bot added the documentation Documentation edits label Jun 6, 2026

ask-bonk Bot commented Jun 6, 2026

Review complete. I posted two inline suggestions and applied labels documentation and product:logs.

Summary of findings:

  • HIGH splunk.mdx:307: Step 5 in the Cloudflare Tunnel procedure incorrectly describes the WAF custom rule as a way to "restrict access." The linked rule is a skip rule that allows Logpush requests to bypass WAF. Posted an inline suggestion to rephrase it.
  • MEDIUM splunk.mdx:273–281: The :::caution admonition contains 5 bullet items. The style guide recommends keeping admonitions to ~3 paragraphs or bullet items. Posted an inline suggestion to move the list into regular prose.

Other than the inline suggestions, the PR structure is correct: the heading-numbering fix is good, the Steps component is properly imported and used, and the new troubleshooting section follows the heading hierarchy (H2 → H3 → H4).


ask-bonk Bot commented Jun 6, 2026

Review complete for PR #31274.

  • Labels applied: documentation, product:logs
  • Posted 2 inline suggestions.

What the PR changes:
Adds a troubleshooting subsection to the Splunk Logpush destination page explaining why the Splunk Add-on for AWS cannot read from R2 (AWS STS credential validation rejects R2 credentials). Documents three supported alternatives: direct HEC via Logpush (with a Cloudflare Tunnel path for on-premises Splunk), Azure Blob Storage as an intermediary, and pulling from R2 with the AWS CLI. Also fixes a pre-existing heading-numbering bug (API section jumped from ### 1 to ### 3).

Issues flagged:

  • HIGH — Step 5 in the tunnel procedure incorrectly describes the WAF custom rule as a way to "restrict access." The linked rule is a skip rule that allows Logpush requests to bypass WAF, so the phrasing is misleading. I posted a suggested fix.
  • MEDIUM — The :::caution admonition lists 5 bullet items. The style guide recommends keeping admonitions to ~3 paragraphs or bullet items. I posted a suggestion to move the list into regular prose.

Everything else looks good: the Steps component is properly imported and used, heading hierarchy is correct, and all links are root-relative with trailing slashes.

Labels

documentation Documentation edits product:logs Related to Logs size/s
