diff --git a/plugins/out_splunk/splunk.c b/plugins/out_splunk/splunk.c
index c392b83687a..4ec93aff477 100644
--- a/plugins/out_splunk/splunk.c
+++ b/plugins/out_splunk/splunk.c
@@ -400,7 +400,11 @@ static flb_sds_t get_metadata_auth_header(struct flb_splunk *ctx)
     flb_sds_t auth_header = NULL;
 
     pthread_mutex_lock(&ctx->mutex_hec_token);
-    auth_header = flb_sds_create(ctx->metadata_auth_header);
+
+    if (ctx->metadata_auth_header) {
+        auth_header = flb_sds_create(ctx->metadata_auth_header);
+    }
+
     pthread_mutex_unlock(&ctx->mutex_hec_token);
 
     return auth_header;
@@ -717,7 +721,13 @@ static void cb_splunk_flush(struct flb_event_chunk *event_chunk,
     /* HTTP Client */
     flb_http_add_header(c, "User-Agent", 10, "Fluent-Bit", 10);
 
-    /* Try to use http_user and http_passwd if not, fallback to auth_header */
+    /*
+     * Authentication mechanism & order:
+     *
+     * 1. use the configure `http_user` and `http_passwd`
+     * 2. use metadata 'hec_token', if the records are generated by Splunk input plugin, this will be set.
+     * 3. use the configured `splunk_token` (if set).
+     */
     if (ctx->http_user && ctx->http_passwd) {
         flb_http_basic_auth(c, ctx->http_user, ctx->http_passwd);
     }
diff --git a/plugins/out_splunk/splunk_conf.c b/plugins/out_splunk/splunk_conf.c
index d15d2edc0ec..43ccdc1879c 100644
--- a/plugins/out_splunk/splunk_conf.c
+++ b/plugins/out_splunk/splunk_conf.c
@@ -241,6 +241,7 @@ struct flb_splunk *flb_splunk_conf_create(struct flb_output_instance *ins,
     }
 
     ctx->metadata_auth_header = NULL;
+
     /* No http_user is set, fallback to splunk_token, if splunk_token is unset, fail. */
     if (!ctx->http_user) {
         /* Splunk Auth Token */