Splunk® IT Service Intelligence

Event Analytics Manual

Integrate ITSI with a webhook

Integrate a webhook with IT Service Intelligence (ITSI) so you can send episode data to a webhook URL from ITSI using episode actions, or through automated action rules in notable event aggregation policies.

Set up the integration

Perform the following steps to set up a connection with a webhook.

Prerequisites

Requirement Description
Webhook URL You must have a specific webhook URL to send data.
ITSI role You must have the admin role to set up the integration.
Authentication details You must have a username and password to set up basic authentication. You must also have a bearer token to set up bearer authentication.

Configure a new webhook

  1. From the ITSI navigation menu, select Configuration then Event Management then Webhooks.
  2. Select Create webhook.
  3. Select an authentication type:
    • No authentication
    • Basic authentication: use a username and password to authenticate the webhook
    • Bearer token: specify a specific token (typically a text string) to use to authenticate the webhook
  4. Add a name for your webhook.
  5. (Optional) Add a webhook description.
  6. Add the URL on which episode data will be sent.
  7. If you selected Basic authentication as your authentication type, input a username and password. If you selected Bearer token as your authentication type, input a bearer token.
  8. (Optional) Add headers for the URL.
  9. (Optional) Select Verify certificate if the webhook's SSL certificate is verified.
  10. Select Save.

Sample webhook payload

The data will be sent as a JSON string to the webhook URL.

"{\"index\": \"itsi_grouped_alerts\", \"itsi_bdt_event\": \"\", \"itsi_dummy_closing_flag\": \"\", \"itsi_group_id\": \"bb9be1b4-f15d-4d0f-bb00-15efb36ed40c\", \"source\": \"test_cs\", \"sourcetype\": \"itsi_notable:group\", \"_time\": \"1713866345.477\", \"_raw\": \"{\\\"referer\\\":\\\"-\\\",\\\"drilldown_search_earliest_offset\\\":\\\"-300\\\",\\\"event_identifier_fields\\\":\\\"source\\\",\\\"orig_raw\\\":\\\"10.56.129.122 - admin [23/Apr/2024:09:58:59.910 +0000] \\\\\\\"GET /en-US/splunkd/__raw/servicesNS/admin/itsi/search/v2/jobs/1713866339.937?output_mode=json&_=1713866315556 HTTP/1.1\\\\\\\" 200 2840 \\\\\\\"-\\\\\\\" \\\\\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\\\\\\\" - 10c80b2b67d6aa23084e6e934e11bb5c 2ms\\\",\\\"ident\\\":\\\"-\\\",\\\"itsi_group_count\\\":\\\"4\\\",\\\"rid\\\":\\\"0\\\",\\\"uri_path\\\":\\\"/en-US/splunkd/__raw/servicesNS/admin/itsi/search/v2/jobs/1713866339.937\\\",\\\"itsi_instruction\\\":\\\"%itsi_instruction%\\\",\\\"itsi_is_first_event\\\":\\\"false\\\",\\\"clientip\\\":\\\"10.56.129.122\\\",\\\"search_name\\\":\\\"test_cs\\\",\\\"itsi_group_description\\\":\\\"Applies to events that do not meet the criteria of any other active policy.\\\",\\\"orig_time\\\":\\\"1713866345.4765794\\\",\\\"orig_rid\\\":\\\"0\\\",\\\"mod_time\\\":\\\"1713866345.4765794\\\",\\\"method\\\":\\\"GET\\\",\\\"itsi_group_severity\\\":\\\"1\\\",\\\"search_type\\\":\\\"basic\\\",\\\"version\\\":\\\"HTTP/1.1\\\",\\\"req_time\\\":\\\"23/Apr/2024:09:58:59.910 +0000\\\",\\\"itsi_service_ids\\\":\\\"null\\\",\\\"drilldown_search_latest_offset\\\":\\\"300\\\",\\\"orig_index\\\":\\\"_internal\\\",\\\"itsi_group_id\\\":\\\"bb9be1b4-f15d-4d0f-bb00-15efb36ed40c\\\",\\\"uri_query\\\":\\\"output_mode=json&_=1713866315556\\\",\\\"itsi_group_instruction\\\":\\\"null\\\",\\\"itsi_is_last_event\\\":\\\"false\\\",\\\"itsi_split_by_hash\\\":\\\"source:test_cs:\\\",\\\"status\\\":\\\"1\\\",\\\"itsi_first_event_time\\\":\\\"1713866164.889\\\",\\\"other\\\":\\\"- 10c80b2b67d6aa23084e6e934e11bb5c 2ms\\\",\\\"is_use_event_time\\\":\\\"0\\\",\\\"useragent\\\":\\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\\\",\\\"title\\\":\\\"title_1\\\",\\\"itsi_earliest_event_time\\\":\\\"1713866164.89\\\",\\\"file\\\":\\\"1713866339.937\\\",\\\"itsi_parent_group_id\\\":\\\"c8891186-3819-489b-b371-d4a215b900ef\\\",\\\"event_field_max_length\\\":\\\"10000\\\",\\\"root\\\":\\\"en-US\\\",\\\"orig_sourcetype\\\":\\\"splunkd_ui_access\\\",\\\"itsi_group_title\\\":\\\"title_1\\\",\\\"severity\\\":\\\"1\\\",\\\"owner\\\":\\\"unassigned\\\",\\\"itsi_action_rule_keys\\\":\\\"null\\\",\\\"spent\\\":\\\"2\\\",\\\"itsi_group_assignee\\\":\\\"unassigned\\\",\\\"uri\\\":\\\"/en-US/splunkd/__raw/servicesNS/admin/itsi/search/v2/jobs/1713866339.937?output_mode=json&_=1713866315556\\\",\\\"itsi_group_status\\\":\\\"1\\\",\\\"itsi_first_event_id\\\":\\\"b30343d0-0157-11ef-bad6-064456e894d9\\\",\\\"event_id\\\":\\\"1ea6b0cc-0158-11ef-9ad6-064456e894d9\\\",\\\"itsi_policy_id\\\":\\\"itsi_default_policy\\\",\\\"bytes\\\":\\\"2840\\\",\\\"orig_status\\\":\\\"200\\\",\\\"itsi_last_event_time\\\":\\\"1713866345.477\\\",\\\"output_mode\\\":\\\"json\\\",\\\"event_identifier_hash\\\":\\\"9dffbe7047f146d830fec82a5ebf013f19686c72432c70819d82995d2a2a47da\\\",\\\"event_identifier_string\\\":\\\"/opt/splunk/var/log/splunk/splunkd_ui_access.log\\\",\\\"user\\\":\\\"admin\\\",\\\"orig_sid\\\":\\\"scheduler__admin__itsi__RMD5d2ff4c2e3a811a1d_at_1713866340_259\\\"}\", \"host\": \"so1\", \"_sourcetype\": \"itsi_notable:group\", \"_cd\": \"0:290\", \"_bkt\": \"itsi_grouped_alerts~0~C3737AC5-933C-42A4-95A7-4A337234B648\", \"linecount\": \"1\", \"splunk_server\": \"so1\", \"splunk_server_group\": \"\", \"_si\": [\"so1\", \"itsi_grouped_alerts\"], \"_indextime\": \"1713866406\", \"_subsecond\": \".477\", \"drilldown_search_earliest_offset\": \"-300\", \"event_identifier_fields\": \"source\", \"orig_raw\": \"10.56.129.122 - admin [23/Apr/2024:09:58:59.910 +0000] \\\"GET /en-US/splunkd/__raw/servicesNS/admin/itsi/search/v2/jobs/1713866339.937?output_mode=json&_=1713866315556 HTTP/1.1\\\" 200 2840 \\\"-\\\" \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\\\" - 10c80b2b67d6aa23084e6e934e11bb5c 2ms\", \"itsi_group_count\": \"4\", \"orig_owner\": \"\", \"rid\": \"0\", \"tid\": \"\", \"itsi_instruction\": \"%itsi_instruction%\", \"itsi_is_first_event\": \"false\", \"search_name\": \"test_cs\", \"itsi_group_description\": \"Applies to events that do not meet the criteria of any other active policy.\", \"orig_time\": \"1713866345.4765794\", \"orig_rid\": \"0\", \"mod_time\": \"1713866345.4765794\", \"method\": \"GET\", \"log_level\": \"\", \"itsi_group_severity\": \"1\", \"search_type\": \"basic\", \"itsi_service_ids\": \"null\", \"drilldown_search_latest_offset\": \"300\", \"start_time\": \"1713866164.889\", \"orig_index\": \"_internal\", \"itsi_group_instruction\": \"null\", \"itsi_is_last_event\": \"false\", \"itsi_split_by_hash\": \"source:test_cs:\", \"metric_info_numberOfObjects\": \"\", \"status\": \"1\", \"itsi_first_event_time\": \"1713866164.889\", \"is_use_event_time\": \"0\", \"title\": \"title_1\", \"itsi_earliest_event_time\": \"1713866164.89\", \"itsi_parent_group_id\": \"c8891186-3819-489b-b371-d4a215b900ef\", \"event_field_max_length\": \"10000\", \"sub_component\": \"\", \"orig_sourcetype\": \"splunkd_ui_access\", \"transaction_time\": \"\", \"itsi_group_title\": \"title_1\", \"severity\": \"1\", \"owner\": \"unassigned\", \"itsi_action_rule_keys\": \"null\", \"end_time\": \"\", \"itsi_group_assignee\": \"unassigned\", \"itsi_group_status\": \"1\", \"component\": \"\", \"itsi_first_event_id\": \"b30343d0-0157-11ef-bad6-064456e894d9\", \"event_id\": \"1ea6b0cc-0158-11ef-9ad6-064456e894d9\", \"itsi_policy_id\": \"itsi_default_policy\", \"itsi_last_event_time\": \"1713866345.477\", \"event_identifier_hash\": \"9dffbe7047f146d830fec82a5ebf013f19686c72432c70819d82995d2a2a47da\", \"event_identifier_string\": \"/opt/splunk/var/log/splunk/splunkd_ui_access.log\", \"orig_sid\": \"scheduler__admin__itsi__RMD5d2ff4c2e3a811a1d_at_1713866340_259\", \"referer\": \"-\", \"ident\": \"-\", \"uri_path\": \"/en-US/splunkd/__raw/servicesNS/admin/itsi/search/v2/jobs/1713866339.937\", \"clientip\": \"10.56.129.122\", \"punct\": \"{\\\"\\\":\\\"-\\\",\\\"\\\":\\\"-\\\",\\\"\\\":\\\"\\\",\\\"\\\":\\\"..._-__[//:::._+]_\\\\\\\"_/-//\", \"version\": \"HTTP/1.1\", \"req_time\": \"23/Apr/2024:09:58:59.910 +0000\", \"uri_query\": \"output_mode=json&_=1713866315556\", \"other\": \"- 10c80b2b67d6aa23084e6e934e11bb5c 2ms\", \"useragent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36\", \"file\": \"1713866339.937\", \"root\": \"en-US\", \"spent\": \"2\", \"uri\": \"/en-US/splunkd/__raw/servicesNS/admin/itsi/search/v2/jobs/1713866339.937?output_mode=json&_=1713866315556\", \"bytes\": \"2840\", \"orig_status\": \"200\", \"output_mode\": \"json\", \"user\": \"admin\", \"limit\": \"\", \"query\": \"\", \"skip\": \"\", \"eventtype\": \"\", \"_eventtype_color\": \"\", \"tag\": \"\", \"tag::eventtype\": \"\", \"_serial\": \"0\", \"instruction\": \"null\", \"description\": \"\", \"last_time\": \"1713866345.477\", \"is_active\": \"1\", \"event_count\": \"4\", \"policy_id\": \"itsi_default_policy\", \"_itsi_is_group_broken\": \"0\"}"

Test the webhook integration

To run your new webhook, follow these instructions.

  1. Go to the Alerts and Episodes page.
  2. Select an episode.
  3. Select the Actions dropdown menu, then select Webhook.

Automatically send episode data to a webhook

To configure aggregation policy action rules to send episode data to a webhook, follow these steps.

Webhook rule2.png

  1. Select Configuration then Event Management then Notable Event Aggregation Policies.
  2. Open the aggregation policy you want to integrate with the webhook, or select Create Notable Event Aggregation Policy.
  3. Select the Action Rules tab.
  4. Select Add Rule and configure the webhook to forward the episode data.
  5. Select Configure and provide a name for the webhook, and validate the webhook URL.
Last modified on 10 May, 2024
Integrate ITSI with PagerDuty   Integrate ITSI with Splunk On-Call (VictorOps)

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.19.0, 4.19.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters