Splunk® Enterprise

Alerting Manual


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Use a webhook alert action

What is a webhook?

Webhooks allow you to define custom callbacks on a particular web resource. For instance, you can set up a webhook to make an alert message pop up in a chat room or post a notification on a web page.

About webhook alert actions

You can create a webhook action for instant alert notifications at a particular URL. When an alert is triggered, the webhook makes an HTTP POST request to the URL. The webhook passes JSON-formatted information about the alert in the body of the POST request.

A webhook starts with an alert. You can define conditions for triggering the webhook alert action.

As an example, imagine that you have an alert set up to trigger whenever a new customer signs up on your company's website. Let's also imagine that you have a web-based chat client at work where employees can exchange quick updates or ask questions.

A webhook can help you use your chat client as a real-time information hub for customer sign-ups. You can set up a webhook with the chat client's URL. Each time the webhook's alert triggers, the webhook makes an HTTP POST request to that URL. The POST request carries a data payload to deliver to the URL.

For a webhook, the POST request's JSON data payload includes:

  • Search ID or SID for the saved search that triggered the alert
  • Search owner and app
  • First result row from the triggering search results

Here is an example of what the JSON information might look like:

[Screenshot: webhook JSON request example]

In this example, the SID is "scheduler__admin__search__W2_at_1427942640_178". The owner role is "admin", and this alert comes from the Search and Reporting app.

The data payload may contain more information from the alert. You can configure the way your web resource handles the data payload.

Continuing with our example, your chat client can use the POST request data to show a notification. Using a webhook, you can monitor customer sign-ups in real time.
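The following is an added example, not Splunk code, of how a receiving web resource can handle the payload described above: it validates the POST body, keeps only the expected fields, and escapes the result row before rendering a chat notification. The key names `sid`, `owner`, `app` and `result`, the size cap, and the function names are assumptions made for this sketch, and the sample body is constructed.

```python
import html
import json

MAX_BODY = 64 * 1024  # assumed cap; the payload carries a single result row
REQUIRED = {"sid": str, "owner": str, "app": str, "result": dict}  # assumed key names

class BadPayload(ValueError):
    """Raised when a POST body does not look like an alert payload."""

def parse_alert(body: bytes) -> dict:
    """Validate a webhook POST body and return only the expected fields."""
    if len(body) > MAX_BODY:
        raise BadPayload("body too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, RecursionError) as exc:  # bad UTF-8, bad JSON, deep nesting
        raise BadPayload("not valid UTF-8 JSON") from exc
    if not isinstance(data, dict):
        raise BadPayload("top level must be an object")
    alert = {}
    for key, expected_type in REQUIRED.items():
        if not isinstance(data.get(key), expected_type):
            raise BadPayload(f"missing or mistyped field: {key}")
        alert[key] = data[key]  # unexpected extra keys are dropped
    return alert

def chat_message(alert: dict) -> str:
    """Render a notification. Result values originate in indexed events,
    so they are escaped before being shown in an HTML-capable chat client."""
    esc = lambda value: html.escape(str(value))
    fields = ", ".join(f"{esc(k)}={esc(v)}" for k, v in sorted(alert["result"].items()))
    return f"Alert {esc(alert['sid'])} ({esc(alert['owner'])}/{esc(alert['app'])}): {fields}"

# Constructed sample body; the SID is the one quoted on this page.
SAMPLE = json.dumps({
    "sid": "scheduler__admin__search__W2_at_1427942640_178",
    "owner": "admin",
    "app": "search",
    "result": {"user": "<b>new@example.com</b>", "action": "signup"},
    "unexpected": "ignored",
}).encode()

if __name__ == "__main__":
    print(chat_message(parse_alert(SAMPLE)))
```

A receiver would call `parse_alert` on the raw request body and return an HTTP 400 response when `BadPayload` is raised.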

Set up a webhook

You can set up a webhook when you save a search as an alert.

  • In the Save As Alert dialog, find the Trigger Actions menu. Click +Add Actions.

  • Select Webhook.

  • Input a URL for the webhook.

  • Click Save.
Last modified on 09 March, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
