Splunk® Enterprise

Alerting Manual

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Use a webhook alert action

Webhooks allow you to define custom callbacks on a particular web resource. For instance, you can set up a webhook to make an alert message pop up in a chat room or post a notification on a web page. When an alert triggers, the webhook makes an HTTP POST request on the URL. The webhook passes JSON formatted information about the alert in the body of the POST request.

When you set up a webhook alert, you must get the hook URL from the target source. For example, if you want to post a webhook alert to a Slack room, you must follow Slack's webhook instructions to get the correct URL to use. You can test that webhooks are triggering by using a webhooks testing site such as https://webhook.site.

In Splunk Cloud Platform version 8.2203 and higher, before a triggered alert can send a request to a specified URL, you must add the URL to the webhook allow list. For more information, see Configure webhook allow list using Splunk Web in the Splunk Cloud Platform Admin Manual.

Webhook data payload

The webhook POST request's JSON data payload includes the following details.

  • Search ID or SID for the saved search that triggered the alert
  • Link to search results
  • Search owner and app
  • First result row from the triggering search results


Example 

{

	"result": {
		"sourcetype" : "mongod",
		"count" : "8"
	},
	"sid" : "scheduler_admin_search_W2_at_14232356_132",
	"results_link" : "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
	"search_name" : null,
	"owner" : "admin",
	"app" : "search"
}

Depending on the webhook scenario, you can configure data payload handling on the resource receiving the POST.

Configure a webhook alert action

To set up a webhook alert action:

  1. You can configure the webhook action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
    Option Steps
    Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.
  2. From the Add Actions menu, select Webhook.
  3. Specify the webhook URL. The target URL must also be specified on the webhook allow list. For more information, see Configure webhook allow list using Splunk Web.
  4. Click Save.
Last modified on 18 October, 2024
Use tokens in email notifications   Output results to a CSV lookup

This documentation applies to the following versions of Splunk® Enterprise: 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters