Splunk® Enterprise

Alerting Manual

Download manual as PDF

Download topic as PDF

Use a webhook alert action

Webhooks allow you to define custom callbacks on a particular web resource. For instance, you can set up a webhook to make an alert message pop up in a chat room or post a notification on a web page. When an alert triggers, the webhook makes an HTTP POST request on the URL. The webhook passes JSON formatted information about the alert in the body of the POST request.

Webhook data payload

The webhook POST request's JSON data payload includes the following details.

  • Search ID or SID for the saved search that triggered the alert
  • Link to search results
  • Search owner and app
  • First result row from the triggering search results


Example

{

	“result”: {
		“sourcetype” : “mongod”,
		“count” : “8”
	},
	“sid” : “scheduler_admin_search_W2_at_14232356_132”,
	“results_link” : “http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132”,
	“search_name” : null,
	“owner” : “admin”,
	“app” : search”
}

Depending on the webhook scenario, you can configure data payload handling on the resource receiving the POST.

Configure a webhook alert action

Set up a webhook when selecting alert actions for an alert.

  1. You can configure the webhook action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
    Option Steps
    Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.
  2. From the Add Actions menu, select Webhook.
  3. Type a URL for the webhook.
  4. Click Save.
PREVIOUS
Use tokens in email notifications
  NEXT
Log events

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters