Splunk® Enterprise

Alerting Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Use a webhook alert action

Webhooks allow you to define custom callbacks on a particular web resource. For instance, you can set up a webhook to make an alert message pop up in a chat room or post a notification on a web page. When an alert triggers, the webhook makes an HTTP POST request on the URL. The webhook passes JSON formatted information about the alert in the body of the POST request.

When you set up a webhook alert, you must get the hook URL from the target source. For example, if you want to post a webhook alert to a Slack room, you must follow Slack's webhook instructions to get the correct URL to use. You can test that webhooks are triggering by using a webhooks testing site such as https://webhook.site.

In Splunk Enterprise version 9.0 and higher, before a triggered alert can send a request to a specified URL, you must add the URL to the webhook allow list. For more information, see Configure webhook allow list.

Webhook data payload

The webhook POST request's JSON data payload includes the following details.

  • Search ID or SID for the saved search that triggered the alert
  • Link to search results
  • Search owner and app
  • First result row from the triggering search results

Example

{

	"result": {
		"sourcetype" : "mongod",
		"count" : "8"
	},
	"sid" : "scheduler_admin_search_W2_at_14232356_132",
	"results_link" : "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
	"search_name" : null,
	"owner" : "admin",
	"app" : "search"
}

Depending on the webhook scenario, you can configure data payload handling on the resource receiving the POST.

Configure a webhook alert action

Set up a webhook when selecting alert actions for an alert.

  1. Follow one of these options to configure the webhook action when you create a new alert or edit an existing alert:
    Option Steps
    Create a new alert From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Edit an existing alert From the Alerts page in the Search and Reporting app, select Edit>Edit actions for an existing alert.
  2. In the Add Actions menu, select Webhook.
  3. Type a URL for the webhook.
  4. Click Save.
Last modified on 17 July, 2023
Use tokens in email notifications   Output results to a CSV lookup

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters