Configure webhook allow list using Splunk Web
The webhook allow list is a list of URL endpoints to which webhook alert actions in Splunk Cloud Platform are permitted to send HTTP POST requests. Before a triggered alert can send a request to a specified webhook URL, Splunk Cloud Platform checks to ensure that the URL is on the allow list. You can add URLs to the allow list using the webhook allow list page in Splunk Web.
For more information on webhook alert actions, see Use a webhook alert action in the Alerting Manual.
Requirements
To configure the webhook allow list using Splunk Web, you must have:
- Splunk Cloud Platform version 8.2.2203 or higher.
- The sc_admin role.
- The edit_webhook_allow_list capability. sc_admin has this capability by default.
Add or remove URL endpoints from the webhook allow list
The webhook allow list page lets you add or remove target URL endpoints for webhook alert actions. You can add or remove multiple URL endpoints in a single page update. You must click Save for any changes that you make to the page to propagate through the system.
Specify URLs using restrictive regular expressions
Splunk Cloud Platform does a regular expression match against URLs in the allow list. If there is a string match, then an alert (HTTP POST request) is sent to the specified webhook URL. When adding a URL to the webhook allow list, make sure to define the URL as completely as possible to achieve the most restrictive match. For example, the following URLs appear in order from most restrictive to least restrictive:
- https://splunk.m.pipedream.net
- pipedream.net
- pipe
If you send an alert to http://orange.pipedream.net, it is restricted (does not match) in the first case. It is not restricted in the second case, because the regular expression pipedream.net matches.
Similarly, if you send an alert to http://mywebsite.pipeline.com, it is restricted in the first and second cases. It is not restricted in the third case, because the regular expression pipe matches. Hence, it is best to use the first URL for a more restrictive policy.
In most cases, it is best to use https:// as the starting string of the URL.
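The matching behavior described above, as an added example that is not part of the Splunk documentation: a Python sketch that assumes an allow list entry behaves like an unanchored regular expression (Python's re.search) and reports which of the page's sample URLs each entry would let through. The function names and the INTENDED and UNINTENDED lists are constructed for illustration; replace them with your own endpoints to test candidate entries before saving them.

```python
import re

# Allow list entries from the page, most to least restrictive.
ENTRIES = ["https://splunk.m.pipedream.net", "pipedream.net", "pipe"]

# Constructed test sets: the endpoint we mean to allow, and the two
# URLs the page uses to show over-broad matches.
INTENDED = ["https://splunk.m.pipedream.net"]
UNINTENDED = ["http://orange.pipedream.net", "http://mywebsite.pipeline.com"]


def matches(entry: str, url: str) -> bool:
    """Assumption: an entry is applied as an unanchored regex, so it
    matches when the pattern is found anywhere in the URL."""
    return re.search(entry, url) is not None


def overmatches(entry: str, unintended=UNINTENDED) -> list:
    """Return the unintended URLs that this entry would let through."""
    return [u for u in unintended if matches(entry, u)]


def audit(entries=ENTRIES, intended=INTENDED, unintended=UNINTENDED) -> dict:
    """Per entry: does it cover every intended URL, does it pin the
    scheme to https://, and which unintended URLs also pass?"""
    report = {}
    for entry in entries:
        report[entry] = {
            "covers_intended": all(matches(entry, u) for u in intended),
            "starts_with_https": entry.startswith("https://"),
            "overmatches": overmatches(entry, unintended),
        }
    return report


if __name__ == "__main__":
    for entry, result in audit().items():
        print(f"{entry!r}: {result}")
```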
Add URL endpoints to the webhook allow list
To add a URL endpoint to the webhook allow list using Splunk Web:
- In Splunk Web, click Settings > Server settings > Webhook allow list.
- Enter a name for the endpoint. The name is just a label for the corresponding URL. You cannot use the name field in the search and reporting app to send an alert.
- Specify the endpoint URL value. See Specify URLs using restrictive regular expressions.
- Click Save.
This saves all changes to the webhook allow list page since the last page update, including any URLs that you have added or removed.
Remove URL endpoints from the webhook allow list
- In Splunk Web, click Settings > Server settings > Webhook allow list.
- Click X to delete the URL endpoint.
- Click Save.
This saves all changes to the webhook allow list page since the last page update, including any URLs that you have added or removed.
Check alert failures due to URL not in allow list
Upon upgrade to version 8.2.2203, Splunk Cloud Platform automatically adds all URLs currently associated with a webhook alert action to the webhook allow list. However, after upgrade to 8.2.2203 or higher, you must manually add any URL associated with a webhook alert action to the webhook allow list, or that alert will fail.
To see which webhook alerts will fail because the webhook URL is missing from the allow list, run the following search:
index="_internal" source=*splunkd.log "did not match an entry" URL=* | stats values(URL) by sid
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408