Send alert notifications to Splunk platform using Splunk Observability Cloud 🔗
You can configure Splunk Observability Cloud to automatically send alert notifications to Splunk platform when a condition triggers the detector and when a clear condition clears the alert.
注釈
To add Splunk platform as a detector alert recipient, you must have administrator access. To get this access, an existing administrator adds it to your user profile. See Splunk Observability Cloudでユーザーを作成および管理する for more information.
To send Splunk Observability Cloud alert notifications to Splunk platform, complete the following configuration tasks:
Step 1: Create a Splunk platform integration in Splunk Observability Cloud
Step 2: Add a Splunk platform integration as a detector alert recipient in Observability Cloud
Step 1: Create a Splunk platform integration in Splunk Observability Cloud 🔗
Splunk Observability Cloudにログインします。
Open the Splunk platform guided setup . Alternatively, you can navigate to the guided setup on your own:
ナビゲーションメニューで、
を選択します。Go to the Available integrations tab, or select Add Integration in the Deployed integrations tab.
インテグレーションのフィルターメニューで、All を選択します。
In the Search field, search for Splunk platform, and select it.
新規インテグレーション を選択すると、設定オプションが表示されます。
On the Summary page, select Next.
On the Configure connection page, enter information into the following fields:
フィールド
説明
Name
Give your integration a unique and descriptive name. For information about the downstream use of this name, see About naming your integrations.
URL
Enter the HTTP Event Collector (HEC) URI for your Splunk platform instance. To learn more, see the Send data to HTTP Event Collector section in the Documentation for Splunk Cloud Platform.
HEC token
Enter the HTTP Event Collector token that allows access to your Splunk platform instance. To learn more, see Set up and use HTTP Event Collector in Splunk Web .
注釈
Splunk Observability Cloud doesn’t support HEC indexer acknowledgement. To use the Splunk platform integration, don’t activate indexer acknowledgement for HEC token in your Splunk Enterprise instance.
Next を選択します。
On the Customize message page, you see the default template for a Splunk platform integration. You can customize your payload to make sure responders have the context needed to resolve the issues. To learn more, see Supported variables for Splunk platform integration custom payload.
Next を選択します。
Review your integration and select Save.
Step 2: Add a Splunk platform integration as a detector alert recipient in Observability Cloud 🔗
To add a Splunk platform integration as a detector alert recipient in Splunk Observability Cloud:
Create or edit a detector that you want to configure to send alert notifications using your Splunk platform integration.
ディテクターに関する作業の詳細は、アラートをトリガーするディテクターを作成する および 「ディテクター」メニューを使用してアラートの受信登録をする を参照してください。
アラート受信者 のステップで、受信者の追加 を選択します。
Select Splunk platform and then select the name of the Splunk platform integration you want to use to send alert notifications. This is the integration name you created in Step 1: Create a Splunk platform integration in Splunk Observability Cloud.
ディテクターをアクティブ化し、保存します。
Splunk Observability Cloud sends an alert notification to Splunk platform when the detector triggers or clears an alert.
Supported variables for Splunk platform integration custom payload 🔗
The following table shows the full list of variables for customization.
注釈
Unless otherwise indicated in the description, all variables are of type string.
When a variable is optional, it means it’s not always available. If you use an optional variable that isn’t available in the present conditions to construct your payload, Handlebars converts it to an empty string.
Variable |
説明 |
---|---|
|
Name of the detector. |
|
URL of the detector, which includes a parameter to select this specific incident. |
|
ID of the detector. |
|
(Optional) Description of the rule for the detector. |
|
A map of the dimensions in the input MTS. |
|
(Optional) URL of the alert preview image. |
|
Unique identifier for this alert notification. |
|
Unique identifier for the version of the detector that sent the notification. |
|
Name of the detector rule that triggered the alert. |
|
Severity level of the rule determined by Splunk Observability Cloud. Use this variable in your custom payload. |
|
Runbook URL specified in this rule. |
|
Tip specified in this rule. |
|
Notification title for this rule. |
|
Notification message for this rule. |
|
(Optional) Criteria for metric data and detection criteria for the detector rule, written in SignalFlow format. |
|
(Optional) Clear metric data and detection criteria in this rule, in SignalFlow format. |
|
Status of the incident, kept for backwards compatibility. Use
|
|
New variable for status of the incident. Use in place of
|
|
Time the event occurred, in ISO 8601 format. |
|
Map of the inputs involved in this rule. This variable is of type array. For more information, see inputs 配列. |
|
The schema version for this event. The value is always set to |
|
The organization ID of the Splunk Observability Cloud org where the alert is coming from. |
|
Name of the metric that triggered the alert. |
|
The source of the alert, as defined by the following dimensions. The first dimension value available is set as the source of the alert.
|
inputs
配列 🔗
Each object in the inputs
array is named after the program variable it’s bound to. If an object isn’t bound to a program variable, it uses a name like _S0
, _S1
, and so on.
各入力オブジェクトには以下の要素が含まれます:
要素 |
説明 |
---|---|
|
(Optional) Map of the dimensions of the input signal. This element might be empty if there are no dimensions; for example, if the input was a static value and not a comparison against scalar values. |
|
Value of the input when the alert triggered or when it cleared. |
|
(オプション)これは、入力を表すSignalFlowプログラムのフラグメントです。一部のディテクター、あるいは静的な匿名の入力では、この要素は存在しない可能性があります。 |
Helper functions 🔗
Apart from using template variables to customize your payload, you can also use the following helper functions to make sure the right value is set on the outgoing alert.
Function |
説明 |
Examples |
---|---|---|
|
Returns the first value that is not empty. You can use this function to specify the desired order of dimensions for the |
{{{coalesce dimensions.host dimensions.aws_arn ‘No ID Found!’}}}
This example sets
dimensions.host on the alert if it is present, dimensions.aws_arn as a second option, and the string “No ID Found!” if neither host nor AWS ID is present. |
|
Returns
|
{{{severityDecoder ok='ok' Major='not_ok' default='empty'}}} This example overrides the default return values and customizes them.
|
|
Escapes quote and newline characters in a string. |
|
|
Adds text to a payload only if the value specified is not empty map. This function only works with the |
This example only prints if dimensions is not empty: {{#notEmpty dimensions}}
{{/notEmpty}} |
|
Converts a string to a raw JSON value. Use this function to turn text from a detector into a JSON payload that can be evaluated in third-party integrations. |
|
|
Returns a new character sequence that is a subsequence of this sequence. The subsequence starts with the character at the specified index and ends with the character at the second to last index. |
{{substring var 1}} {{substring var 1 3}} |
|
Truncates a string if it is longer than the specified number of characters. Minimum abbreviation width is 4. |
|
|
Replaces each substring of this string that matches the literal target sequence with the specified literal replacement sequence. |
|
|
Checks if two elements are equal. |
{{#eq a b}}yes{{else}}no{{/eq}} {{#eq a 2}}yes{{else}}no{{/eq}} |