Alerting

Can the webhook payload for an alert be configured?

strayhud
New Member

Is it possible to configure the webhook payload for an alert? I would like to send alerts to BigPanda, which requires the payload to contain a specific set of tags in JSON format. There is a BigPanda app for on-prem versions of Splunk, but I'm trying to integrate the SaaS-based version. I couldn't find an answer to this in the docs or any other questions on here.

Second question, if it's not possible to configure the payload: how can I call a script from the SaaS-based instance of Splunk? When I choose this as an option it prompts for a path under $splunk_home, but I'm not sure where that is in the SaaS version.

Thanks,
Steve

1 Solution

starcher
SplunkTrust

You have to go through a support ticket to get support to install Splunk apps for you into a Splunk cloud instance.



aymonfoa
Engager

I don't know if this is a bit overkill, but you could write a Python app to receive the webhook and then recompose the JSON; I've been messing around with this today. So you'd end up with a gateway, but a stateless one. Here's some code; it's a spike, so don't take it too literally:

It creates an endpoint, http://localhost:5000/splunk, which you can use in Splunk as a webhook target; it takes the original JSON payload, changes its shape and posts it to a Discord channel (no cost etc.).

import json

import requests
from flask import Flask, request
from loguru import logger

app = Flask(__name__)


def discord_message(url, message):
    """Post a plain text message to a Discord webhook URL (plain POST; no method override needed)."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    data = {"content": message}
    payload = json.dumps(data)
    logger.info(f"Sending webhook message {message}")
    response = requests.post(url, headers=headers, data=payload, timeout=10)
    logger.info(f"{response}")


@app.route("/splunk", methods=["POST"])
def splunk():
    # Splunk's webhook alert action POSTs a JSON body; results_link points
    # back at the search results for the alert that fired.
    data = request.get_json(force=True)
    logger.debug(data)
    discord_webhook = "https://discordapp.com/api/webhooks/SOME_WEBHOOK!!"
    message = f'Attack detected see search: {data["results_link"]}'
    discord_message(discord_webhook, message)
    logger.debug(message)
    return data


def main():
    # Do not run with debug=True on a reachable interface: the Werkzeug
    # debugger it enables allows arbitrary code execution from the browser.
    app.run(host="0.0.0.0")


if __name__ == "__main__":
    main()

If there's a better way of doing this I'd really be interested 🙂 ... hmm, thinking about it, AWS has some really interesting EventBridge logic you could probably use and plumb into a Lambda.

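As an added example (not code from the post above, and not Splunk's or BigPanda's own integration), here is the same stateless-gateway idea written against the original question: receive Splunk's webhook JSON, reshape it into a flat tagged document, and forward it. It uses only the Python standard library so it runs offline. Three things are assumptions for illustration: the shared secret is carried in a ?token= query parameter (Splunk's webhook action only lets you set the URL, so a secret has to live there or nowhere), the target field names app_key / status / host / check / description are an assumed receiver schema rather than a documented BigPanda contract, and SPLUNK_SAMPLE is a constructed payload whose field names are the ones Splunk documents for the webhook action (sid, search_name, app, owner, results_link, result) but whose values are made up.

```python
import hmac
import json
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample of what Splunk's webhook alert action POSTs: the field
# names are Splunk's, the values are made up for this example.
SPLUNK_SAMPLE = {
    "sid": "scheduler__admin__search__RMD5abc123_at_1700000000_1",
    "search_name": "Brute force: many failed logins",
    "app": "search",
    "owner": "admin",
    "results_link": "https://example.splunkcloud.com/app/search/@go?sid=scheduler__admin__search__RMD5abc123_at_1700000000_1",
    "result": {"host": "web-01", "user": "root", "count": "57", "severity": "high"},
}
SAMPLE_BODY = json.dumps(SPLUNK_SAMPLE).encode()

# Assumed mapping from a severity field in the alert's first result row to the
# receiver's status vocabulary; anything unknown is treated as critical.
SEVERITY_TO_STATUS = {"critical": "critical", "high": "critical",
                      "medium": "warning", "low": "ok"}


def build_alert(payload, app_key):
    """Reshape Splunk's payload into a flat tagged document. The target field
    names are an assumed schema; adjust them to what your receiver documents."""
    result = payload.get("result") or {}
    severity = str(result.get("severity", "")).lower()
    return {
        "app_key": app_key,
        "status": SEVERITY_TO_STATUS.get(severity, "critical"),
        "host": result.get("host", "unknown"),
        "check": payload.get("search_name", "splunk-alert"),
        "description": f"Splunk alert '{payload.get('search_name')}' fired: {payload.get('results_link')}",
        "splunk_sid": payload.get("sid"),
        "splunk_app": payload.get("app"),
        "splunk_owner": payload.get("owner"),
        "user": result.get("user"),
        "count": result.get("count"),
    }


def token_ok(presented, expected):
    """Constant-time check of the shared secret in the URL (?token=..., this
    example's convention, since Splunk only lets you configure the URL)."""
    return presented is not None and hmac.compare_digest(
        presented.encode(), expected.encode())


def handle(path, body, expected_token, app_key, max_bytes=65536):
    """Pure request handler, kept apart from the HTTP server so it can be
    exercised offline. Returns (http_status, outbound_alert_or_None)."""
    url = urlparse(path)
    if url.path != "/splunk":
        return 404, None
    token = parse_qs(url.query).get("token", [None])[0]
    if not token_ok(token, expected_token):
        return 401, None
    if len(body) > max_bytes:
        return 413, None
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None
    if not isinstance(payload, dict) or "search_name" not in payload:
        return 400, None
    return 200, build_alert(payload, app_key)


def forward(url, alert, bearer_token):
    """POST the reshaped alert to the receiver; returns the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(alert).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


class Gateway(BaseHTTPRequestHandler):
    # Hypothetical settings; in a deployment read them from the environment.
    expected_token = "change-me"
    app_key = "example-app-key"
    forward_url = None        # receiver's alerts endpoint; None = print only
    forward_token = "change-me"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(min(length, 65536 + 1))  # never read unbounded input
        status, alert = handle(self.path, body, self.expected_token, self.app_key)
        if alert is not None:
            if self.forward_url:
                forward(self.forward_url, alert, self.forward_token)
            else:
                print(json.dumps(alert, indent=2))
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Terminate TLS in front of this (reverse proxy) before pointing Splunk Cloud at it.
    HTTPServer(("0.0.0.0", 5000), Gateway).serve_forever()
```

Point Splunk's webhook action at https://your-gateway/splunk?token=<secret> and the gateway rejects anything without the right token, anything over 64 KiB, and anything that is not a JSON object carrying search_name, before it ever touches the outbound request. Keeping handle() free of socket code is what lets you assert on the 401/404/413/400 paths without standing up a server.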

mobiuscraigr
New Member

Hi, can anyone answer the first original question: is it possible to configure the webhook JSON payload so that we can send our own payload and not just the default payload? Thank you. - CraigR


edikmkoyan
New Member

As @starcher said, you need to check Splunkbase first and ask them to install the app if it is there. Splunkbase is a catalogue of cloud add-ons. If it is not there, you need to file another ticket; the application should go through the vetting process, and you will get a vetting report.

