I’ve integrated PagerDuty and Splunk, and I’m successfully seeing alerts from Splunk in PagerDuty. However, when I go to an incident detail and click on “view in splunk,” I get an error saying “The site can’t be reached.”
I’ve noticed the hostname is wrong. It’s using splunk:8000 when it should be using my_splunk_hostname:8000.
Any ideas how I can configure the link? I've already asked PagerDuty support, but they suggested I ask here too.
You need to update the hostname setting under alert_actions.conf. (If you don't have a local alert_actions.conf, create one and add the stanza & hostname setting below.)
Should look like this:
[default]
hostname=your_hostname_here
Here is the link to the relevant docs:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Alertactionsconf?utm_source=answers&utm_med...
My guess is that the alert action may not be sending the client_url string in the alert payload that PagerDuty needs to build that link?
Splunk:8000 sounds like a default entry; perhaps check the script that the PagerDuty app has in its bin folder to see how it constructs the call to the PagerDuty URL? (I will check in my lab and follow up.)
https://v2.developer.pagerduty.com/docs/trigger-events
I believe PagerDuty provides the option to view the raw payload, can you post an example?
Splunk's alert action args contain a results URL that should work here. Is your Splunk instance available to the internet?
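For the raw payload the last reply asks about, a check like the one below shows whether the link host is the problem. It is an added example, not part of the original thread or of the PagerDuty app: the payloads are constructed, only the client_url field name comes from the thread, and splunk.example.internal is a placeholder hostname.

```python
import json
from urllib.parse import urlsplit

# Constructed sample payloads (not captured from a real integration). Only the
# client_url field name comes from the thread; the other keys are illustrative.
SAMPLE_BAD = ('{"description": "Failed logins", '
              '"client_url": "http://splunk:8000/app/search/results"}')
SAMPLE_GOOD = ('{"description": "Failed logins", '
               '"client_url": "http://splunk.example.internal:8000/app/search/results"}')
SAMPLE_MISSING = '{"description": "Failed logins"}'


def check_client_url(raw_payload, expected_host):
    """Return a list of problems with the link host found in a raw alert payload."""
    payload = json.loads(raw_payload)
    url = payload.get("client_url")
    if not url:
        # Without this field the receiving side has nothing to build the link from.
        return ["payload has no client_url"]

    parts = urlsplit(url)
    host = parts.hostname  # lower-cased by urlsplit, port stripped
    if parts.scheme not in ("http", "https") or not host:
        return [f"client_url is not an absolute http(s) URL: {url!r}"]

    problems = []
    if "." not in host:
        # A bare name such as "splunk" only resolves where a DNS search domain
        # or hosts entry supplies it, which a user's browser usually lacks.
        problems.append(f"host {host!r} is an unqualified name")
    if host != expected_host.lower():
        problems.append(f"host {host!r} does not match expected {expected_host!r}")
    return problems


if __name__ == "__main__":
    for name, raw in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD),
                      ("missing", SAMPLE_MISSING)):
        print(name, check_client_url(raw, "splunk.example.internal") or "ok")
```

If the host reported here is the bare default rather than the value set in alert_actions.conf, the hostname setting is not being picked up by the instance that sends the alert.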