topic Re: Using webhook alert to send to telegram in Splunk Cloud Platform

Using webhook alert to send to telegram

Raees — Thu, 06 Mar 2025 09:15:46 GMT

I am trying to send an alert to Telegram from Splunk using the default webhooks as the Telegram alert action is no longer supported (https://splunkbase.splunk.com/app/4917).

Has anyone managed to get it working, there is no documentation on the Splunk site on using the webhook.

I am using the string below that works in a browser, but not in Splunk, so not sure how to format the string.

https://api.telegram.org/bot#########/sendMessage?chat_id=-########&text=test

Thanks

Re: Using webhook alert to send to telegram

kiran_panchavat — Thu, 06 Mar 2025 09:30:34 GMT

@Raees

The URL you provided (https://api.telegram.org/bot#########/sendMessage?chat_id=-########&text=test ) works in a browser because it’s a simple GET request. However, Splunk’s webhook alert action sends a POST request by default, and it expects a payload rather than just a URL with query parameters.

Re: Using webhook alert to send to telegram

kiran_panchavat — Thu, 06 Mar 2025 09:35:11 GMT

@Raees

Please check this

https://docs.splunk.com/Documentation/Splunk/9.4.0/Alert/Webhooks

Re: Using webhook alert to send to telegram

kiran_panchavat — Thu, 06 Mar 2025 09:37:23 GMT

@Raees

Configure the webhook with the following details:

URL: https://api.telegram.org/bot<YourBotToken>/sendMessage
HTTP Method: POST

Request Payload:

{
"chat_id": "<YourChatID>",
"text": "Alert: $result.message$"
}

Trigger Conditions: Set the conditions under which the alert should trigger.

Test the Webhook: Save the alert and test it to ensure that messages are being sent to your Telegram chat.

Here’s an example of how the webhook URL and payload might look:


{
"url": "https://api.telegram.org/bot123456789:ABCdefGHIjklMNOpqrSTUvwXYZ/sendMessage",
"method": "POST",
"payload": {
"chat_id": "-987654321",
"text": "Alert: $result.message$"
}
}

Make sure to replace <YourBotToken> and <YourChatID> with your actual bot token and chat ID.

Re: Using webhook alert to send to telegram

Raees — Thu, 06 Mar 2025 09:39:58 GMT

@kiran_panchavat Thank you, this helps, will look up how to send a POST request to Telegram

Re: Using webhook alert to send to telegram

kiran_panchavat — Thu, 06 Mar 2025 09:45:16 GMT

@Raees

Sure, Please check.

Splunk’s webhook alert action sends a POST request to a specified URL.
The payload is typically in JSON format, and you can customize it using tokens (e.g., $result.field$) to include alert details.
Telegram’s Bot API expects either a GET request with query parameters or a POST request with a JSON body.

Get Your Telegram Bot Token and Chat ID

You already seem to have these:

Bot Token: ######### (replace with your actual token from BotFather).
Chat ID: -######## (the ID of the group or chat, including the - for groups).

Set Up the Webhook in Splunk

In Splunk, go to Settings > Alert Actions > Webhook (or configure it as part of an alert).

URL: Use the Telegram API endpoint without query parameters

https://api.telegram.org/bot<your-bot-token>/sendMessage

Replace <your-bot-token> with your actual bot token (e.g., https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendMessage).

Custom Payload: Splunk allows you to define a JSON payload. Telegram expects chat_id and text as parameters. Here’s an example payload:

{
  "chat_id": "-########",
  "text": "Alert from Splunk: $result.message$"
}

Replace -######## with your actual chat ID.
$result.message$ is a placeholder for a field from your search results (adjust based on your data; common tokens include $result.sourcetype$, $result.host$, or $trigger_reason$).

Test the Webhook

Create a test alert in Splunk:
- Go to Search, run a simple query (e.g., index=_internal | head 1).
- Save it as an alert, set the trigger condition (e.g., number of results > 0), and choose the Webhook action.
- Enter the URL and payload as described above.

Trigger the alert and check your Telegram chat for the message.

NOTE:-

Ensure the payload is valid JSON and matches Telegram’s API expectations (see https://core.telegram.org/bots/api#sendmessage

If $result.message$ doesn’t work, replace it with a static string (e.g., "text": "Test alert") to verify the setup, then adjust the token.

Example Configuration

Webhook URL: https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendMessage

Payload:

{
  "chat_id": "-123456789",
  "text": "Splunk Alert: $result.host$ triggered an event at $trigger_time$"
}

Re: Using webhook alert to send to telegram

livehybrid — Thu, 06 Mar 2025 09:45:29 GMT

Hi @Raees

Unfortunately the Inbuilt webhook POST sends a payload as below, which isnt possible to change the format of.

{ "result": { "sourcetype" : "mongod", "count" : "8" }, "sid" : "scheduler_admin_search_W2_at_14232356_132", "results_link" : "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132", "search_name" : null, "owner" : "admin", "app" : "search" }

I think this should be achievable with the https://splunkbase.splunk.com/app/4146 app - although possibly not as an alert action, but could be achieved by adding the necessary commands on the end of your SPL.

I will see if I can work together an example

PLease let me know if this helped by adding karma and/or accepting as an answer if this resolves the issue for you.

Re: Using webhook alert to send to telegram

Raees — Thu, 06 Mar 2025 09:54:15 GMT

Thanks for the POST details, I don't see how all the info is supposed to be entered as there is only a field for the URL

Re: Using webhook alert to send to telegram

livehybrid — Thu, 06 Mar 2025 10:36:36 GMT

Hi @Raees

As previously mentioned, the Splunk inbuilt webhooks use a POST with a pretty non-configurable output.

You can use https://splunkbase.splunk.com/app/7450 which allows much more customisation.

Here is a working example.

I installed the app and created an alert action as below:

Put url as: https://api.telegram.org/bot<yourToken>/sendMessage

Payload:

{ "chat_id":"<yourChatID>", "text": "$result.msg$" }

This will send the value of the "msg" field from Splunk search, obviously you can update this and use more fields if required too.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will