https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226074#M4139 <P>When setting up your own Custom Alert Action, the payload should have an entry to the search results directly:</P> <PRE><CODE>&lt;results_file&gt;%your_splunk_path%/var/run/splunk/dispatch/scheduler__admin_%a_hash_value%/tmp_0.csv.gz&lt;/results_file&gt; </CODE></PRE> <P>As ramabu already listed, here are the docs, <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro">http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro</A></P> Fri, 25 Mar 2016 20:01:07 GMT cb_usps 2016-03-25T20:01:07Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226069#M4134 <P>Hi,</P> <P>I had a sample test on the Splunk Webhook Alert action and it seems the webbhook sends the first result from the search results. Is there a way to send the entire search results as JSON payload?</P> <P>Thanks<BR /> Mathan J</P> Tue, 01 Mar 2016 22:00:13 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226069#M4134 Mathanjey 2016-03-01T22:00:13Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226070#M4135 <P>I don't know that it is possible to get them all in a single trigger.<BR /> What I did in a similar case, is I triggered the alert once per result. Can this work for you?</P> <P>If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro</A></P> <P>Reading this, keep in mind that a custm-alert-action is a one-alert-app, sort of, that plugs into the 'Add Actions' drop down, and has its own setup, triggering dialog, icon, script, etc.</P> Tue, 29 Sep 2020 08:57:13 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226070#M4135 ramabu 2020-09-29T08:57:13Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226071#M4136 <P>Thanks, I see the workaround of triggering the alert once per result. In such case it would increase the network traffic as we will have more number of search results (&gt;100) and multiple webhooks will be configured of different types. Do you agree? Preferably I would think getting all the results set at once shot would help the receiving service to parse through and take necessary actions. </P> <P>Thanks<BR /> Mathan J</P> Wed, 02 Mar 2016 14:38:19 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226071#M4136 Mathanjey 2016-03-02T14:38:19Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226072#M4137 <P>If the results are interrelated, and the receiving service needs them all to handle them properly, then this is surely not a workaround. </P> <P>And I agree that network traffic will increase, and the receiving service will be posted &gt;100 times more often. </P> <P>It is just that the webhook is more of an illustrative example of a custom alert action, suitable for specific, not all, cases.</P> <P>See also the following questions I answered to myself...<BR /> <A href="https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html">https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html</A><BR /> <A href="https://answers.splunk.com/answers/351433/is-it-possible-to-use-a-configuration-stanza-in-we-1.html">https://answers.splunk.com/answers/351433/is-it-possible-to-use-a-configuration-stanza-in-we-1.html</A></P> Wed, 02 Mar 2016 15:55:10 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226072#M4137 ramabu 2016-03-02T15:55:10Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226073#M4138 <P>Got a solution to get all the results. We actually took slightly a different route to fit our requirements.</P> <P>We still plan to use the Out of the box Webhook which will be triggered on a certain condition followed by a web service is exposed to receive the alert.</P> <P>With the web service we get the first result from the payload, in addition we also get the search id.</P> <P>Having the search id , we got a way to call the REST API that returns the complete search results in XML, based on which we can parse ..etc.</P> <P>Sample REST API URL : <A href="https://SplunkServer:port/services/nobody/applicaitonname/search/jobs/Searchid_from_webhook/results_preview">https://SplunkServer:port/services/nobody/applicaitonname/search/jobs/Searchid_from_webhook/results_preview</A></P> <P>Thanks<BR /> Mathan J</P> Fri, 11 Mar 2016 21:52:19 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226073#M4138 Mathanjey 2016-03-11T21:52:19Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226074#M4139 <P>When setting up your own Custom Alert Action, the payload should have an entry to the search results directly:</P> <PRE><CODE>&lt;results_file&gt;%your_splunk_path%/var/run/splunk/dispatch/scheduler__admin_%a_hash_value%/tmp_0.csv.gz&lt;/results_file&gt; </CODE></PRE> <P>As ramabu already listed, here are the docs, <A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro">http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro</A></P> Fri, 25 Mar 2016 20:01:07 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226074#M4139 cb_usps 2016-03-25T20:01:07Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226075#M4140 <P>Thanks for the answer. I had really hoped there was a better solution to get POST with the full results. This is very inefficient. If anyone else has a way to get full results in the POST I am very interested. </P> Wed, 18 Jan 2017 21:13:53 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226075#M4140 tavor999 2017-01-18T21:13:53Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226076#M4141 <P>did you get an answer for this? I am having the same problem and cant find anything here. Thanks</P> Fri, 02 Jun 2017 15:52:37 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/226076#M4141 maximusdm 2017-06-02T15:52:37Z https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/754407#M16344 <P>Where did you find the Power Automate IP`s that need adding to the Splunk API allow list ?</P> Thu, 16 Oct 2025 10:46:21 GMT https://community.splunk.com/t5/Alerting/How-to-get-Splunk-Webhook-Alert-actions-to-send-entire-search/m-p/754407#M16344 tomapatan 2025-10-16T10:46:21Z