<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Can the webhook payload for an alert be configured? in Alerting</title>
    <link>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284675#M5257</link>
<description>&lt;P&gt;Is it possible to configure the webhook payload for an alert? I would like to send alerts to BigPanda, which requires the payload to contain a specific set of tags in JSON format. There is a BigPanda app for on-prem versions of Splunk, but I'm trying to integrate the SaaS-based version. I couldn't find an answer to this in the docs or any other questions on here.&lt;/P&gt;
&lt;P&gt;Second question, if it's not possible to configure the payload: how can I call a script from the SaaS-based instance of Splunk? When I choose this as an option it prompts for a path under $splunk_home, but I'm not sure where that is in the SaaS version.&lt;/P&gt;
&lt;P&gt;Thanks,&lt;BR /&gt;Steve&lt;/P&gt;</description>
    <pubDate>Tue, 09 Jun 2020 20:56:33 GMT</pubDate>
    <dc:creator>strayhud</dc:creator>
    <dc:date>2020-06-09T20:56:33Z</dc:date>
    <item>
      <title>Can the webhook payload for an alert be configured?</title>
      <link>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284675#M5257</link>
<description>&lt;P&gt;Is it possible to configure the webhook payload for an alert? I would like to send alerts to BigPanda, which requires the payload to contain a specific set of tags in JSON format. There is a BigPanda app for on-prem versions of Splunk, but I'm trying to integrate the SaaS-based version. I couldn't find an answer to this in the docs or any other questions on here.&lt;/P&gt;
&lt;P&gt;Second question, if it's not possible to configure the payload: how can I call a script from the SaaS-based instance of Splunk? When I choose this as an option it prompts for a path under $splunk_home, but I'm not sure where that is in the SaaS version.&lt;/P&gt;
&lt;P&gt;Thanks,&lt;BR /&gt;Steve&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2020 20:56:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284675#M5257</guid>
      <dc:creator>strayhud</dc:creator>
      <dc:date>2020-06-09T20:56:33Z</dc:date>
    </item>
    <item>
      <title>Re: Can the webhook payload for an alert be configured?</title>
      <link>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284676#M5258</link>
<description>&lt;P&gt;You have to go through a support ticket to get Support to install Splunk apps for you into a Splunk Cloud instance.&lt;/P&gt;</description>
      <pubDate>Sat, 11 Feb 2017 12:08:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284676#M5258</guid>
      <dc:creator>starcher</dc:creator>
      <dc:date>2017-02-11T12:08:57Z</dc:date>
    </item>
    <item>
      <title>Re: Can the webhook payload for an alert be configured?</title>
      <link>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284677#M5259</link>
<description>&lt;P&gt;As @starcher said, you need to check Splunkbase first and ask them to install the app if it is there. Splunkbase is a catalogue of cloud add-ons. If it is not there, you need to file another ticket; the application should go through the vetting process, and you will get a vetting report.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Sep 2019 12:15:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284677#M5259</guid>
      <dc:creator>edikmkoyan</dc:creator>
      <dc:date>2019-09-12T12:15:26Z</dc:date>
    </item>
    <item>
      <title>Re: Can the webhook payload for an alert be configured?</title>
      <link>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284678#M5260</link>
<description>&lt;P&gt;Hi, can anyone answer the first original question: is it possible to configure the webhook JSON payload so that we can send our own payload and not just the default payload? Thank you. - - - CraigR&lt;/P&gt;</description>
      <pubDate>Fri, 08 May 2020 05:31:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/284678#M5260</guid>
      <dc:creator>mobiuscraigr</dc:creator>
      <dc:date>2020-05-08T05:31:39Z</dc:date>
    </item>
    <item>
      <title>Re: Can the webhook payload for an alert be configured?</title>
      <link>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/617255#M14434</link>
<description>&lt;P&gt;I don't know if this is a bit overkill, but you could write a Python app to receive the webhook and then recompose the JSON. I've been messing around with this today. So you'd end up with a gateway, but a stateless one. Here's some code; it's a spike, so don't take it too literally:&lt;/P&gt;&lt;P&gt;It creates an endpoint &lt;A href="http://localhost:5000/splunk" target="_blank"&gt;http://localhost:5000/splunk&lt;/A&gt; which you can use in Splunk as a webhook target; it takes the original JSON payload, changes its shape and posts it to a Discord channel (no cost etc.)&lt;/P&gt;&lt;LI-CODE lang="python"&gt;import json

import requests
from flask import Flask, request
from loguru import logger

app = Flask(__name__)

# Placeholder: replace with your own Discord webhook URL and keep it out of source control.
DISCORD_WEBHOOK = "https://discordapp.com/api/webhooks/SOME_WEBHOOK!!"


def discord_message(url, message):
    """Post a plain-text message to a Discord webhook and return the HTTP response."""
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-HTTP-Method-Override": "PUT"
    }
    payload = json.dumps({"content": message})
    logger.info(f'Sending webhook message {message}')
    # A timeout stops a slow or unreachable Discord endpoint from hanging the gateway.
    response = requests.post(url, headers=headers, data=payload, timeout=10)
    logger.info(f'{response}')
    return response


@app.route('/splunk', methods=['POST'])
def splunk():
    """Receive the Splunk alert webhook, reshape it and forward it to Discord."""
    # Tolerate a missing or non-JSON body instead of raising a 415/400 inside the handler.
    data = request.get_json(silent=True) or {}
    logger.debug(data)
    # results_link is the search URL Splunk includes in its default webhook payload.
    message = f'Attack detected see search: {data.get("results_link", "n/a")}'
    discord_message(DISCORD_WEBHOOK, message)
    logger.debug(message)
    return data


def main():
    # debug=True is for local testing only; it enables the interactive Werkzeug debugger.
    app.run(debug=True, host="0.0.0.0")


if __name__ == "__main__":
    main()

&lt;/LI-CODE&gt;&lt;P&gt;If there's a better way of doing this I'd really be interested &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; ... hmm, thinking about it, AWS has some really interesting EventBridge logic you could probably use and plumb it into a Lambda.&lt;/P&gt;</description>
      <pubDate>Sat, 15 Oct 2022 15:00:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Alerting/Can-the-webhook-payload-for-an-alert-be-configured/m-p/617255#M14434</guid>
      <dc:creator>aymonfoa</dc:creator>
      <dc:date>2022-10-15T15:00:13Z</dc:date>
    </item>
  </channel>
</rss>

