Can the webhook payload for an alert be configured?

New Member

Is it possible to configure the webhook payload for an alert? I would like to send alerts to BigPanda which requires the payload to contain a specific set of tags in JSON format. There is a BigPanda app for on-prem versions of Splunk, but I'm trying to integrate the SaaS based version. I couldn't find an answer to this in the docs or any other questions on here.

Second question if its not possible to configure the payload - how can I call a script from the SaaS based instance of Splunk? When I choose this as an option it prompts for a path under $splunk_home, but not sure where that is in the SaaS version.


Labels (1)
0 Karma
1 Solution


You have to go through a support ticket to get support to install Splunk apps for you into a Splunk cloud instance.

View solution in original post

0 Karma


I dont know if this is a bit overkill but you could write a python app to receive the wehook, and then recompose the json - I've been messing around with this today.  So you'd end up with a gateway - but a stateless one - here's some code - it's a spike, so dont take it too literally:

It creates an endpoint http://localhost:5000/splunk were you can take the use in splunk as a webhook target and take the original json payload and change its shape and post it to a discord channel (no cost etc.)

from asyncio.log import logger
from email import header
from urllib import response
import requests
import json
from loguru import logger
from flask import Flask, request, json

app = Flask(__name__)

def discord_message(url, message):
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "X-HTTP-Method-Override": "PUT"
    data = {
     "content": message
    payload = json.dumps(data)'Sending webhook message {message}')
    response =, headers=headers, data=payload)'{response}')

def splunk():
    data = request.json
    discord_webhook = "!!"
    message = (f'Attack detected see search: {data["results_link"]}')
    discord_message(discord_webhook, message)
    return data

def main():, host="")

if __name__ == "__main__":

if there's a better way of doing this Id really be interested 🙂 ... hmm thinking about it an aws have some really interesting event bridge logic you could prob use and plumb it into a lambda

0 Karma

New Member

Hi, can anyone answer the first original question of; is it possible to configure the Webhook JSON payload so that we can send our own payload and not just the default payload? Thank you. - - -CraigR

0 Karma

New Member

as @starcher said you need to check the splunkbase first and ask them to install the app if it is there. Splunkbase is a catalogue of cloud add-ons. If it is not there you need to fire another ticket, the application should go through the vetting process, and you will get a vetting report.

0 Karma


You have to go through a support ticket to get support to install Splunk apps for you into a Splunk cloud instance.

0 Karma
Get Updates on the Splunk Community!

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...