Alerting

Can we set up alerts using REST API, with action to send a POST request at a webhook?

bhavneet91
Engager

We want to set up alerts using REST API.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches describes how we can do it with a POST request to /saved/searches.

But this only talks about email as an action. Can we have the action be a call to a webhook when the alert is set up through the REST API?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @bhavneet91,

Yes, you can use the REST API call below to enable webhook alert actions on a scheduled search.

curl -k -u admin:pass https://localhost:8089/servicesNS/<USER>/<APP>/saved/searches/MySavedSearch -d actions=webhook -d action.webhook.param.url="https://your.server.com/api/v1/webhook"


santosh_sshanbh
Explorer

No, ultimately I had to write a Python script to create an object and set all its properties before I call the POST method.

0 Karma

Jknike
Loves-to-Learn

Hi Santosh,

Is it possible for you to share the Python script you created? I have something similar to be done for one of my clients.

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @bhavneet91,

Did you get a chance to try @bhavneet91 's solution? If so, would you mind approving the answer below? Or, if it didn't work, go ahead and post some more details about your issue.

Thanks for posting!

0 Karma

sandeepduppalli
Explorer

Will the type be created as "Report" or "Alert"? There are two types: one is "Report" and the other is "Alert". I have created a saved search, created its schedule, etc., but the type is still "Report". How do I do it for the "Alert" type?

0 Karma

sddunne
Loves-to-Learn Lots

Hey @harsmarvania57 ,

I tried to use this (against our Splunk Cloud instance) and I get an error saying:

curl -k -u<removedforsecurity>:<removedforsecurity> https://<removedforsecurity>.splunkcloud.com:8089/servicesNS/cmpapi/search/saved/searches/seantest-CreateAccessKey -d actions=webhook -d action.webhook.param.url="https://your.server.com/api/v1/webhook"


<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Argument "action.webhook.param.url" is not supported by this handler.</msg>
</messages>
</response>

No matter what I try, I get the unsupported error. This is on a Splunk Cloud instance. Is this accurate or is there another way of creating an alert with a webhook action?

Many thanks!

0 Karma
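The request from the accepted answer and the error body quoted in the reply above, as an added Python example that is not code from any poster in this thread: it builds the same POST with certificate verification left on and a bearer token in place of `-k` and `-u admin:pass`, and extracts splunkd's `<msg>` elements so a rejected argument is reported rather than lost. The function names, the sample hosts and the use of Splunk token authentication are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Error body as quoted in the reply above.
SAMPLE_ERROR = (
    '<?xml version="1.0" encoding="UTF-8"?>\n<response>\n<messages>\n'
    '<msg type="ERROR">Argument "action.webhook.param.url" is not supported '
    'by this handler.</msg>\n</messages>\n</response>\n'
)

def build_webhook_alert_request(base_url, owner, app, search_name, webhook_url, token):
    """Build (without sending) the POST that sets a webhook action on a saved search."""
    hook = urllib.parse.urlsplit(webhook_url)
    if hook.scheme != "https" or not hook.hostname:
        raise ValueError("webhook URL must be an absolute https:// URL")
    # Percent-encode each path segment so a search name cannot change the endpoint.
    path = "/servicesNS/{}/{}/saved/searches/{}".format(
        *(urllib.parse.quote(p, safe="") for p in (owner, app, search_name)))
    body = urllib.parse.urlencode({
        "actions": "webhook",
        "action.webhook.param.url": webhook_url,
    }).encode("ascii")
    # Assumption: token authentication is enabled, so no password is needed
    # on the command line or in shell history.
    return urllib.request.Request(
        base_url.rstrip("/") + path, data=body, method="POST",
        headers={"Authorization": "Bearer " + token})

def splunkd_messages(xml_text):
    """Return (type, text) pairs from a splunkd <response><messages> body."""
    root = ET.fromstring(xml_text)
    return [(m.get("type"), (m.text or "").strip()) for m in root.iter("msg")]

def send(request):
    """Send with default TLS verification; return (HTTP status, messages)."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, []
    except urllib.error.HTTPError as err:
        return err.code, splunkd_messages(err.read().decode("utf-8", "replace"))
```
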

harsmarvania57
SplunkTrust
SplunkTrust

@sddunne Is this a report or an alert?

0 Karma

sddunne
Loves-to-Learn Lots

Hey @harsmarvania57 , it's an alert.

I'm trying to programmatically create alerts with a webhook action. When we onboard a new service, we set up a dedicated index and would like to be able to deploy our standard set of alerts as part of the onboarding process (we currently set up all the alerts manually in the console).

Many thanks,
Sean.

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Is it possible for you to provide how you are creating the alert? Also, it would be good to create a new question and refer to this link in that question.

0 Karma

sddunne
Loves-to-Learn Lots

Hi @harsmarvania57 ,

I found the problem: it was generating them as reports, so they were not showing up in the console in the 'alerts' section.

Do you know what I need to set on the report to make it show up as an alert?

Sean.

0 Karma

sddunne
Loves-to-Learn Lots

Hi there, I tried to use this and I get an error saying:

curl -k -u<removedforsecurity>:<removedforsecurity> https://<removedforsecurity>.splunkcloud.com:8089/servicesNS/cmpapi/search/saved/searches/seantest-CreateAccessKey -d actions=webhook -d action.webhook.param.url="https://your.server.com/api/v1/webhook"


<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Argument "action.webhook.param.url" is not supported by this handler.</msg>
</messages>
</response>

No matter what I try, I get the unsupported error. This is on a Splunk Cloud instance. Is this accurate or is there another way of creating an alert with a webhook action?

Many thanks!

0 Karma

bhavneet91
Engager

Surprised that it is not available in the documentation.

0 Karma

santosh_sshanbh
Explorer

How can I pass any other parameters to my POST method using this approach?

0 Karma

juliennerocafor
New Member

Hello @santosh_sshanbhag , I would just like to ask if you were able to have a solution for your inquiry?

0 Karma