Alerting

Can we set up alerts using the REST API, with an action to send a POST request to a webhook?

bhavneet91
Engager

We want to set up alerts using the REST API.
https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches describes how we can do it with a POST request to /saved/searches.

But this only talks about email as an action. Can we have the action be a call to a webhook when the alert is set up through the REST API?

1 Solution

harsmarvania57
Ultra Champion

Hi @bhavneet91,

Yes, you can use the REST API call below to enable webhook alert actions on a scheduled search.

curl -k -u admin:pass https://localhost:8089/servicesNS/<USER>/<APP>/saved/searches/MySavedSearch -d actions=webhook -d action.webhook.param.url="https://your.server.com/api/v1/webhook"


santosh_sshanbh
Path Finder

No, ultimately I have to write a Python script to create an object and set all its properties before I call the POST method.

Jknike
Loves-to-Learn Lots

Hi Santosh,

Is it possible for you to share the Python script you created? I have something similar to be done for one of my clients.

mstjohn_splunk
Splunk Employee

Hi @bhavneet91,

Did you get a chance to try @bhavneet91's solution? If so, would you mind approving the answer below? Or, if it didn't work, go ahead and post some more details about your issue.

Thanks for posting!

sandeepduppalli
Explorer

Will the type be created as "Report" or "Alert"? There are two types: one is "Report" and the other is "Alert". I have created a saved search, created its schedule, etc., but the type is still "Report". How do I do it for the "Alert" type?

sddunne
Explorer

Hey @harsmarvania57 ,

I tried to use this (against our Splunk Cloud instance) and I get an error saying:

curl -k -u<removedforsecurity>:<removedforsecurity> https://<removedforsecurity>.splunkcloud.com:8089/servicesNS/cmpapi/search/saved/searches/seantest-CreateAccessKey -d actions=webhook -d action.webhook.param.url="https://your.server.com/api/v1/webhook"

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Argument "action.webhook.param.url" is not supported by this handler.</msg>
</messages>
</response>

No matter what I try I get the unsupported error. This is on a Splunk Cloud instance. Is this accurate or is there another way of creating an alert with a webhook action?

Many thanks!

harsmarvania57
Ultra Champion

@sddunne, is this a report or an alert?

sddunne
Explorer

Hey @harsmarvania57 , it's an alert.

I'm trying to programmatically create alerts with a webhook action. When we onboard a new service, we set up a dedicated index and would like to be able to deploy our standard set of alerts as part of the onboarding process (we currently set up all the alerts manually in the console).

Many thanks,
Sean.

harsmarvania57
Ultra Champion

Is it possible for you to provide how you are creating the alert? Also, it would be good to create a new question and refer to this link in that question.

sddunne
Explorer

Hi @harsmarvania57,

I found the problem: it was generating them as reports, and so they were not showing up in the 'alerts' section of the console.

Do you know what I need to set on the report to make it show up as an alert?

Sean.
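Added example, not code from the thread or from Splunk: a Python script that builds the saved-search fields the accepted answer passes with curl -d (actions=webhook, action.webhook.param.url), parses the XML error response quoted above, and sends the request with an authentication token over verified TLS instead of admin:pass and curl -k. The alert_type, alert_comparator, alert_threshold and alert.track fields are assumed savedsearches.conf settings for making the scheduled search an alert rather than a report; the thread itself leaves that point open.

```python
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_alert_payload(name, search, webhook_url, cron="*/5 * * * *"):
    """Form fields for POST .../saved/searches; same keys the thread's curl passes with -d."""
    if not webhook_url.startswith("https://"):
        # Alert payloads carry event data, so refuse to deliver them over plain HTTP.
        raise ValueError("webhook URL must use https")
    return {
        "name": name,
        "search": search,
        "is_scheduled": "1",
        "cron_schedule": cron,
        "dispatch.earliest_time": "-5m",
        "dispatch.latest_time": "now",
        # Assumed savedsearches.conf settings that distinguish an alert from a report.
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": "0",
        "alert.track": "1",
        # The two settings from the accepted answer.
        "actions": "webhook",
        "action.webhook.param.url": webhook_url,
    }


def parse_rest_errors(xml_body):
    """Return the ERROR message texts from a Splunk REST XML response ([] if none)."""
    root = ET.fromstring(xml_body)
    return [m.text or "" for m in root.iter("msg") if m.get("type") == "ERROR"]


def create_alert(base_url, user, app, token, payload):
    """POST the payload; raise RuntimeError carrying Splunk's ERROR messages on failure."""
    url = f"{base_url}/servicesNS/{user}/{app}/saved/searches"
    data = urllib.parse.urlencode(payload).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    # Authentication token instead of admin:pass on the command line (visible in ps/history).
    req.add_header("Authorization", f"Bearer {token}")
    try:
        # TLS verification stays on: no equivalent of curl -k.
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as exc:
        errors = parse_rest_errors(exc.read())
        raise RuntimeError(f"Splunk rejected the request: {errors}") from exc
```

Call create_alert("https://localhost:8089", "<USER>", "<APP>", token, build_alert_payload("MySavedSearch", "index=main | head 1", "https://your.server.com/api/v1/webhook")) with a real token; an "is not supported by this handler" response like the one above surfaces as the RuntimeError text.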

siddhant
Engager

Did you find out how can we save it as alert? A new report is getting created.

sddunne
Explorer

Hi there, I tried to use this and I get an error saying:

curl -k -u<removedforsecurity>:<removedforsecurity> https://<removedforsecurity>.splunkcloud.com:8089/servicesNS/cmpapi/search/saved/searches/seantest-CreateAccessKey -d actions=webhook -d action.webhook.param.url="https://your.server.com/api/v1/webhook"

<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Argument "action.webhook.param.url" is not supported by this handler.</msg>
</messages>
</response>

No matter what I try I get the unsupported error. This is on a Splunk Cloud instance. Is this accurate or is there another way of creating an alert with a webhook action?

Many thanks!

bhavneet91
Engager

Surprised why it is not available in the documentation.

santosh_sshanbh
Path Finder

How can I pass any other parameters to my POST method using this approach?

juliennerocafor
New Member

Hello @santosh_sshanbhag, I would just like to ask if you were able to find a solution for your inquiry?
