Alerting

How do I view Webhook content in Splunk?

BryanScovill
Explorer

We're struggling a bit with trying to use Webhooks instead of custom scripts in our alerts. Just as a simple test, we've created an alert to generate a post to one of our systems and instead of the JSON, all we appear to receive is "1". Are there any suggestions regarding the best way to test the received data? Is there anywhere that the payload is logged on the search head? I can see in the splunkd.log the event, but not the content...

10-10-2018 09:51:08.880 -0400 INFO  sendmodalert - action=webhook STDERR -  Sending POST request to url=https://redacted.supercool.address/test with size=5043 bytes payload

The STDERR in there does raise my eyebrows.

Any guidance would be appreciated.


tgendron_splunk
Splunk Employee

Hi Bryan,

One way to test connectivity is to use webhook.site as a test endpoint. That site will provide a URL that you can POST to and see if the request gets there. Here is an example using curl.

curl -X POST -H 'Content-Type: application/json' --data '{"username":"foo", "password":"bar"}' https://webhook.site/40767741-9583-4cc6-8934-163ffab666ef
Nice Job!

The URL was generated by webhook.site, which makes it easy to copy and paste as above. I set it up to return the "Nice Job!" result string. I did nothing else other than that.

On webhook.site you will see the JSON data displayed along with some connectivity metadata. If the curl example works, then the same URL will work with an alert. I tested it and confirmed it. The JSON doc sent by the alert looks like this on webhook.site.

I just pasted the URL into the form for creating a webhook in the Splunk UI.

Here is the result shown at the URL endpoint on the webhook.site.

{
  "owner": "admin",
  "app": "search",
  "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "search_name": "my_alertTest2",
  "results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "result": {
    "date_minute": "13",
    "timestartpos": "0",
    "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -",
    "_serial": "2",
    "_sourcetype": "mytransform:alerts",
    "date_zone": "local",
    "index": "alert_test",
    "sourcetype": "mytransform:alerts",
    "date_second": "13",
    "date_month": "october",
    "punct": "--::......__-\"\"---",
    "source": "/var/tmp/alert_sample.log",
    "host": "ufd1",
    "_confstr": "source::/var/tmp/alert_sample.log|host::ufd1|mytransform:alerts",
    "date_hour": "18",
    "date_wday": "wednesday",
    "_kv": "1",
    "_si": [
      "idx1",
      "alert_test"
    ],
    "date_mday": "17",
    "_indextime": "1539799995",
    "splunk_server": "idx1",
    "date_year": "2018",
    "_time": "1539799993",
    "timeendpos": "20"
  }
}

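The answer above uses webhook.site, which is fine for a connectivity check, but note that the payload carries the triggering event itself (the `_raw` field), so pointing a production alert at a third-party site ships event contents out of your environment. The alternative, and a direct answer to "where is the payload logged?", is a small receiver you run yourself that writes the raw POST body to its own log before parsing it. The following is an added example, not code from the original thread or from Splunk; the listening port, the secret path segment, and the `SAMPLE_DOC` (constructed from the payload shown in the answer, trimmed to the fields used) are assumptions. The Content-Type check relies on the Splunk webhook action sending `application/json`, which is what it does.

```python
"""Local receiver for Splunk webhook alert actions.

Added example; not code from the original thread or from Splunk. It logs the
raw POST body verbatim, parses the JSON document Splunk sends, and rejects
anything that does not look like it. Port, secret path segment and the
SAMPLE_DOC below are assumptions.
"""
import json
import logging
import secrets
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, Optional

log = logging.getLogger("splunk_webhook")

# The Splunk webhook action lets you configure only a URL, so a random path
# segment is a cheap way to keep unrelated clients from hitting the endpoint.
# Hypothetical value: generate your own and set the alert's webhook URL to
# http://<host>:9000/hook/<SECRET>.
SECRET = "replace-with-a-long-random-string"
MAX_BODY = 1 << 20  # 1 MiB cap; a single-result alert payload is a few KB

# Constructed from the sample payload in the answer above, trimmed to the
# fields this receiver extracts.
SAMPLE_DOC = {
    "owner": "admin",
    "app": "search",
    "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
    "search_name": "my_alertTest2",
    "results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
    "result": {
        "_raw": '2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - "login success" - - -',
        "host": "ufd1",
        "sourcetype": "mytransform:alerts",
        "index": "alert_test",
        "_time": "1539799993",
    },
}
SAMPLE_PAYLOAD = json.dumps(SAMPLE_DOC).encode("utf-8")


class WebhookError(ValueError):
    """Raised when a request body is not a usable Splunk alert payload."""


def parse_splunk_webhook(body: bytes, content_type: Optional[str]) -> Dict[str, Any]:
    """Parse the JSON object Splunk POSTs for a triggered alert.

    Returns a flat dict of identifying fields plus the triggering event's _raw
    text. Values are coerced to str: the payload carries whatever the indexed
    event contained, so downstream code must treat them as untrusted input.
    """
    if not content_type or not content_type.lower().startswith("application/json"):
        raise WebhookError(f"unexpected Content-Type: {content_type!r}")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise WebhookError(f"body is not JSON: {exc}") from exc
    if not isinstance(doc, dict):
        # A body consisting of just "1" parses as the int 1 and lands here,
        # which tells you the receiver got a bare scalar, not an alert document.
        raise WebhookError(f"expected a JSON object, got {type(doc).__name__}")
    missing = [k for k in ("sid", "search_name", "result") if k not in doc]
    if missing:
        raise WebhookError(f"payload missing keys: {missing}")
    result = doc["result"]
    if not isinstance(result, dict):
        raise WebhookError("'result' is not a JSON object")
    return {
        "search_name": str(doc["search_name"]),
        "sid": str(doc["sid"]),
        "owner": str(doc.get("owner", "")),
        "app": str(doc.get("app", "")),
        "results_link": str(doc.get("results_link", "")),
        "host": str(result.get("host", "")),
        "sourcetype": str(result.get("sourcetype", "")),
        "raw": str(result.get("_raw", "")),
    }


def validation_error(body: bytes, content_type: Optional[str]) -> Optional[str]:
    """Return the rejection reason for a body, or None if it parses cleanly."""
    try:
        parse_splunk_webhook(body, content_type)
    except WebhookError as exc:
        return str(exc)
    return None


class SplunkWebhookHandler(BaseHTTPRequestHandler):
    received: list = []  # accepted payloads, kept in memory for inspection

    def do_POST(self) -> None:
        # Constant-time compare so the secret path is not leaked via timing.
        if not secrets.compare_digest(self.path.encode(), f"/hook/{SECRET}".encode()):
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length") or 0)
        if length <= 0:
            self.send_error(411)
            return
        if length > MAX_BODY:
            self.send_error(413)
            return
        body = self.rfile.read(length)
        # The line the question asks for: the payload exactly as received.
        log.info("POST %s size=%d payload=%s", self.path, len(body), body.decode("utf-8", "replace"))
        try:
            record = parse_splunk_webhook(body, self.headers.get("Content-Type"))
        except WebhookError as exc:
            log.warning("rejected: %s", exc)
            self.send_error(400, str(exc))
            return
        self.received.append(record)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")

    def log_message(self, fmt: str, *args: Any) -> None:
        log.debug(fmt, *args)  # route http.server's own access log through logging


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9000
    log.info("listening on http://127.0.0.1:%d/hook/<SECRET>", port)
    HTTPServer(("127.0.0.1", port), SplunkWebhookHandler).serve_forever()
```

Run it with `python receiver.py 9000`, then either `curl -X POST -H 'Content-Type: application/json' --data @payload.json http://127.0.0.1:9000/hook/<SECRET>` or point the alert's webhook URL at it; every request body appears in the receiver's log at INFO before any parsing happens, so a body of `1` or an empty body is visible as such. The receiver binds to loopback only; put a TLS-terminating reverse proxy in front of it for anything beyond a search head on the same host. On Splunk versions that ship an allowedDomainList setting for the webhook action in alert_actions.conf, the destination host must also be on that list or the POST is never sent.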