Alerting

How do I view Webhook content in Splunk?

BryanScovill
Explorer

We're struggling a bit with trying to use Webhooks instead of custom scripts in our alerts. Just as a simple test, we've created an alert to generate a post to one of our systems and instead of the JSON, all we appear to receive is "1". Are there any suggestions regarding the best way to test the received data? Is there anywhere that the payload is logged on the search head? I can see in the splunkd.log the event, but not the content...

10-10-2018 09:51:08.880 -0400 INFO  sendmodalert - action=webhook STDERR -  Sending POST request to url=https://redacted.supercool.address/test with size=5043 bytes payload

The STDERR in there does raise my eyebrows.

Any guidance would be appreciated.


tgendron_splunk
Splunk Employee

Hi Bryan,

One way to test connectivity is to use webhook.site as a test endpoint. That site will provide a URL that you can POST to and see if it gets there. Here is an example using curl.

curl -X POST -H 'Content-Type: application/json' --data '{"username":"foo", "password":"bar"}' https://webhook.site/40767741-9583-4cc6-8934-163ffab666ef
Nice Job!

The URL was generated by webhook.site, which makes it easy to copy and paste as above. I set it up to return the Nice Job! result string. I did nothing else other than that.

On webhook.site you will see the JSON data displayed along with some connectivity metadata. If the curl example works, then the same URL will work with an alert. I tested it and confirmed it. The JSON doc sent by the alert looks like this on webhook.site.

I just pasted the URL into the form for creating a webhook in the Splunk UI.

Here is the result shown at the URL endpoint on the webhook.site.

{
  "owner": "admin",
  "app": "search",
  "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "search_name": "my_alertTest2",
  "results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "result": {
    "date_minute": "13",
    "timestartpos": "0",
    "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -",
    "_serial": "2",
    "_sourcetype": "mytransform:alerts",
    "date_zone": "local",
    "index": "alert_test",
    "sourcetype": "mytransform:alerts",
    "date_second": "13",
    "date_month": "october",
    "punct": "--::......__-\"\"---",
    "source": "/var/tmp/alert_sample.log",
    "host": "ufd1",
    "_confstr": "source::/var/tmp/alert_sample.log|host::ufd1|mytransform:alerts",
    "date_hour": "18",
    "date_wday": "wednesday",
    "_kv": "1",
    "_si": [
      "idx1",
      "alert_test"
    ],
    "date_mday": "17",
    "_indextime": "1539799995",
    "splunk_server": "idx1",
    "date_year": "2018",
    "_time": "1539799993",
    "timeendpos": "20"
  }
}
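The payload shown above carries the raw event text and a results_link pointing at the internal search head (shd1:8000), so posting real alerts to a public echo service hands that data to a third party. A local receiver answers the original question ("is there anywhere the payload is logged?") without that exposure. The following is an added example, not code from the thread or from Splunk: a minimal HTTP listener that prints every POST's headers and body, parses it as a Splunk webhook payload, and answers 400 when the body is not the expected JSON object (so a stray "1" is flagged rather than swallowed). The listen address, port, and the abridged sample payload (constructed from the JSON in the answer) are assumptions for the example.

```python
"""Local receiver for inspecting Splunk webhook alert payloads.

Added example, not from the original thread or from Splunk. Stands in for
webhook.site so the alert payload never leaves the network. Assumptions: the
alert posts JSON shaped like the sample in the answer above; 127.0.0.1:8081
is an arbitrary listen address.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample, abridged from the JSON shown in the answer above.
SAMPLE_PAYLOAD = json.dumps({
    "owner": "admin",
    "app": "search",
    "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
    "search_name": "my_alertTest2",
    "results_link": "http://shd1:8000/app/search/@go?sid="
                    "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
    "result": {
        "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 "
                "- \"login success\" - - -",
        "host": "ufd1",
        "sourcetype": "mytransform:alerts",
        "_time": "1539799993",
    },
}).encode()

RECEIVED = []  # summaries of every accepted POST, for later inspection


def parse_splunk_webhook(body: bytes) -> dict:
    """Decode a webhook body and pull out the fields worth logging.

    Raises ValueError when the body is not the JSON object the webhook action
    sends, so a bare "1" or an HTML error page is reported, not accepted.
    """
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"body is not JSON: {body[:64]!r}") from exc
    if not isinstance(doc, dict) or "search_name" not in doc:
        raise ValueError("JSON lacks search_name; not a Splunk alert payload")
    result = doc.get("result") or {}
    return {
        "search_name": doc["search_name"],
        "sid": doc.get("sid"),
        "host": result.get("host"),
        "sourcetype": result.get("sourcetype"),
        "raw": result.get("_raw"),
        "field_count": len(result),
    }


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        # Log exactly what arrived: client, path, headers, then the raw body.
        # Compare the byte count with the size= value in splunkd.log.
        print(f"{self.client_address[0]} POST {self.path}")
        for name, value in self.headers.items():
            print(f"  {name}: {value}")
        print(f"  body ({len(body)} bytes): {body.decode('utf-8', 'replace')}")
        try:
            summary = parse_splunk_webhook(body)
            RECEIVED.append(summary)
            status, reply = 200, json.dumps(summary)
        except ValueError as exc:
            status, reply = 400, json.dumps({"error": str(exc)})
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(reply.encode())

    def log_message(self, fmt, *args):  # silence the default access log
        pass


def serve(host="127.0.0.1", port=8081):
    """Run the receiver in the foreground; set the Splunk webhook URL to it."""
    HTTPServer((host, port), WebhookHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on a host the search head can reach, repeat the curl test from the answer against http://127.0.0.1:8081/test to confirm the listener itself works, then paste the same URL into the alert's webhook action. The printed Content-Length should match the size= figure that sendmodalert writes to splunkd.log; if the body printed is something other than the JSON object, the problem is on the sending side rather than at the endpoint.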