How do I view Webhook content in Splunk?

We're struggling a bit with trying to use Webhooks instead of custom scripts in our alerts. Just as a simple test, we've created an alert to generate a post to one of our systems and instead of the JSON, all we appear to receive is "1". Are there any suggestions regarding the best way to test the received data? Is there anywhere that the payload is logged on the search head? I can see in the splunkd.log the event, but not the content...
10-10-2018 09:51:08.880 -0400 INFO sendmodalert - action=webhook STDERR - Sending POST request to url=https://redacted.supercool.address/test with size=5043 bytes payload
The STDERR in there does raise my eyebrows.
Any guidance would be appreciated.

Hi Bryan,
One way to test connectivity is to use webhook.site as a test endpoint. That site will provide a URL that you can POST to and see if it gets there. Here is an example using curl.
curl -X POST -H 'Content-Type: application/json' --data '{"username":"foo", "password":"bar"}' https://webhook.site/40767741-9583-4cc6-8934-163ffab666ef
Nice Job!
The URL was generated by webhook.site, which makes it easy to copy and paste as above. I set it up to return the Nice Job! result string. I did nothing else other than that.
On webhook.site you will see the JSON data displayed along with some connectivity metadata. If the curl example works, then the same URL will work with an alert. I tested it and confirmed it. The JSON doc sent by the alert looks like this on the webhook site.
I just pasted the URL into the form for creating a webhook in the Splunk UI.
Here is the result shown at the URL endpoint on the webhook.site.
{
  "owner": "admin",
  "app": "search",
  "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "search_name": "my_alertTest2",
  "results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduleradminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "result": {
    "date_minute": "13",
    "timestartpos": "0",
    "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -",
    "_serial": "2",
    "_sourcetype": "mytransform:alerts",
    "date_zone": "local",
    "index": "alert_test",
    "sourcetype": "mytransform:alerts",
    "date_second": "13",
    "date_month": "october",
    "punct": "--::......__-\"\"---",
    "source": "/var/tmp/alert_sample.log",
    "host": "ufd1",
    "_confstr": "source::/var/tmp/alert_sample.log|host::ufd1|mytransform:alerts",
    "date_hour": "18",
    "date_wday": "wednesday",
    "_kv": "1",
    "_si": [
      "idx1",
      "alert_test"
    ],
    "date_mday": "17",
    "_indextime": "1539799995",
    "splunk_server": "idx1",
    "date_year": "2018",
    "_time": "1539799993",
    "timeendpos": "20"
  }
}
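
A local alternative to a public test endpoint, as an added example that is not part of the original posts: a small Python listener that records each POST and reports whether the body is the alert JSON document or something else, such as the bare "1" described in the question. The bind address 127.0.0.1, port 8099 and the names summarize, Capture and RECEIVED are assumptions for illustration; the expected keys are taken from the payload shown above.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Top-level keys of the alert document shown in the answer above.
EXPECTED_KEYS = {"owner", "app", "sid", "search_name", "results_link", "result"}
RECEIVED = []  # summaries of every POST seen, newest last (hypothetical name)

def summarize(body, content_type):
    """Describe one received POST body without assuming it is valid JSON."""
    info = {"bytes": len(body), "content_type": content_type, "valid": False}
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        info["error"] = f"not JSON: {exc}"
        return info
    if not isinstance(doc, dict):
        # A bare "1" parses as JSON but is not the alert document.
        info["error"] = f"JSON {type(doc).__name__}, expected object"
        return info
    info["missing"] = sorted(EXPECTED_KEYS - set(doc))
    info["valid"] = not info["missing"]
    info["search_name"] = doc.get("search_name")
    info["sid"] = doc.get("sid")
    result = doc.get("result")
    info["result_fields"] = sorted(result) if isinstance(result, dict) else []
    return info

class Capture(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length)
        RECEIVED.append(summarize(body, self.headers.get("Content-Type", "")))
        print(json.dumps(RECEIVED[-1], indent=2))
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass  # keep the console limited to the payload summaries

if __name__ == "__main__":
    # Assumed bind address and port; use an address the search head can reach.
    HTTPServer(("127.0.0.1", 8099), Capture).serve_forever()
```

Comparing the reported byte count with the `size=` value in the `sendmodalert` line of splunkd.log shows whether the body was altered or dropped between the search head and the receiver.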
