Alerting

How do I view Webhook content in Splunk?

BryanScovill
Explorer

We're struggling a bit with trying to use Webhooks instead of custom scripts in our alerts. Just as a simple test, we've created an alert to generate a post to one of our systems and instead of the JSON, all we appear to receive is "1". Are there any suggestions regarding the best way to test the received data? Is there anywhere that the payload is logged on the search head? I can see in the splunkd.log the event, but not the content...

10-10-2018 09:51:08.880 -0400 INFO  sendmodalert - action=webhook STDERR -  Sending POST request to url=https://redacted.supercool.address/test with size=5043 bytes payload

The STDERR in there does raise my eyebrows.

Any guidance would be appreciated.

Tags (1)
0 Karma

tgendron_splunk
Splunk Employee
Splunk Employee

Hi Bryan,

One way to test connectivity is to use the webhook.site as a test end point. That site will provide a url that you can POST to and see if it gets there. Here is an example using curl.

curl -X POST -H 'Content-Type: application/json' --data '{"username":"foo", "password":"bar"}' https://webhook.site/40767741-9583-4cc6-8934-163ffab666ef
Nice Job!

The URL was generated by the webhook.site which makes it easy to copy and paste as above. I set it up to return the Nice Job! result string. I did nothing else other then that.

On the webhook.site you will see the json data displayed along with some connectivity meta-data. If the curl example works, then the same URL will work with an alert. I tested it and conformed it. The json doc sent by the alert looks like this on the webhook site.

I just pasted the URL into the form for creating a webhook in the Splunk UI.

Here is the result shown at the URL endpoint on the webhook.site.

{
"owner": "admin",
"app": "search",
"sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
"search_name": "my_alertTest2",
"results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduler
adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
"result": {
"date_minute": "13",
"timestartpos": "0",
"_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -",
"_serial": "2",
"_sourcetype": "mytransform:alerts",
"date_zone": "local",
"index": "alert_test",
"sourcetype": "mytransform:alerts",
"date_second": "13",
"date_month": "october",
"punct": "--
::......__-\"\"---",
"source": "/var/tmp/alert_sample.log",
"host": "ufd1",
"_confstr": "source::/var/tmp/alert_sample.log|host::ufd1|mytransform:alerts",
"date_hour": "18",
"date_wday": "wednesday",
"_kv": "1",
"_si": [
"idx1",
"alert_test"
],
"date_mday": "17",
"_indextime": "1539799995",
"splunk_server": "idx1",
"date_year": "2018",
"_time": "1539799993",
"timeendpos": "20"
}
}

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...