- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- How to get Splunk Webhook Alert actions to send en...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I had a sample test on the Splunk Webhook Alert action and it seems the webbhook sends the first result from the search results. Is there a way to send the entire search results as JSON payload?
Thanks
Mathan J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know that it is possible to get them all in a single trigger.
What I did in a similar case, is I triggered the alert once per result. Can this work for you?
If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
Reading this, keep in mind that a custm-alert-action is a one-alert-app, sort of, that plugs into the 'Add Actions' drop down, and has its own setup, triggering dialog, icon, script, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When setting up your own Custom Alert Action, the payload should have an entry to the search results directly:
<results_file>%your_splunk_path%/var/run/splunk/dispatch/scheduler__admin_%a_hash_value%/tmp_0.csv.gz</results_file>
As ramabu already listed, here are the docs, http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know that it is possible to get them all in a single trigger.
What I did in a similar case, is I triggered the alert once per result. Can this work for you?
If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
Reading this, keep in mind that a custm-alert-action is a one-alert-app, sort of, that plugs into the 'Add Actions' drop down, and has its own setup, triggering dialog, icon, script, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Got a solution to get all the results. We actually took slightly a different route to fit our requirements.
We still plan to use the Out of the box Webhook which will be triggered on a certain condition followed by a web service is exposed to receive the alert.
With the web service we get the first result from the payload, in addition we also get the search id.
Having the search id , we got a way to call the REST API that returns the complete search results in XML, based on which we can parse ..etc.
Sample REST API URL : https://SplunkServer:port/services/nobody/applicaitonname/search/jobs/Searchid_from_webhook/results_...
Thanks
Mathan J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer. I had really hoped there was a better solution to get POST with the full results. This is very inefficient. If anyone else has a way to get full results in the POST I am very interested.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you get an answer for this? I am having the same problem and cant find anything here. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I see the workaround of triggering the alert once per result. In such case it would increase the network traffic as we will have more number of search results (>100) and multiple webhooks will be configured of different types. Do you agree? Preferably I would think getting all the results set at once shot would help the receiving service to parse through and take necessary actions.
Thanks
Mathan J
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the results are interrelated, and the receiving service needs them all to handle them properly, then this is surely not a workaround.
And I agree that network traffic will increase, and the receiving service will be posted >100 times more often.
It is just that the webhook is more of an illustrative example of a custom alert action, suitable for specific, not all, cases.
See also the following questions I answered to myself...
https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html
https://answers.splunk.com/answers/351433/is-it-possible-to-use-a-configuration-stanza-in-we-1.html
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
