How to get Splunk Webhook Alert actions to send entire search results as JSON payload?

Mathanjey
Explorer

Hi,

I had a sample test on the Splunk Webhook Alert action and it seems the webhook sends the first result from the search results. Is there a way to send the entire search results as a JSON payload?

Thanks
Mathan J

1 Solution

ramabu
Path Finder

I don't know that it is possible to get them all in a single trigger.
What I did in a similar case is trigger the alert once per result. Can this work for you?

If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro

Reading this, keep in mind that a custom alert action is a one-alert app, sort of, that plugs into the 'Add Actions' drop-down, and has its own setup, triggering dialog, icon, script, etc.

0 Karma

cb_usps
Explorer

When setting up your own Custom Alert Action, the payload should have an entry pointing directly to the search results:

<results_file>%your_splunk_path%/var/run/splunk/dispatch/scheduler__admin_%a_hash_value%/tmp_0.csv.gz</results_file>

As ramabu already listed, here are the docs, http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro

0 Karma
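As an added example (not code from the thread or from Splunk), the skeleton of a custom alert action script that does what the question asks for: read the file named in the payload's `results_file` entry and emit the whole result set as JSON rather than only the first row. Splunk hands modular alert scripts the payload as JSON on stdin when invoked with `--execute`; the demo branch, the sample rows and the `results_file` path are constructed here so the script runs offline. Because the payload is input the script should not blindly trust, the path is only accepted if it resolves inside the dispatch directory, and Splunk's internal `__mv_*` multivalue helper columns are dropped from the output.

```python
# Added example (not from the thread or Splunk's own code): custom alert
# action skeleton that turns the results_file into a JSON document.
import csv
import gzip
import json
import os
import sys
import tempfile


def read_results_file(path):
    """Load a Splunk results file (gzip-compressed CSV) into a list of dicts."""
    with gzip.open(path, "rt", encoding="utf-8", newline="") as fh:
        return list(csv.DictReader(fh))


def results_to_json(payload, dispatch_dir):
    """Return the complete result set referenced by the payload as JSON.

    The results_file path is accepted only if it resolves under dispatch_dir,
    so a tampered payload cannot make the action read arbitrary files.
    """
    path = os.path.realpath(payload["results_file"])
    root = os.path.realpath(dispatch_dir)
    if os.path.commonpath([path, root]) != root:
        raise ValueError("results_file outside dispatch directory: %s" % path)
    rows = read_results_file(path)
    # Splunk stores multivalue metadata in __mv_<field> columns; drop them.
    cleaned = [{k: v for k, v in row.items() if not k.startswith("__mv_")}
               for row in rows]
    return json.dumps({
        "sid": payload["sid"],
        "search_name": payload.get("search_name"),
        "result_count": len(cleaned),
        "results": cleaned,
    })


def build_demo_payload(dispatch_dir):
    """Write a constructed results file and return a payload shaped like Splunk's."""
    sid = "scheduler__admin__search__DEMO"  # constructed sid
    path = os.path.join(dispatch_dir, sid, "tmp_0.csv.gz")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    rows = [  # constructed sample rows
        {"_time": "2024-03-01T10:00:00", "src_ip": "10.0.0.5", "count": "3"},
        {"_time": "2024-03-01T10:05:00", "src_ip": "10.0.0.9", "count": "7"},
    ]
    with gzip.open(path, "wt", encoding="utf-8", newline="") as fh:
        writer = csv.DictWriter(
            fh, fieldnames=["_time", "src_ip", "count", "__mv_src_ip"])
        writer.writeheader()
        for row in rows:
            writer.writerow({**row, "__mv_src_ip": ""})
    return {"sid": sid, "search_name": "demo search", "results_file": path}


def run_demo():
    """Exercise the conversion against the constructed payload; returns a dict."""
    with tempfile.TemporaryDirectory() as dispatch_dir:
        payload = build_demo_payload(dispatch_dir)
        return json.loads(results_to_json(payload, dispatch_dir))


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        # Real invocation by Splunk: payload arrives as JSON on stdin.
        payload = json.load(sys.stdin)
        dispatch = os.path.join(os.environ["SPLUNK_HOME"],
                                "var", "run", "splunk", "dispatch")
        print(results_to_json(payload, dispatch))
    else:
        print(json.dumps(run_demo(), indent=2))
```

In a real deployment the `print` would be replaced by the POST to your receiving service; the JSON shape (sid, search name, count, rows) is a choice made here, not a Splunk format.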

Mathanjey
Explorer

Got a solution to get all the results. We actually took a slightly different route to fit our requirements.

We still plan to use the out-of-the-box Webhook, which will be triggered on a certain condition, followed by a web service that is exposed to receive the alert.

With the web service we get the first result from the payload; in addition we also get the search id.

Having the search id, we got a way to call the REST API that returns the complete search results in XML, based on which we can parse, etc.

Sample REST API URL : https://SplunkServer:port/services/nobody/applicaitonname/search/jobs/Searchid_from_webhook/results_...

Thanks
Mathan J

0 Karma
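The receiving side of the approach described above, as an added example that is not part of the original post and not Splunk's code: the service takes the first result and the `sid` out of the webhook POST body, then pages through the job's full result set via the `search/jobs/<sid>/results` REST endpoint (here with `output_mode=json` rather than the XML the post mentions). The sample webhook body and the five-row result set are constructed; network access sits behind a `fetch` callable so the flow runs offline against a fake, and the real fetcher at the bottom assumes a session key in a `SPLUNK_TOKEN` environment variable (an assumed name). Since the webhook body is reachable by anyone who can reach the service, the sid is validated against the character set Splunk sids use before it is spliced into a URL.

```python
# Added example (not from the thread or Splunk's own code): webhook receiver
# that resolves the sid to the complete result set over the REST API.
import json
import os
import re
import urllib.parse
import urllib.request

# Splunk sids consist of letters, digits, '_', '.' and '-'; reject anything
# else so untrusted webhook content cannot steer the REST request.
SID_PATTERN = re.compile(r"^[A-Za-z0-9_.\-]{1,256}$")

# Constructed sample of a Splunk webhook POST body; the field names follow the
# out-of-the-box webhook alert action, the values are made up.
SAMPLE_WEBHOOK = json.dumps({
    "sid": "scheduler__admin__search__RMD5deadbeef_at_1709280000_42",
    "search_name": "Failed logins per source",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.com:8000/app/search/@go?sid=...",
    "result": {"src_ip": "10.0.0.5", "count": "17"},
}).encode()


def parse_webhook(body):
    """Extract the first result and a validated sid from the webhook body."""
    data = json.loads(body)
    sid = data.get("sid", "")
    if not isinstance(sid, str) or not SID_PATTERN.match(sid):
        raise ValueError("webhook carried an invalid sid: %r" % (sid,))
    return {"sid": sid, "search_name": data.get("search_name"),
            "first_result": data.get("result", {})}


def results_url(base_url, sid, offset, count):
    """Build the REST URL for one page of a finished job's results."""
    query = urllib.parse.urlencode(
        {"output_mode": "json", "offset": offset, "count": count})
    return "%s/services/search/jobs/%s/results?%s" % (
        base_url.rstrip("/"), urllib.parse.quote(sid, safe=""), query)


def fetch_all_results(base_url, sid, fetch, page_size=100):
    """Page through every result of the job; fetch(url) returns JSON bytes."""
    if not SID_PATTERN.match(sid):
        raise ValueError("refusing to query with invalid sid")
    rows, offset = [], 0
    while True:
        page = json.loads(fetch(results_url(base_url, sid, offset, page_size)))
        batch = page.get("results", [])
        rows.extend(batch)
        if len(batch) < page_size:      # short page means the job is exhausted
            return rows
        offset += page_size


def make_fake_fetch(all_rows):
    """Offline stand-in for the REST endpoint: serves all_rows in pages."""
    def fetch(url):
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        offset = int(params["offset"][0])
        count = int(params["count"][0])
        return json.dumps({"results": all_rows[offset:offset + count]}).encode()
    return fetch


def splunk_fetch(url):
    """Real fetcher: Splunk session-key auth, key read from SPLUNK_TOKEN (assumed)."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Splunk " + os.environ["SPLUNK_TOKEN"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def demo():
    """Run the whole flow against a constructed five-row result set."""
    hook = parse_webhook(SAMPLE_WEBHOOK)
    fake_rows = [{"src_ip": "10.0.0.%d" % i, "count": str(i)}
                 for i in range(1, 6)]
    rows = fetch_all_results("https://splunk.example.com:8089", hook["sid"],
                             make_fake_fetch(fake_rows), page_size=2)
    return hook, rows


if __name__ == "__main__":
    hook, rows = demo()
    print("first result from webhook:", hook["first_result"])
    print("full result set (%d rows):" % len(rows), json.dumps(rows))
```

Swap `make_fake_fetch(...)` for `splunk_fetch` to talk to a real management port; paging with `offset`/`count` keeps memory bounded on the receiver when the alert matches far more than the hundred-odd rows discussed in the thread.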

tavor999
New Member

Thanks for the answer. I had really hoped there was a better solution to get POST with the full results. This is very inefficient. If anyone else has a way to get full results in the POST I am very interested.

0 Karma

maximusdm
Communicator

Did you get an answer for this? I am having the same problem and can't find anything here. Thanks

0 Karma

Mathanjey
Explorer

Thanks, I see the workaround of triggering the alert once per result. In such a case it would increase the network traffic, as we will have a larger number of search results (>100) and multiple webhooks of different types will be configured. Do you agree? Preferably, I would think getting the whole result set in one shot would help the receiving service to parse through it and take the necessary actions.

Thanks
Mathan J

0 Karma

ramabu
Path Finder

If the results are interrelated, and the receiving service needs them all to handle them properly, then this is surely not a workaround.

And I agree that network traffic will increase, and the receiving service will be posted >100 times more often.

It is just that the webhook is more of an illustrative example of a custom alert action, suitable for specific, not all, cases.

See also the following questions I answered to myself...
https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html
https://answers.splunk.com/answers/351433/is-it-possible-to-use-a-configuration-stanza-in-we-1.html

0 Karma