Hi,
I had a sample test on the Splunk Webhook Alert action and it seems the webbhook sends the first result from the search results. Is there a way to send the entire search results as JSON payload?
Thanks
Mathan J
I don't know that it is possible to get them all in a single trigger.
What I did in a similar case, is I triggered the alert once per result. Can this work for you?
If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
Reading this, keep in mind that a custm-alert-action is a one-alert-app, sort of, that plugs into the 'Add Actions' drop down, and has its own setup, triggering dialog, icon, script, etc.
When setting up your own Custom Alert Action, the payload should have an entry to the search results directly:
<results_file>%your_splunk_path%/var/run/splunk/dispatch/scheduler__admin_%a_hash_value%/tmp_0.csv.gz</results_file>
As ramabu already listed, here are the docs, http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
I don't know that it is possible to get them all in a single trigger.
What I did in a similar case, is I triggered the alert once per result. Can this work for you?
If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
Reading this, keep in mind that a custm-alert-action is a one-alert-app, sort of, that plugs into the 'Add Actions' drop down, and has its own setup, triggering dialog, icon, script, etc.
Got a solution to get all the results. We actually took slightly a different route to fit our requirements.
We still plan to use the Out of the box Webhook which will be triggered on a certain condition followed by a web service is exposed to receive the alert.
With the web service we get the first result from the payload, in addition we also get the search id.
Having the search id , we got a way to call the REST API that returns the complete search results in XML, based on which we can parse ..etc.
Sample REST API URL : https://SplunkServer:port/services/nobody/applicaitonname/search/jobs/Searchid_from_webhook/results_...
Thanks
Mathan J
Thanks for the answer. I had really hoped there was a better solution to get POST with the full results. This is very inefficient. If anyone else has a way to get full results in the POST I am very interested.
did you get an answer for this? I am having the same problem and cant find anything here. Thanks
Thanks, I see the workaround of triggering the alert once per result. In such case it would increase the network traffic as we will have more number of search results (>100) and multiple webhooks will be configured of different types. Do you agree? Preferably I would think getting all the results set at once shot would help the receiving service to parse through and take necessary actions.
Thanks
Mathan J
If the results are interrelated, and the receiving service needs them all to handle them properly, then this is surely not a workaround.
And I agree that network traffic will increase, and the receiving service will be posted >100 times more often.
It is just that the webhook is more of an illustrative example of a custom alert action, suitable for specific, not all, cases.
See also the following questions I answered to myself...
https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html
https://answers.splunk.com/answers/351433/is-it-possible-to-use-a-configuration-stanza-in-we-1.html