Alerting

How to get Splunk Webhook Alert actions to send entire search results as JSON payload?

Mathanjey
Explorer

Hi,

I had a sample test on the Splunk Webhook Alert action and it seems the webhook sends the first result from the search results. Is there a way to send the entire search results as JSON payload?

Thanks
Mathan J

1 Solution

ramabu
Path Finder

I don't know that it is possible to get them all in a single trigger.
What I did in a similar case, is I triggered the alert once per result. Can this work for you?

If not, then you can probably write a custom_alert_action to do that. Not sure about the details, but they are here: http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro

Reading this, keep in mind that a custom-alert-action is a one-alert-app, sort of, that plugs into the 'Add Actions' drop down, and has its own setup, triggering dialog, icon, script, etc.

cb_usps
Explorer

When setting up your own Custom Alert Action, the payload should have an entry to the search results directly:

<results_file>%your_splunk_path%/var/run/splunk/dispatch/scheduler__admin_%a_hash_value%/tmp_0.csv.gz</results_file>

As ramabu already listed, here are the docs, http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro

Mathanjey
Explorer

Got a solution to get all the results. We actually took a slightly different route to fit our requirements.

We still plan to use the out of the box Webhook, which will be triggered on a certain condition, followed by a web service that is exposed to receive the alert.

With the web service we get the first result from the payload, in addition we also get the search id.

Having the search id, we got a way to call the REST API that returns the complete search results in XML, based on which we can parse, etc.

Sample REST API URL : https://SplunkServer:port/services/nobody/applicaitonname/search/jobs/Searchid_from_webhook/results_...

Thanks
Mathan J
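
The approach described in this post, as an added example that is not from the original thread or from Splunk: a small receiver-side Python routine that reads the webhook's JSON body, validates the sid before placing it in a URL, and fetches the full result set from the search jobs REST endpoint as JSON instead of XML. The payload field names, the servicesNS/nobody/<app>/search/jobs/<sid>/results path, the count=0 parameter and bearer-token auth are assumptions based on Splunk's REST API, not values taken from the post.

```python
import json
import re
from typing import Callable, Dict, List
from urllib.parse import urlencode

# Constructed sample of a Splunk webhook alert POST body. Field names follow the
# webhook action's JSON as I understand it (sid, search_name, app, owner,
# results_link, result); every value here is made up.
SAMPLE_WEBHOOK_BODY = json.dumps({
    "sid": "scheduler__admin__search__RMD5abc123_at_1700000000_42",
    "search_name": "Failed logins by host",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.invalid:8000/app/search/search?sid=...",
    "result": {"host": "web01", "count": "37"},
})

# Assumption: sid and app names only ever contain these characters. Rejecting
# anything else stops a forged POST from steering the follow-up REST call to a
# different path on the Splunk server (e.g. via '/' or '..' in the sid).
SAFE_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def parse_webhook(body: str) -> Dict[str, object]:
    """Extract sid, app and the single result the webhook carries, validating the identifiers."""
    payload = json.loads(body)
    sid, app = payload["sid"], payload.get("app", "search")
    for name, value in (("sid", sid), ("app", app)):
        if not isinstance(value, str) or not SAFE_RE.match(value):
            raise ValueError(f"refusing suspicious {name}: {value!r}")
    return {"sid": sid, "app": app, "first_result": payload.get("result", {})}


def results_url(base: str, app: str, sid: str) -> str:
    """Results endpoint for a finished job; count=0 asks for every row, output_mode=json for JSON."""
    query = urlencode({"output_mode": "json", "count": 0})
    return f"{base}/servicesNS/nobody/{app}/search/jobs/{sid}/results?{query}"


def fetch_all_results(base: str, token: str, body: str,
                      fetcher: Callable[[str, Dict[str, str]], str]) -> List[Dict[str, str]]:
    """Turn one webhook POST into the full result set. `fetcher(url, headers)` performs the
    HTTPS GET (e.g. a wrapper around requests.get with TLS verification on), so the logic
    can be exercised offline with a stand-in."""
    info = parse_webhook(body)
    headers = {"Authorization": f"Bearer {token}"}  # assumption: a Splunk auth token
    raw = fetcher(results_url(base, info["app"], info["sid"]), headers)
    return json.loads(raw)["results"]
```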

tavor999
New Member

Thanks for the answer. I had really hoped there was a better solution to get POST with the full results. This is very inefficient. If anyone else has a way to get full results in the POST I am very interested.

maximusdm
Communicator

Did you get an answer for this? I am having the same problem and can't find anything here. Thanks

Mathanjey
Explorer

Thanks, I see the workaround of triggering the alert once per result. In such a case it would increase the network traffic, as we will have a larger number of search results (>100) and multiple webhooks of different types will be configured. Do you agree? Preferably I would think getting the whole result set in one shot would help the receiving service to parse through and take the necessary actions.

Thanks
Mathan J

ramabu
Path Finder

If the results are interrelated, and the receiving service needs them all to handle them properly, then this is surely not a workaround.

And I agree that network traffic will increase, and the receiving service will be posted >100 times more often.

It is just that the webhook is more of an illustrative example of a custom alert action, suitable for specific, not all, cases.

See also the following questions I answered myself...
https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html
https://answers.splunk.com/answers/351433/is-it-possible-to-use-a-configuration-stanza-in-we-1.html
