Alerting

Is it possible to have an alert action be a POST to an external REST API and use macros for fields within the alert event?

jodros
Builder

Thanks

0 Karma

frobinson_splun
Splunk Employee

Hi @jodros,
If you are using the latest version of Splunk software, I would suggest taking a look at the webhook alert action. Here is some documentation about it:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks

Webhooks can POST information from an alert to an external web resource.

Hope this helps! Let me know if you need other suggestions.
All best,
@frobinson_splunk
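
The receiving side of the webhook answer above, as an added example (not code from this thread or from Splunk). Splunk 6.3 documents the webhook body as a JSON object with result, sid, results_link, search_name, owner and app, where result holds the first result row with every value as a string. The source allowlist, the field names src_ip/dest_ip/src_port/dest_port and the sample payload are assumptions for the example; the stock webhook action carries no credential, so the receiver has to trust the network path or sit behind something that adds authentication.

```python
"""
Minimal receiver for the Splunk webhook alert action.

Added example, not the thread's or Splunk's code. The payload shape follows
the documented webhook JSON; the allowlist and handler are assumptions.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from ipaddress import ip_address, ip_network

# Assumption: only these networks may deliver alerts (the webhook action
# sends an unauthenticated POST, so the receiver must restrict its callers).
ALLOWED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
REQUIRED_KEYS = ("result", "sid", "search_name", "owner", "app")
MAX_BODY = 1 << 20  # refuse multi-megabyte bodies before parsing them
TUPLE_FIELDS = ("src_ip", "dest_ip", "src_port", "dest_port")  # assumed CIM-style names


def source_allowed(addr):
    """True when the peer address is inside one of the allowed networks."""
    ip = ip_address(addr)
    return any(ip in net for net in ALLOWED_SOURCES)


def parse_webhook_payload(body):
    """Validate the webhook JSON and return the triggering event's fields."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("not JSON: %s" % exc) from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not an object")
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError("missing keys: %s" % missing)
    result = payload["result"]
    if not isinstance(result, dict):
        raise ValueError("result is not an object")
    return {
        "sid": str(payload["sid"]),
        "search_name": payload["search_name"],  # null for ad hoc searches
        "app": payload["app"],
        "fields": {str(k): str(v) for k, v in result.items()},
    }


def extract_tuple(fields):
    """Pull the network tuple the poster asked about out of the result row.
    Fields the search did not produce come back as None rather than raising."""
    return {k: fields.get(k) for k in TUPLE_FIELDS}


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not source_allowed(self.client_address[0]):
            self.send_error(403)
            return
        length = int(self.headers.get("Content-Length", "0"))
        if length > MAX_BODY:
            self.send_error(413)
            return
        try:
            event = parse_webhook_payload(self.rfile.read(length))
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        print(event["sid"], extract_tuple(event["fields"]))  # hand off to your action here
        self.send_response(204)
        self.end_headers()


# Constructed sample in the documented shape; not captured from a real instance.
SAMPLE_PAYLOAD = json.dumps({
    "result": {"src_ip": "203.0.113.5", "dest_ip": "10.1.2.3", "dest_port": "445", "count": "8"},
    "sid": "scheduler__admin__search__RMD5abc_at_1700000000_1",
    "results_link": "https://splunk.example.local:8000/app/search/@go?sid=scheduler__admin__search__RMD5abc_at_1700000000_1",
    "search_name": "Blocked SMB from internet",
    "owner": "admin",
    "app": "search",
}).encode()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), WebhookHandler).serve_forever()
```

Point the webhook action at http://<receiver>:8081/ and the handler prints the sid and the tuple for each trigger. Note that only the first result row arrives in "result"; an alert that matched several events delivers one of them.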

jodros
Builder

George, I heard you talk at Splunk Live ATL. Were you the one with the quarantine integration on IPS for bad actors? If so, could we talk off list?

0 Karma

starcher
Influencer

Yup that is me. That code is represented in the repo. Though I do need to redo all this in the new alert framework as mentioned by frobinson above in the comments. george@georgestarcher.com will reach me.

0 Karma

jodros
Builder

I saw this as a new feature with 6.3 and will test. However, based on my reading it doesn't look to be very configurable or support the macros I would want: source and/or destination IP, source and/or destination port, etc.

frobinson_splun
Splunk Employee

Understandable. Depending on your use case, you can also build a custom alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.0/AdvancedDev/ModAlertsIntro

0 Karma

jodros
Builder

Thanks starcher. I figured it would probably come down to a python script, but I am not a very strong script writer. I will try to research a bit and see what I can find to create a script for this sort of integration.

0 Karma

starcher
Influencer

You can use my code as a model/base. It is MIT licensed, so you are free to use it how you wish, with the only restriction being: don't blame me if you don't like it 😃

0 Karma

starcher
Influencer

You can always make your own Python code and send in the results as a table CSV for it to act on, similar to what I do here: https://github.com/georgestarcher/Splunk-Alert/tree/master/XARF. Not GUI-simple, but it works.

0 Karma
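
The custom alert action that frobinson's ModAlertsIntro link and starcher's "send in the results as a table CSV" answer both describe, as an added example (not starcher's code from the Splunk-Alert repo and not Splunk's). It follows the documented modular alert contract for Splunk 6.3 and later: splunkd runs the script with --execute and writes a JSON payload to stdin whose results_file points at a gzipped CSV of the triggering results and whose configuration carries the parameters set in alert_actions.conf. The parameter names url and token, the quarantine endpoint, the CIM-style field names and the sample rows are assumptions for the example.

```python
"""
Custom (modular) alert action that POSTs each triggering result to an
external REST API. Added example; not starcher's code and not Splunk's.
Assumed: alert_actions.conf defines param.url and param.token, and the
search emits src_ip/dest_ip/src_port/dest_port.
"""
import csv
import gzip
import json
import os
import sys
import tempfile
import urllib.request

# Only these fields leave Splunk; the rest of the row stays behind so the
# integration does not leak unrelated event data to the remote system.
FIELDS = ("src_ip", "dest_ip", "src_port", "dest_port")


def read_results(results_file):
    """Yield each row of the gzipped results CSV as a dict."""
    with gzip.open(results_file, "rt", newline="") as fh:
        for row in csv.DictReader(fh):
            yield row


def build_body(row, payload):
    """Map one result row onto the JSON body the remote API expects."""
    body = {k: row.get(k) for k in FIELDS}
    body["sid"] = payload["sid"]
    body["search_name"] = payload.get("search_name")
    return body


def send_json(url, body, token, send=None):
    """POST body as JSON and return the HTTP status. `send` can be injected
    for dry runs and tests; by default urllib performs the request."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
    )
    if send is not None:
        return send(req)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def execute(payload, send=None):
    """Handle one alert invocation; return (body, status) per result row."""
    conf = payload["configuration"]
    url = conf["url"]
    if not url.startswith("https://"):
        raise ValueError("refusing to send alert data over plain HTTP: " + url)
    token = conf.get("token", "")
    out = []
    for row in read_results(payload["results_file"]):
        body = build_body(row, payload)
        out.append((body, send_json(url, body, token, send)))
    return out


def make_sample_payload(tmpdir=None):
    """Constructed stand-in for what splunkd writes to stdin (offline runs only)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    results = os.path.join(tmpdir, "results.csv.gz")
    with gzip.open(results, "wt", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["_time", "src_ip", "dest_ip", "src_port", "dest_port", "count"])
        w.writerow(["1700000000", "203.0.113.5", "10.1.2.3", "51234", "445", "8"])
        w.writerow(["1700000060", "198.51.100.9", "10.1.2.4", "51235", "3389", "2"])
    return {
        "sid": "scheduler__admin__search__RMD5abc_at_1700000000_1",
        "search_name": "Blocked SMB from internet",
        "app": "search",
        "owner": "admin",
        "results_file": results,
        "configuration": {"url": "https://ips.example.local/api/quarantine", "token": "redacted"},
    }


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--execute":
        try:
            for body, status in execute(json.load(sys.stdin)):
                print("sent", body, status, file=sys.stderr)  # splunkd logs this action's stderr
        except Exception as exc:
            print("ERROR", exc, file=sys.stderr)
            sys.exit(1)  # non-zero exit marks the action as failed
    else:
        # Dry run outside Splunk: record the requests instead of sending them.
        for body, status in execute(make_sample_payload(), send=lambda req: 200):
            print(body, status)
```

Drop the script into an app's bin directory and register it in alert_actions.conf with the url and token parameters; the token then lives in the app configuration rather than in the search string, and every row of the results file is sent, not just the first one as with the webhook action.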