Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Need to send JSON structure from query results tri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there, I have an Splunk Alert which runs a query that returns a TABLE with 10 fields.
I need to send that data in a JSON structure to a Restful API which will read the JSON data and will parse it properly.
Is there a sample out there or solution for this? thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe what you need is to setup webhook as alert action which can do POST to an external REST API endpoint. Have a look at this. (available in Splunk 6.3+)
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe what you need is to setup webhook as alert action which can do POST to an external REST API endpoint. Have a look at this. (available in Splunk 6.3+)
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi there, that does not seem to return the query results. That is what I need 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've not used it personally but it seems that the payload it sends contains the first row of the search result. How many search results that you get?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correct it sends only the first row. I am using Alert mode: Once Per Result though.
I changed that to Once Per Search and instead of receiving 5 emails I get 1 email with all results.
However Webnook still sends only the first row. so it is useless for me. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmm. Then a custom script might be a better option. May be in Python which can use search results (available in compression file, file path is sent to alert script as parameters) to generate necessary json (should be some libraries to do that) and send it to destination URL.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
