Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Need to send JSON structure from query results tri...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
05-31-2017
01:41 PM
Hi there, I have an Splunk Alert which runs a query that returns a TABLE with 10 fields.
I need to send that data in a JSON structure to a Restful API which will read the JSON data and will parse it properly.
Is there a sample out there or solution for this? thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-31-2017
02:30 PM
I believe what you need is to setup webhook as alert action which can do POST to an external REST API endpoint. Have a look at this. (available in Splunk 6.3+)
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-31-2017
02:30 PM
I believe what you need is to setup webhook as alert action which can do POST to an external REST API endpoint. Have a look at this. (available in Splunk 6.3+)
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
06-02-2017
08:04 AM
hi there, that does not seem to return the query results. That is what I need 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2017
08:08 AM
I've not used it personally but it seems that the payload it sends contains the first row of the search result. How many search results that you get?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
06-02-2017
09:27 AM
correct it sends only the first row. I am using Alert mode: Once Per Result though.
I changed that to Once Per Search and instead of receiving 5 emails I get 1 email with all results.
However Webnook still sends only the first row. so it is useless for me. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2017
09:35 AM
Hmmm. Then a custom script might be a better option. May be in Python which can use search results (available in compression file, file path is sent to alert script as parameters) to generate necessary json (should be some libraries to do that) and send it to destination URL.
Get Updates on the Splunk Community!
Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1
Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
