Alerting
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Alerting
- :
- Need to send JSON structure from query results tri...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
05-31-2017
01:41 PM
Hi there, I have an Splunk Alert which runs a query that returns a TABLE with 10 fields.
I need to send that data in a JSON structure to a Restful API which will read the JSON data and will parse it properly.
Is there a sample out there or solution for this? thank you
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-31-2017
02:30 PM
I believe what you need is to setup webhook as alert action which can do POST to an external REST API endpoint. Have a look at this. (available in Splunk 6.3+)
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
05-31-2017
02:30 PM
I believe what you need is to setup webhook as alert action which can do POST to an external REST API endpoint. Have a look at this. (available in Splunk 6.3+)
http://docs.splunk.com/Documentation/Splunk/6.3.0/Alert/Webhooks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
06-02-2017
08:04 AM
hi there, that does not seem to return the query results. That is what I need 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2017
08:08 AM
I've not used it personally but it seems that the payload it sends contains the first row of the search result. How many search results that you get?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
maximusdm
Communicator
06-02-2017
09:27 AM
correct it sends only the first row. I am using Alert mode: Once Per Result though.
I changed that to Once Per Search and instead of receiving 5 emails I get 1 email with all results.
However Webnook still sends only the first row. so it is useless for me. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
06-02-2017
09:35 AM
Hmmm. Then a custom script might be a better option. May be in Python which can use search results (available in compression file, file path is sent to alert script as parameters) to generate necessary json (should be some libraries to do that) and send it to destination URL.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
