All Apps and Add-ons

No handler found warning for URL Receiver

serveshaun
New Member

I'm trying to do what I thought would be a fairly simple test with webhooks using the URL Receiver app but I get the following messages on the receiving indexer.

08-12-2016 07:35:12.669 -0400 INFO ExecProcessor - message from "/opt/splunk/etc/apps/urlreceiver/linux_x86_64/bin/urlreceiver" Incoming request on port=8091 -> method=POST uri=/webhook-test length=2875 from clientip=10.115.17.150:50634
08-12-2016 07:35:12.669 -0400 WARN ExecProcessor - message from "/opt/splunk/etc/apps/urlreceiver/linux_x86_64/bin/urlreceiver" No handler found for path=/webhook-test on port=8091

It looks like the test alert info is being sent from the search head to the indexer based on the first line but it doesn't get processed on the indexer because of the "No handler..." message in the second line. The URL is set the same in the alert and on the receiver as follows:

http://myindexer.domain.com:8091/webhook-test

I can't find documentation for this anywhere so any help would be appreciated.

0 Karma
1 Solution

Jeremiah
Motivator

The Webhook option under trigger actions comes from the built-in webhook alert action, not the URL receiver app. It's not related to receiving webhooks. Instead, it lets you send a webhook as an action on a scheduled search:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Alert/Webhooks

In regards to the error you're seeing, I would not install the URL receiver app on your indexers. I would put it either on a search head or a forwarder. Then the search head/forwarder will send the data to your indexer just like any other splunk data.

The error you're seeing indicates that the path in the webhook doesn't exist in your URL receiver input. When you setup the URL receiver, did you configure the URL path to be "/webhook-test" ? The path you configure in your input needs to match the path you use when you send your webhook, or the URL receiver will drop the data.

https://splunkbase.splunk.com/app/1863/#/details

View solution in original post

Jeremiah
Motivator

The Webhook option under trigger actions comes from the built-in webhook alert action, not the URL receiver app. It's not related to receiving webhooks. Instead, it lets you send a webhook as an action on a scheduled search:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Alert/Webhooks

In regards to the error you're seeing, I would not install the URL receiver app on your indexers. I would put it either on a search head or a forwarder. Then the search head/forwarder will send the data to your indexer just like any other splunk data.

The error you're seeing indicates that the path in the webhook doesn't exist in your URL receiver input. When you setup the URL receiver, did you configure the URL path to be "/webhook-test" ? The path you configure in your input needs to match the path you use when you send your webhook, or the URL receiver will drop the data.

https://splunkbase.splunk.com/app/1863/#/details

serveshaun
New Member

Jeremiah = Da Man!

Your question about the URL path triggered the fix. I had the path on the target box set exactly the same as the URL in the Webhook trigger action I set in the scheduled search on the search head. So it was like this in both locations:

http://mytargetbox.domain.com:4711/webhook-test

When it should have been that in the trigger action on the search head's scheduled search and just /webhook-test on the target box. Once I made those changes everything flowed as it should have and I can search on the data.

Much obliged for the help!

0 Karma

jkat54
SplunkTrust
SplunkTrust

Where did you install the app? My guess is that it should be installed on the indexers, not the search heads because it's an input.

0 Karma

serveshaun
New Member

I actually installed it on both the indexer and search head. After install on the search head it adds a "Webhook" option under Trigger Actions. On the indexer it adds a "URL-Receiver" option under local Data Inputs. I've configured the URL path the same on both but no dice.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...