PagerDuty App for Splunk: How to configure link fr...

mhaggerty55 · ‎03-17-2017

I’ve integrated pager duty and Splunk, and I’m successfully seeing alerts from Splunk in pager duty. However, when I go to an incident detail and click on “view in splunk,” I get an error saying “The site can’t be reached.”

I’ve noticed the hostname is wrong. It’s using splunk:8000 when it should be using my_splunk_hostname:8000.

Any ideas how I can configure the link? I've already asked PagerDuty support, but they suggested I ask here too.

bkrueger_splunk · ‎02-26-2018

You need to update the hostname setting under alert_actions.conf (If you don't have a local alert_actions.conf, create one and add the stanza & hostname setting below)

Should look like this:
[default]
hostname=your_hostname_here

Here is the link to the relevant docs
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Alertactionsconf?utm_source=answers&utm_med...

mattymo · ‎03-20-2017

My guess is that the alert action may not be sending the client_url string in the alert payload that Pagerduty need to build that link?

Splunk:8000 sounds like a default entry, perhaps check the script that the pager duty app has in its bin folder to see how it constructs the call to the pagerduty url? ( i will check in my lab and follow up)

https://v2.developer.pagerduty.com/docs/trigger-events

I believe pagerduty provides the option to view he raw payload, can you post an example?

Splunks alert action args contain a results url that should work here. Is your Splunk instance available to the internet?

- MattyMo

PagerDuty App for Splunk: How to configure link from PagerDuty incident to Splunk?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases