How do I view Webhook content in Splunk?

BryanScovill
Explorer

We're struggling a bit with trying to use Webhooks instead of custom scripts in our alerts. Just as a simple test, we've created an alert to generate a post to one of our systems and instead of the JSON, all we appear to receive is "1". Are there any suggestions regarding the best way to test the received data? Is there anywhere that the payload is logged on the search head? I can see in the splunkd.log the event, but not the content...

10-10-2018 09:51:08.880 -0400 INFO  sendmodalert - action=webhook STDERR -  Sending POST request to url=https://redacted.supercool.address/test with size=5043 bytes payload

The STDERR in there does raise my eyebrows.

Any guidance would be appreciated.


tgendron_splunk
Splunk Employee

Hi Bryan,

One way to test connectivity is to use webhook.site as a test endpoint. That site will provide a URL that you can POST to and see if it gets there. Here is an example using curl.

curl -X POST -H 'Content-Type: application/json' --data '{"username":"foo", "password":"bar"}' https://webhook.site/40767741-9583-4cc6-8934-163ffab666ef
Nice Job!

The URL was generated by webhook.site, which makes it easy to copy and paste as above. I set it up to return the Nice Job! result string. I did nothing else other than that.

On webhook.site you will see the JSON data displayed along with some connectivity metadata. If the curl example works, then the same URL will work with an alert. I tested it and confirmed it. The JSON doc sent by the alert looks like this on the webhook site.

I just pasted the URL into the form for creating a webhook in the Splunk UI.

Here is the result shown at the URL endpoint on the webhook.site.

{
  "owner": "admin",
  "app": "search",
  "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "search_name": "my_alertTest2",
  "results_link": "http://shd1:8000/app/search/@go?sid=rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
  "result": {
    "date_minute": "13",
    "timestartpos": "0",
    "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -",
    "_serial": "2",
    "_sourcetype": "mytransform:alerts",
    "date_zone": "local",
    "index": "alert_test",
    "sourcetype": "mytransform:alerts",
    "date_second": "13",
    "date_month": "october",
    "punct": "--::......__-\"\"---",
    "source": "/var/tmp/alert_sample.log",
    "host": "ufd1",
    "_confstr": "source::/var/tmp/alert_sample.log|host::ufd1|mytransform:alerts",
    "date_hour": "18",
    "date_wday": "wednesday",
    "_kv": "1",
    "_si": [
      "idx1",
      "alert_test"
    ],
    "date_mday": "17",
    "_indextime": "1539799995",
    "splunk_server": "idx1",
    "date_year": "2018",
    "_time": "1539799993",
    "timeendpos": "20"
  }
}

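The answer above inspects the alert payload by sending it to a third-party site. As an added example (not code from the thread, from Splunk, or from webhook.site), the following is a small local HTTP receiver you can run on a host the search head can reach, point the alert's webhook URL at it, and read exactly what arrives: it logs the raw body and the Content-Type, then parses the body into the fields the webhook action sends (search_name, sid, results_link, and the result object), and it still reports a body that is not a JSON object, such as the bare "1" the original poster saw. The port number, the log field names, and the sample payload are assumptions; the sample is constructed to match the shape of the JSON shown in the answer.

```python
"""Local receiver for Splunk webhook alert actions (added example).

Run it, set the alert's webhook URL to http://<this-host>:8099/splunk, and
each POST body is logged verbatim and summarised, so the payload can be seen
without forwarding alert data off-host.
"""
import json
import logging
from http.server import BaseHTTPRequestHandler, HTTPServer

log = logging.getLogger("webhook-receiver")


def parse_splunk_webhook(body: bytes, content_type: str = "") -> dict:
    """Summarise a webhook body.

    Returns {'ok': True, ...alert fields...} when the body is a JSON object
    shaped like Splunk's webhook payload, and {'ok': False, 'reason': ...,
    'raw': ...} otherwise, so an unexpected body (e.g. a bare "1") stays
    visible instead of being silently dropped.
    """
    text = body.decode("utf-8", errors="replace")
    try:
        doc = json.loads(text)
    except ValueError:
        return {"ok": False, "reason": "body is not JSON",
                "content_type": content_type, "raw": text}
    if not isinstance(doc, dict):
        # json.loads("1") yields the int 1: valid JSON, but not an alert payload.
        return {"ok": False, "reason": "JSON body is not an object",
                "content_type": content_type, "raw": text}
    result = doc.get("result")
    if not isinstance(result, dict):
        result = {}
    return {
        "ok": True,
        "content_type": content_type,
        "search_name": doc.get("search_name"),
        "sid": doc.get("sid"),
        "results_link": doc.get("results_link"),
        "host": result.get("host"),
        "raw_event": result.get("_raw"),
        "field_count": len(result),
    }


class WebhookHandler(BaseHTTPRequestHandler):
    """Logs every POST body verbatim, then answers with the parsed summary."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        ctype = self.headers.get("Content-Type", "")
        log.info("POST %s from %s content-type=%r length=%d",
                 self.path, self.client_address[0], ctype, length)
        log.info("body: %s", body.decode("utf-8", errors="replace"))
        summary = parse_splunk_webhook(body, ctype)
        log.info("parsed: %s", json.dumps(summary))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps(summary).encode("utf-8"))

    def log_message(self, fmt, *args):
        # Route the default access-log line into the logging module.
        log.debug(fmt, *args)


# Constructed sample payload with the shape shown in the answer (not captured
# from a real search head); the results_link is deliberately elided.
SAMPLE_PAYLOAD = json.dumps({
    "owner": "admin",
    "app": "search",
    "sid": "rt_scheduler_adminsearchRMD5c915be116e89b766_at_1539791034_150.118",
    "search_name": "my_alertTest2",
    "results_link": "http://shd1:8000/app/search/@go?sid=...",
    "result": {
        "_raw": "2018-10-17 18:13:13 127.0.0.2 22 127.0.0.12 2200 tomg 4624 - \"login success\" - - -",
        "host": "ufd1",
        "sourcetype": "mytransform:alerts",
        "index": "alert_test",
    },
}).encode("utf-8")


def main(port: int = 8099):
    # Port is an arbitrary choice; bind to the interface the search head reaches.
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    HTTPServer(("0.0.0.0", port), WebhookHandler).serve_forever()


if __name__ == "__main__":
    main()
```

Because the receiver echoes the summary back as JSON, the same run also tells you what the search head gets as a response body, which is what splunkd.log shows only as a size. If the alert is only ever delivering "1", the logged body line shows whether that is what Splunk sent or what the receiving system answered.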