Getting Data In

Is it possible to use a configuration stanza in webhook URL? e.g. https://`stanza[service_url]`?disposition=1&auth=`stanza[auth_token]`

ramabu
Path Finder

I am sure this is not an existing syntax 🙂 and yet - is it possible to encode such URL-s?

======================

Feb 10th:

So I will sort of repeat the question:

If I POST to e.g. https://10.41.1.136/splunk/alerts?disposition=3&auth=MyApp%20206eb5cb3c-5c70-4cb7-8844-5a0407a43ca7, then everything works fine.

But '10.41.1.136' and '206eb5cb3c-5c70-4cb7-8844-5a0407a43ca7' actually configurable for the app. Is it possible to save the search in a "formal" format, and have actual values replace the formal ones upon alert being triggered?
I did see how to reference a result field, but it's is not useful in this case.

Thanks
rama

0 Karma
1 Solution

ramabu
Path Finder

It appears that it is not possible,
But there are alternatives.

It would involve creating a custom alert action, which is actually a one-alert-app.
Once installed correctly, it shows in the list of actions in 'add actions', have a user interface, and more.
Using it, one can have the user explicitly state the required input for the action to complete successfully.

Its all here http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
However, I could not follow the explanation until I read it from the perspective of it being a separate add-on.

I also tried to run a python script instead of a webhook. This option is smooth, but the script has to work out the required data by parsing the attached results, which can be quite challenging; with the webhook, the "fielded" result is attached in JSON

View solution in original post

ramabu
Path Finder

It appears that it is not possible,
But there are alternatives.

It would involve creating a custom alert action, which is actually a one-alert-app.
Once installed correctly, it shows in the list of actions in 'add actions', have a user interface, and more.
Using it, one can have the user explicitly state the required input for the action to complete successfully.

Its all here http://docs.splunk.com/Documentation/Splunk/6.3.3/AdvancedDev/ModAlertsIntro
However, I could not follow the explanation until I read it from the perspective of it being a separate add-on.

I also tried to run a python script instead of a webhook. This option is smooth, but the script has to work out the required data by parsing the attached results, which can be quite challenging; with the webhook, the "fielded" result is attached in JSON

Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...