Splunk Cloud Platform

Using webhook alert to send to telegram

Raees
Explorer

Hi

I am trying to send an alert to Telegram from Splunk using the default webhooks as the Telegram alert action is no longer supported (https://splunkbase.splunk.com/app/4917).

Has anyone managed to get it working? There is no documentation on the Splunk site on using the webhook.

I am using the string below that works in a browser, but not in Splunk, so not sure how to format the string.

https://api.telegram.org/bot#########/sendMessage?chat_id=-########&text=test

Thanks


livehybrid
Champion

Hi @Raees 

As previously mentioned, the Splunk inbuilt webhooks use a POST with a pretty non-configurable output.

You can use https://splunkbase.splunk.com/app/7450 which allows much more customisation.

Here is a working example.

[screenshot: livehybrid_0-1741257295773.png]

I installed the app and created an alert action as below:

[screenshot: livehybrid_1-1741257307180.png]

Put URL as: https://api.telegram.org/bot<yourToken>/sendMessage

Payload:

{
  "chat_id": "<yourChatID>",
  "text": "$result.msg$"
}

This will send the value of the "msg" field from Splunk search, obviously you can update this and use more fields if required too.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


kiran_panchavat
Influencer

@Raees 

Configure the webhook with the following details:

URL: https://api.telegram.org/bot<YourBotToken>/sendMessage 
HTTP Method: POST

Request Payload:

{
  "chat_id": "<YourChatID>",
  "text": "Alert: $result.message$"
}

Trigger Conditions: Set the conditions under which the alert should trigger.
Test the Webhook: Save the alert and test it to ensure that messages are being sent to your Telegram chat.

Here’s an example of how the webhook URL and payload might look:

{
  "url": "https://api.telegram.org/bot123456789:ABCdefGHIjklMNOpqrSTUvwXYZ/sendMessage",
  "method": "POST",
  "payload": {
    "chat_id": "-987654321",
    "text": "Alert: $result.message$"
  }
}

Make sure to replace <YourBotToken> and <YourChatID> with your actual bot token and chat ID.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Raees
Explorer

Thanks for the POST details, I don't see how all the info is supposed to be entered as there is only a field for the URL

[screenshot: Raees_0-1741254823884.png]

kiran_panchavat
Influencer

@Raees 

Please check this 

https://docs.splunk.com/Documentation/Splunk/9.4.0/Alert/Webhooks 


kiran_panchavat
Influencer

@Raees 

The URL you provided (https://api.telegram.org/bot#########/sendMessage?chat_id=-########&text=test ) works in a browser because it’s a simple GET request. However, Splunk’s webhook alert action sends a POST request by default, and it expects a payload rather than just a URL with query parameters.

Raees
Explorer

@kiran_panchavat Thank you, this helps, will look up how to send a POST request to Telegram


livehybrid
Champion

Hi @Raees 

Unfortunately the inbuilt webhook POST sends a payload as below, the format of which isn't possible to change.

{
  "result": {
    "sourcetype": "mongod",
    "count": "8"
  },
  "sid": "scheduler_admin_search_W2_at_14232356_132",
  "results_link": "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
  "search_name": null,
  "owner": "admin",
  "app": "search"
}

I think this should be achievable with the https://splunkbase.splunk.com/app/4146 app - although possibly not as an alert action, but could be achieved by adding the necessary commands on the end of your SPL.

I will see if I can work together an example

Please let me know if this helped by adding karma and/or accepting as an answer if this resolves the issue for you.
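Because the built-in webhook body is fixed, one practical option is a small relay that accepts Splunk's POST and reshapes it into Telegram's sendMessage request. The block below is an added example, not code from the thread or from any Splunk app: it parses the fixed payload shown above (embedded here as constructed sample data), enforces Telegram's 4096-character text limit, validates the chat ID, and masks the bot token before the URL is logged; the chat ID and token values are placeholders.

```python
import json
import re

TELEGRAM_TEXT_LIMIT = 4096  # sendMessage rejects text longer than this

# Constructed sample: the fixed JSON that Splunk's built-in webhook POSTs (same shape as the post above)
SAMPLE_SPLUNK_PAYLOAD = json.dumps({
    "result": {"sourcetype": "mongod", "count": "8"},
    "sid": "scheduler_admin_search_W2_at_14232356_132",
    "results_link": "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
    "search_name": None,
    "owner": "admin",
    "app": "search",
})


def format_alert_text(splunk_payload: dict) -> str:
    """Flatten the Splunk webhook JSON into a readable Telegram message."""
    name = splunk_payload.get("search_name") or splunk_payload.get("sid", "unknown search")
    fields = splunk_payload.get("result", {})
    lines = [f"Splunk alert: {name}"]
    lines += [f"{k}: {v}" for k, v in sorted(fields.items())]
    link = splunk_payload.get("results_link")
    if link:
        lines.append(f"Results: {link}")
    text = "\n".join(lines)
    # Truncate explicitly so an oversized result set does not make Telegram reject the alert
    if len(text) > TELEGRAM_TEXT_LIMIT:
        text = text[:TELEGRAM_TEXT_LIMIT - 3] + "..."
    return text


def build_telegram_request(splunk_payload_json: str, chat_id: str, bot_token: str) -> tuple:
    """Return (url, body) for Telegram's sendMessage built from a raw Splunk webhook body."""
    if not re.fullmatch(r"-?\d+", chat_id):
        raise ValueError("chat_id must be numeric (negative for groups)")
    payload = json.loads(splunk_payload_json)
    url = f"https://api.telegram.org/bot{bot_token}/sendMessage"
    body = {"chat_id": chat_id, "text": format_alert_text(payload)}
    return url, body


def redact_token(url: str) -> str:
    """Mask the bot token (the bot's credential) before the URL is written to any log."""
    return re.sub(r"/bot[^/]+/", "/bot<redacted>/", url)
```

A relay would POST `body` as JSON to `url` and log only `redact_token(url)`, keeping the token out of Splunk's own logs and the relay's.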

kiran_panchavat
Influencer

@Raees 

Sure, please check.

 
  • Splunk’s webhook alert action sends a POST request to a specified URL.
  • The payload is typically in JSON format, and you can customize it using tokens (e.g., $result.field$) to include alert details.
  • Telegram’s Bot API expects either a GET request with query parameters or a POST request with a JSON body.
Get Your Telegram Bot Token and Chat ID
 
You already seem to have these:
  • Bot Token: ######### (replace with your actual token from BotFather).
  • Chat ID: -######## (the ID of the group or chat, including the - for groups).
Set Up the Webhook in Splunk
 
  • In Splunk, go to Settings > Alert Actions > Webhook (or configure it as part of an alert).
URL: Use the Telegram API endpoint without query parameters 
https://api.telegram.org/bot<your-bot-token>/sendMessage
Replace <your-bot-token> with your actual bot token (e.g., https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendMessage).
 
  • Custom Payload: Splunk allows you to define a JSON payload. Telegram expects chat_id and text as parameters. Here’s an example payload:

 

{
  "chat_id": "-########",
  "text": "Alert from Splunk: $result.message$"
}
  • Replace -######## with your actual chat ID.
  • $result.message$ is a placeholder for a field from your search results (adjust based on your data; common tokens include $result.sourcetype$, $result.host$, or $trigger_reason$).
Test the Webhook
 
  • Create a test alert in Splunk:
    • Go to Search, run a simple query (e.g., index=_internal | head 1).
    • Save it as an alert, set the trigger condition (e.g., number of results > 0), and choose the Webhook action.
    • Enter the URL and payload as described above.
  • Trigger the alert and check your Telegram chat for the message.

NOTE:

Ensure the payload is valid JSON and matches Telegram’s API expectations (see https://core.telegram.org/bots/api#sendmessage).
If $result.message$ doesn’t work, replace it with a static string (e.g., "text": "Test alert") to verify the setup, then adjust the token.
 
Example Configuration
 
Payload:
 
{
  "chat_id": "-123456789",
  "text": "Splunk Alert: $result.host$ triggered an event at $trigger_time$"
}
 