Splunk Enterprise Security

Using Webhook to send data to internal server?

st1
Path Finder

I'm trying to set up an open-source SOAR tool and need to get the results of a correlation search from Splunk. Using a webhook would be a way to do this, but is there any way to have the webhook not reach out externally and then come back into the internal server where the SOAR is hosted?


The internal server is not externally exposed, so this causes issues with the Splunk search head being able to reach the server. We are running Splunk on-prem. Thanks.


ITWhisperer
SplunkTrust

This sounds like a name resolution problem. Is your internal server on a fixed (internal) IP address? If so, use that in your webhook. If not, presumably the address is registered in a local name server? If so, configure your DNS lookup to query that server first. Alternatively, you might be able to hard-code the address resolution in your hosts file (/etc/hosts for example).
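As an added example (not code from the thread or from Splunk), a small Python check that resolves a webhook URL the way the search head would, hosts file first and then DNS, and reports whether the result is an internal address, so an externally-resolving name is caught before the alert action is saved. The host soar.corp.example and the hosts-file lines are constructed.

```python
"""Check where a Splunk webhook URL will actually be delivered (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit


def hosts_file_lookup(hostname, hosts_text):
    """Return the address pinned for hostname in hosts-file text, or None."""
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            return addr
    return None


def resolve_webhook(url, hosts_text=""):
    """Resolve the webhook host; return (address, is_internal).

    Mirrors the usual resolver order: hosts file entry first, then an IP
    literal in the URL, then a real DNS lookup (socket.gaierror propagates).
    """
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("webhook URL has no host: %r" % url)
    addr = hosts_file_lookup(host, hosts_text)
    if addr is None:
        try:
            addr = ipaddress.ip_address(host).compressed  # IP literal, no lookup
        except ValueError:
            addr = socket.getaddrinfo(host, None)[0][4][0]  # DNS as the SH would
    ip = ipaddress.ip_address(addr)
    # Note: 172.32.x.x is outside 172.16.0.0/12 and is therefore NOT private
    return addr, ip.is_private or ip.is_loopback


if __name__ == "__main__":
    # Constructed hosts-file content pinning the SOAR host to an internal address
    SAMPLE_HOSTS = "127.0.0.1 localhost\n10.20.30.40 soar.corp.example  # SOAR\n"
    for url in ("https://soar.corp.example/webhook", "https://172.32.0.1:8443/hook"):
        addr, internal = resolve_webhook(url, SAMPLE_HOSTS)
        print(url, "->", addr, "internal" if internal else "EXTERNAL")
```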


livehybrid
SplunkTrust

Hi @st1 

You can use any webhook address you want for the webhook URL from your Splunk SH - Does your SOAR tool present a webhook endpoint that you can send to? If not you will need some sort of middle-man webhook system to forward the request.

Ultimately, if the endpoint you are sending to is internal then you can use this and it therefore wouldn't go externally.


st1
Path Finder

The SOAR tool does present a webhook, but since the tool is hosted on an internal-only server, our Splunk server is trying to reach the webhook by resolving the webhook address externally. What I'm wondering is whether there is a way to force Splunk to only resolve that webhook address internally, without having to use a middleman service.

