Activity Feed
- Posted Re: Can't perform a GET action with this add-on on All Apps and Add-ons. 04-28-2020 12:31 AM
- Posted Re: Is there any documentation that can help with the actual format that should be followed for the fields defined in the HTTP Alert Action App? on All Apps and Add-ons. 11-21-2019 09:07 PM
- Posted Re: Cluster master in the cloud? on Deployment Architecture. 07-24-2019 10:59 PM
- Posted Re: How to monitor the HTTP Alert Action? on All Apps and Add-ons. 07-24-2019 05:22 PM
- Posted Re: How to monitor the HTTP Alert Action? on All Apps and Add-ons. 07-23-2019 06:49 AM
04-28-2020
12:31 AM
@pwild_splunk Can you try setting the ingestion index? There was a bug where this option needed to be set even if it wasn't used.
I have a new version for Splunk 8 coming out soon™ that will fix this and a couple of other issues.
11-21-2019
09:07 PM
I personally use the excellent RequestBin.com site to test all my config.
Endpoint = https://xxxxxxxxxxx.x.pipedream.net/
Query string params (optional) - Query string is commonly denoted as key-values after a question mark. IE www.example.splunkcloud.com/en-GB/account/login?loginType=splunk. In this example loginType=splunk is a query string.
Custom headers (optional) = These allow you to add custom headers. This is most commonly used for basic authentication.
Payload = If your search returns the fields Test & Source then you could specify source={source};test={test}. To send JSON in this version of the app, you must construct the JSON string in your SPL search
IE |eval json="{\"source\":\"".source."\",\"test\":\"".test."\"}"
and then reference that field
IE Payload = {json}
I admit this is clunky and would be hard to maintain for long JSON values; I'd suggest a purpose-built app if your JSON is complex or nested.
HTTP Method = POST
Ingest response to index = If you wish to ingest the response, specify the index here.
Ingest Safety Max Size = This is the safety net to stop ingesting values greater than expected. If you don't want to ingest the response, set the value to 0
Should be able to identify errors with the following search: index=_internal sourcetype=splunkd component=sendmodalert action="send_custom_rest_request"
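The payload step above builds the JSON body by string concatenation in SPL. As an added example (not part of the original post and not the app's code), this Python script shows what concatenation in the style of that eval, with double-quoted keys and values, does to field values containing quotes or backslashes, and a check to run on a rendered body before relying on it; the function names and sample values are constructed for illustration.

```python
import json

def concat_payload(source, test):
    # Same approach as the eval above: field values are spliced in unescaped.
    return '{"source":"' + source + '","test":"' + test + '"}'

def encoded_payload(source, test):
    # A JSON encoder escapes quotes, backslashes and control characters.
    return json.dumps({"source": source, "test": test})

def _reject_duplicates(pairs):
    # json.loads silently keeps the last value of a repeated key; refuse instead.
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError("duplicate keys: " + ", ".join(dupes))
    return dict(pairs)

def payload_problem(body, expected=("source", "test")):
    """Return None if body is a JSON object with exactly the expected keys,
    otherwise a short description of what is wrong."""
    try:
        obj = json.loads(body, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError:
        return "not valid JSON"
    except ValueError as exc:  # raised by _reject_duplicates
        return str(exc)
    if not isinstance(obj, dict) or set(obj) != set(expected):
        return "unexpected structure"
    return None

# Constructed sample field values (not from any real search result).
SAMPLES = [
    ("/var/log/auth.log", "ok"),
    ("/var/log/auth.log", 'login "failed" for root'),
    ("/var/log/auth.log", 'x","source":"elsewhere'),
    ("C:\\logs\\app.log", "ok"),
]

def report():
    # One (concatenated, encoded) result pair per sample.
    return [(payload_problem(concat_payload(s, t)),
             payload_problem(encoded_payload(s, t))) for s, t in SAMPLES]

if __name__ == "__main__":
    for (s, t), (raw, enc) in zip(SAMPLES, report()):
        print(f"{t!r:32} concat: {raw or 'ok':24} encoded: {enc or 'ok'}")
```

The third sample parses as valid JSON but carries a second "source" key, so a receiver that keeps the last value would record a source the search never returned; only the duplicate-key check catches it.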
07-24-2019
10:59 PM
Hi Jeremy,
The Splunk Validated Architectures document is a great place to start with these kinds of questions. If you truly need full HA between DCs you might need a multi-site cluster. This will allow you to specify how many copies of the data you want to keep in each site (DC). In the SVA, the examples start with 'M'.
That being said, doing a multi-site cluster with only 3 indexers is overkill, so I'd question whether you truly need it. A normal clustered environment might better suit your requirements if you can accept the risk.
07-24-2019
05:22 PM
@mihenn Can you confirm whether adding the ingestion_safety fixed the issue?
07-23-2019
06:49 AM
Can you try setting the ingestion_safety variable? There's a known issue with version 1.1 which has been fixed in the yet to be released version 1.2.
action.send_custom_rest_request.param.ingestion_safety_max_size = 0