
Webhooks allow you to define custom callbacks on a particular web resource. For instance, you can set up a webhook to make an alert message pop up in a chat room or post a notification on a web page. When an alert triggers, the webhook makes an HTTP POST request to the configured URL. The webhook passes JSON-formatted information about the alert in the body of the POST request.

When you set up a webhook alert, you must get the hook URL from the target service. For example, if you want to post a webhook alert to a Slack room, you must follow Slack's webhook instructions to get the correct URL to use. You can test that webhooks are triggering by using a webhook testing site such as https://webhook.site.



Webhook data payload

The webhook POST request's JSON data payload includes the following details.

  • Search ID or SID for the saved search that triggered the alert
  • Link to search results
  • Search owner and app
  • First result row from the triggering search results



Depending on the webhook scenario, you can configure data payload handling on the resource receiving the POST.
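The receiving side is where payload handling is decided, so the following is an added example of such a receiver. It is not part of the Splunk documentation and not Splunk code. It assumes the top-level field names Splunk documents for the webhook payload (sid, search_name, app, owner, results_link, result) and, since the POST itself carries no signature, assumes you put a per-hook secret token in the URL path when you configure the alert; the token value, host names and sample payload below are all constructed. Every field is treated as untrusted input: the body is size-limited, must be a JSON object, results_link must be an http(s) URL, and unknown fields are dropped before anything is forwarded to a chat room.

```python
"""Minimal receiver for a Splunk webhook alert action (added example)."""
import hmac
import json
from typing import Tuple
from urllib.parse import urlparse

# Constructed shared secret. Include it as the last path segment of the URL you
# enter in the alert's webhook action, e.g. https://hooks.example.internal/splunk/<token>,
# so a request that does not know the token is rejected before the body is parsed.
HOOK_TOKEN = "constructed-token-5f3a9c"
MAX_BODY_BYTES = 64 * 1024
# Field names as in Splunk's documented payload (assumption: unchanged in your version).
EXPECTED_FIELDS = ("sid", "search_name", "app", "owner", "results_link", "result")


def token_ok(path: str) -> bool:
    """Constant-time comparison of the final path segment against HOOK_TOKEN."""
    segment = path.rstrip("/").rsplit("/", 1)[-1]
    return hmac.compare_digest(segment.encode("utf-8"), HOOK_TOKEN.encode("utf-8"))


def parse_payload(body: bytes) -> dict:
    """Parse and validate the JSON body; raise ValueError on anything unexpected."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("payload is not a JSON object")
    link = data.get("results_link", "")
    if link and urlparse(link).scheme not in ("http", "https"):
        raise ValueError("results_link is not an http(s) URL")
    if not isinstance(data.get("result", {}), dict):
        raise ValueError("result is not an object")
    # Keep only the documented top-level fields; anything extra is ignored.
    return {k: data.get(k) for k in EXPECTED_FIELDS}


def format_chat_message(alert: dict) -> str:
    """Render a one-line chat notification from a validated payload."""
    first = alert["result"] or {}
    summary = ", ".join(f"{k}={v}" for k, v in list(first.items())[:3])
    return (f"Splunk alert '{alert['search_name']}' (app {alert['app']}, "
            f"owner {alert['owner']}) fired: {summary} -> {alert['results_link']}")


def handle_request(method: str, path: str, body: bytes) -> Tuple[int, str]:
    """Return (HTTP status, response text) for one incoming webhook request."""
    if method != "POST":
        return 405, "method not allowed"
    if not token_ok(path):
        return 404, "not found"  # do not reveal that the hook exists
    try:
        alert = parse_payload(body)
    except ValueError as exc:
        return 400, f"rejected: {exc}"
    return 200, format_chat_message(alert)


# Constructed sample payload in the shape Splunk sends; all values are made up.
SAMPLE_BODY = json.dumps({
    "sid": "scheduler__admin__search__constructed_sid",
    "search_name": "Failed logins spike",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.internal:8000/app/search/search?sid=constructed_sid",
    "result": {"user": "svc-backup", "count": "57", "src": "10.0.5.12"},
}).encode("utf-8")

if __name__ == "__main__":
    print(handle_request("POST", "/splunk/" + HOOK_TOKEN, SAMPLE_BODY))
```

Plug handle_request into whatever HTTP server you run; the point is that the token check and the schema check happen before the first result row is ever rendered, so a stray or malformed POST cannot push arbitrary text into the chat room.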

Configure a webhook alert action


Set up a webhook when selecting alert actions for an alert.

  1. You can configure the webhook action when creating a new alert or editing an existing alert's actions. Follow one of the options below.
    Option: Create a new alert
    Steps: From the Search page in the Search and Reporting app, select Save As > Alert. Enter alert details and configure triggering and throttling as needed.
    Option: Edit an existing alert
    Steps: From the Alerts page in the Search and Reporting app, select Edit > Edit actions for an existing alert.
  2. From the Add Actions menu, select Webhook.
  3. Type a URL for the webhook.
  4. Click Save.
Last modified on 24 June, 2020

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 8.0.8, 8.0.9, 8.1.1, 8.1.2, 8.1.3