mirror of
https://github.com/zulip/zulip.git
synced 2025-11-05 22:43:42 +00:00
e0acdfde0d
Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477
57 lines
1.8 KiB
HTML
57 lines
1.8 KiB
HTML
<p>
|
|
See your Splunk Search alerts in Zulip!
|
|
</p>
|
|
<p>
|
|
First, create the stream you'd like to use for Splunk notifications,
|
|
and subscribe all interested parties to this stream. We recommend the
|
|
stream name <code>splunk</code>, although you may choose another stream
|
|
if you prefer.
|
|
</p>
|
|
|
|
<p>
|
|
Next, in the Splunk search app, execute the search you'd like to alert on
|
|
and then save it as an alert:
|
|
</p>
|
|
|
|
<p>
|
|
<img src="/static/images/integrations/splunk/splunk_save_as_alert.png"/>
|
|
</p>
|
|
|
|
<p>
|
|
Name and configure your search in the "Settings" and "Trigger Conditions"
|
|
sections of the "Save As Alert" dialog box. In the "Trigger Actions" section,
|
|
click "Add Actions" and select "Webhook" to add a webhook action. Put the
|
|
Zulip Splunk webhook URL and your API key in the "URL" field, along with
|
|
your desired stream and (optional) topic name. If you do not specify a stream,
|
|
your messages will use the default stream `splunk`. If you do not specify a topic,
|
|
the name of the search is used (truncated to fit if needed.)
|
|
</p>
|
|
|
|
<p>
|
|
Example:
|
|
<code>{{ external_api_uri_subdomain }}/v1/external/splunk?api_key=abcde&stream=splunk&topic=alerts</code>
|
|
</p>
|
|
|
|
<p>
|
|
When you are done, it should look like this:
|
|
</p>
|
|
|
|
<p>
|
|
<img src="/static/images/integrations/splunk/splunk_configure_url.png"/>
|
|
</p>
|
|
|
|
<p>
|
|
Click Save to save the alert. You can create as many searches with alert
|
|
actions as you like, with whatever stream and topic you choose. Update your
|
|
webhook URL as appropriate for each one, and make sure the stream exists.
|
|
</p>
|
|
|
|
<p>
|
|
<b>Congratulations! You're done!</b><br/> When your search triggers an
|
|
alert, you'll see a notification like this:
|
|
</p>
|
|
|
|
<p>
|
|
<img class="screenshot" src="/static/images/integrations/splunk/splunk_message.png"/>
|
|
</p>
|