Configure a webhook in Splunk
Configure a webhook alert action in Splunk so that Splunk can use the webhook endpoint to communicate with Incident Response.
Before you begin
- Ensure you have created an account in Splunk.
- Ensure you have configured field extractions in Splunk for all sources. For information on field extractions, see Field extractions for Splunk.
Role required: Responder, Manager, or Administrator
About this task
1. Log in to the Splunk console.
2. On the navigation pane, click Search &
   The Search page appears.
3. In the Search field, enter the search criteria from the source to create an alert and press the Enter key on your keyboard.
   The search result appears.
4. From the Save As menu, select Alert.
   The Save As Alert form appears.
5. On the form, fill in the fields.
- Title: Title of the alert.
- Description: Brief description of the alert.
- Permissions: Sharing preferences for the alert.
- Alert Type: Alert type definition that is based on alert search timing. There are two alert types: Scheduled and Real-time. Depending on the scenario, you can configure timing, triggering, and other behavior for either alert type.
- Expires: Lifespan of the triggered alert, that is, how long you can access the result of the triggered alert.
- Trigger Conditions:
  - Trigger alert when: Conditions that trigger the alert.
  - Trigger: Alert notification frequency.
  - Throttle: Option to suppress alert triggering for a specific time period. Alerts can trigger frequently because of similar search results or scheduling.
- Trigger Actions: Channel through which you want to receive notifications about the alert.
Perform the following actions:
- Click + Add Actions and select Webhook.
- In the URL field, enter the
For more information on how to generate a webhook URL, see Create a webhook endpoint for Splunk.
- Click Save.