Configure a webhook in Splunk

Configure webhook endpoints so that Splunk can use the endpoint to communicate with Incident Response.

Before you begin

  • Ensure you have created an account in Splunk.
  • Ensure you have configured field extractions in Splunk for all sources. For information on field extractions, see Field extractions for Splunk.

Role required: Responder, Manager, or Administrator

About this task

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third-party. More current information about the operation of that third-party’s system may be available from them directly.

Procedure

  1. Log in to the Splunk console.
    The Splunk homepage.
  2. On the navigation pane, click Search & Reporting.
    The Search page appears.
    The search page on Splunk.
  3. In the Search field, enter the search criteria from the source to create an alert and press the Enter key on your keyboard.
    You will see the search result.
    Enter the search criteria for source.
  4. From the Save As menu, select Alert.
    The Alert option.

    The Save As Alert form appears.

    The Save As Alert form.

  5. On the form, fill in the fields.
    Field Description
    Title Title of the alert.
    Description Brief description about the alert.
    Permissions Sharing preferences for the alert.
    Alert Type Alert type definition that is based on alert search timing. Depending on the scenario, you can configure timing, triggering, and other behavior for either alert type. There are two alert types: Scheduled and Real-time.
    Expires Lifespan of the triggered alert. The lifespan is how long you can access the result of triggered alert.
    Trigger Conditions
    Trigger alert when Conditions that triggers the alert.
    Trigger Alert notification frequency.
    Throttle Option to suppress alert triggering for a specific time period.

    Alerts can trigger frequently because of similar search results or scheduling.

    Trigger Actions Channel through which you want to get notification regarding the alert.

    Perform the following actions:

    1. Click + Add Actions and select Webhook.Search for webhook in the trigger action options.
    2. In the URL field, enter the webhook link.

      For more information on how to generate a webhook URL, see Create a webhook endpoint for Splunk.

    Enter webhook URL.
  6. Click Save.