Splunk Webhook request format

[atc0005]

Per the Splunk Enterprise Alerting Manual, this is the format of the received POST request:

{

	"result": {
		"sourcetype" : "mongod",
		"count" : "8"
	},
	"sid" : "scheduler_admin_search_W2_at_14232356_132",
	"results_link" : "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
	"search_name" : null,
	"owner" : "admin",
	"app" : "search"
}

Webhook data payload

The webhook POST request's JSON data payload includes the following details.

Search ID or SID for the saved search that triggered the alert
Link to search results
Search owner and app
First result row from the triggering search results

[atc0005]

I suspect that API keys are not natively supported, so the web app would likely have to key off of expected data and/or the expected source IP to help prevent abuse.

I'd guess that sid and maybe the search_name values could be used for this.

[atc0005]

Thanks to Matt Holt, the JSON format would be matched to this Go struct:

type AutoGenerated struct {
	Result struct {
		Sourcetype string `json:"sourcetype"`
		Count      string `json:"count"`
	} `json:"result"`
	Sid         string      `json:"sid"`
	ResultsLink string      `json:"results_link"`
	SearchName  interface{} `json:"search_name"`
	Owner       string      `json:"owner"`
	App         string      `json:"app"`
}

refs https://mholt.github.io/json-to-go/

[atc0005]

Some additional notes:

• https://docs.splunk.com/Documentation/Splunk/8.0.1/Alert/Webhooks
• https://answers.splunk.com/answers/732218/how-to-configure-post-request-using-webhook-as-an.html
  • this discussion seems to suggest that you can provide Splunk a Basic Authentication credential pair (username/password) to use when submitting to a webhook URL.
  • I did not find any references to a username/password (or Basic Authentication) in the official documentation
• https://answers.splunk.com/answers/448272/using-webhook-as-an-alert-action-can-webhook-retry.html
  • retry support is not available for webhook requests submitted by Splunk; we would have to rely on the alert triggering again (probably another good reason to have the alert run every 10-15 minutes vs every 60 minutes)
• https://answers.splunk.com/answers/351007/webhook-alert-action-why-am-i-unable-to-specify-a.html
  • Answer from this thread: No headers: That's by definition. The built-in webhook.py is for simple, no-header no-auth, interactions. As to 'once-per-result" - yes, The single result attached to the webhook is each actual result out of the result set.
• https://answers.splunk.com/answers/787706/splunk-alert-action-ansible-playbook.html
  • https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomAlertConvertScripted
    • custom scripts can be used (e.g., Ansible Playbook) for alert action
• https://answers.splunk.com/answers/748592/custom-alert-action-arguments.html
  • custom Python script to receive JSON payload and take action
  • not likely needed for this work
• https://answers.splunk.com/answers/766271/splunk-webhook-alert-how-to-send-entire-search-res-1.html
  • discussion around sending entire result set, consensus is that this isn't supported (which honestly is probably a good default to protect against getting a million results for a search)

[atc0005]

Note to self:

• Setup small demo CLI app to generate Splunk-compatible webhook requests against a target URL
• Setup small demo API to receive ...

This should help with local testing.

[atc0005]

https://gist.github.com/ungoldman/11282441

From that gist:

$ curl -X POST -H "Content-Type: application/json" -d @FILENAME DESTINATION

[atc0005]

• Setup small demo API to receive ...

The https://github.com/atc0005/bounce project can serve as a starting point for this with the result being a small endpoint specific to this project (e.g., lack of auto-index landing page, added support for filtering out unwanted fields from search result payloads).