You can use an Alert Webhook to send alerts from Splunk Synthetic Monitoring to Splunk Web. You just need an API endpoint and session key associated with your Splunk Web instance.
Obtain a HEC authentication token and endpoint URI from Splunk Web
Before you create an alert webhook in Splunk Synthetic Monitoring, you need to obtain a HEC authentication token and identify the ingest endpoint URI for your Splunk Web instance.
If you are using Splunk Cloud, do the following:
- Follow the steps described in Configure HTTP Event Collector on Splunk Cloud to create a HEC integration token. Copy the token value so you can paste it into your webhook configuration in step 4 below.
- See Send data to HTTP Event Collector on Splunk Cloud to learn about the standard HEC URL form for your Splunk Cloud instance. Save the webhook URL for use in step 6 below.
If you are using Splunk Enterprise, do the following:
- Follow the steps described in Configure HTTP Event Collector on Splunk Enterprise to create a HEC integration token. Copy the token value so you can paste it into your webhook configuration in step 4 below.
- See Send data to HTTP Event Collector on Splunk Enterprise to learn about the standard HEC URL form for your Splunk Enterprise instance. Save the webhook URL for use in step 6 below.
Create a webhook using a Splunk Web HEC endpoint
To set up the webhook in Splunk Synthetic Monitoring, do the following:
- In Splunk Synthetic Monitoring, click on the three-dot Admin Tools menu and select Alert Webhooks.
- Click +New and select Custom. The New Custom Endpoint wizard opens.
- Under Name, provide a name for your webhook.
- Under Header, click +Add Request Header and type "Authorization" in the Authorization box. In the Value box, paste the authentication token for the Splunk API endpoint you are using. For more information about authentication tokens in Splunk Web, see Use Authentication Tokens in the Splunk documentation. The following is an example header:
"Authorization: Bearer <TOKEN VALUE>"
- Under Triggers, select a trigger for your notification (either "when failed" or "when back online") from the dropdown.
- Paste the Splunk Web HEC ingest endpoint URL you identified in step 2 of the above section into the box that says Webhook URL.
- Click JSON to edit the JSON payload for the API request that will be sent upon the trigger event. For the Splunk HEC endpoint, you must add the "event" keyword to the payload, as in the following example:
  {
    "event": {
      "alert_url": "{{alert.rigor_url}}",
      "alert_status": "{{alert.status}}",
      "time": "{{alert.time}}",
      "color": "{{alert.color}}",
      "check_name": "{{check.name}} {{alert.status}}",
      "check_url": "{{check.rigor_url}}",
      "alert_description": "{{alert.description}}",
      "location": "{{alert.location}}",
      "screenshot_url": "{{alert.screenshot_url}}",
      "notified": "{{alert.notified}}"
    },
    "sourcetype": "synthetics:notification:fail"
  }
- Edit the JSON as needed and then click Save. For more information about formatting events for the Splunk HEC endpoint, see Format events for HTTP Event Collector.
- (Optional) Under Triggers, repeat steps 6-8 for the other trigger option (either "when failed" or "when back online," whichever you did not use in the first trigger).
- Click Test to test your webhook by sending a request to the API endpoint.
- Click Create to save the webhook.
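The following added example (not part of the Splunk documentation) lints a rendered webhook body against the HEC event format required in the JSON step above: a top-level "event" key, only HEC metadata keys beside it, and no leftover {{...}} placeholders. The `render` function is a hypothetical stand-in for Synthetic Monitoring's placeholder substitution, and the sample values are constructed.

```python
import json
import re

# Top-level keys accepted by HEC's JSON event format; other data goes inside "event".
HEC_TOP_LEVEL_KEYS = {"event", "time", "host", "source", "sourcetype", "index", "fields"}
PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

# Shortened copy of the payload from the JSON step.
TEMPLATE = '''{ "event": { "alert_status": "{{alert.status}}",
  "check_name": "{{check.name}} {{alert.status}}",
  "alert_description": "{{alert.description}}" },
  "sourcetype": "synthetics:notification:fail" }'''

# Constructed sample values; the description carries quotes on purpose.
SAMPLE = {"alert.status": "failed", "check.name": "Login page",
          "alert.description": 'Expected "200 OK", got 503'}

def render(template, values):
    """Stand-in for placeholder substitution (assumption): JSON-escapes each value."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)  # keep unknown placeholders so lint reports them
        return json.dumps(str(values[name]))[1:-1]
    return PLACEHOLDER.sub(sub, template)

def lint_hec_payload(rendered):
    """Return a list of problems; an empty list means the body is HEC-shaped."""
    try:
        body = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["payload must be a JSON object"]
    problems = []
    if body.get("event") in (None, "", {}, []):
        problems.append('missing or empty "event" key')
    for key in sorted(set(body) - HEC_TOP_LEVEL_KEYS):
        problems.append(f'unexpected top-level key "{key}"')
    for name in sorted(set(PLACEHOLDER.findall(rendered))):
        problems.append(f"unrendered placeholder {{{{{name}}}}}")
    return problems

if __name__ == "__main__":
    print(lint_hec_payload(render(TEMPLATE, SAMPLE)) or "payload OK")
```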
Add your webhook to a check
You need to add your webhook to each check you want to send notifications from. To add your webhook to a check, do the following:
- Navigate to a check in Splunk Synthetic Monitoring, click the gear icon, and select Edit from the dropdown.
- Under Notify, select your new webhook from the dropdown. Use the second toggle menu to select your desired notification frequency.
- Click Save.
With the webhook set up, alerts from this check will trigger requests in Splunk Web.