We continue the alert topic in Splunk. Earlier we talked about how to set up sending email alerts, and today we will show you how to send notifications to instant messengers such as Telegram and Slack.

In this article you will find step-by-step instructions for setting everything up.
We will walk through both cases using the example of an alert about failed authentication attempts when logging in to Splunk (we described how to create such an alert in the previous article). The log on which the alert's search is based is recorded and indexed automatically and is available to everyone who has Splunk, so even if you have no current need for alerts, you can test everything on the same example as ours. If you do not have Splunk and do not know what it is, why you need it or how to install it, read what we wrote about it earlier.
Each alert can have one or more actions attached to it. Out of the box, Splunk can show a notification in Splunk itself, write the event to another index, write it to a directory, send a message by e-mail or run a custom script.
To send messages to the messengers, we need to install a couple of free applications.
Telegram
1. Download the Telegram Alert Action application from the SplunkBase website at the following link.
2. Install the application (if you do not know how to do this, expand this item):
- Go to Splunk Enterprise;
- In the application menu, click the Manage Apps icon (the blue gear);
- Click Install app from file;
- Select the file we just downloaded;
- Click Upload;
- Restart Splunk.
3. Now we can add the Telegram action to our alert:
“Search & Reporting” - “Alerts” - “Edit” - “Edit Alert” - “Add Actions” - “Telegram Alert”
As we can see, to send a message we need a Bot ID and a Chat ID. If you already have them, you are at the finish line; if not, let's create our own bot.
4. Get the Bot ID and Chat ID
- To get a Bot ID, write to the @BotFather bot and ask it to create a new bot (the /newbot command);
- Enter the name of your bot and its username (the username must end in "bot"); in reply you receive the bot's identifier;
- Open a dialogue with your newly created bot and send it any message;
- Open the following link in the browser, replacing <bot_id> with the received identifier: https://api.telegram.org/bot<bot_id>/getUpdates
- In the JSON response, find the value of the "id" parameter (the one inside the "chat" object); this is the Chat ID.
5. Fill in all fields of the Telegram Alert action. Dollar signs delimit tokens that carry values from the search results into the message. You can read more about tokens here.
Message: . : $result.time$ : $result.src$ : $result.user$ : $result.action$ : $result.info$
Severity: High
Chat ID: chat_id
Bot ID: bot_id
6. Receive notification in Telegram
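As an added example (not part of the original article or of the Telegram Alert Action app), here is a small Python script that does the two manual steps above offline: it pulls the Chat ID out of a getUpdates response and substitutes the $result.<field>$ tokens into the message template from step 5. The getUpdates body and the result row are constructed samples, and BOT_ID_PLACEHOLDER stands in for the identifier BotFather gives you.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample of what https://api.telegram.org/bot<bot_id>/getUpdates
# returns after you have sent one message to your new bot (step 4).
SAMPLE_GET_UPDATES = json.dumps({
    "ok": True,
    "result": [
        {
            "update_id": 100000001,
            "message": {
                "message_id": 1,
                "from": {"id": 123456789, "is_bot": False, "first_name": "Alice"},
                "chat": {"id": 123456789, "first_name": "Alice", "type": "private"},
                "date": 1530000000,
                "text": "hello",
            },
        }
    ],
})

# Constructed sample of one row of the failed-login search result, as Splunk
# exposes it to the alert action through $result.<field>$ tokens.
SAMPLE_RESULT = {
    "time": "2018-06-20 10:15:42",
    "src": "203.0.113.7",
    "user": "admin",
    "action": "login attempt",
    "info": "failed",
}

# Message template from step 5 of the article (Splunk token syntax).
TEMPLATE = "$result.time$ : $result.src$ : $result.user$ : $result.action$ : $result.info$"

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def chat_ids_from_updates(body):
    """Return the distinct chat ids found in a getUpdates response (step 4).

    The Chat ID is message.chat.id; a private chat with one user yields one id.
    """
    data = json.loads(body)
    if not data.get("ok"):
        raise ValueError("Telegram API returned ok=false")
    ids = []
    for update in data.get("result", []):
        chat = update.get("message", {}).get("chat", {})
        if "id" in chat and chat["id"] not in ids:
            ids.append(chat["id"])
    return ids


def render_message(template, result):
    """Substitute $result.field$ tokens with values from one result row (step 5).

    A field missing from the row renders as an empty string.
    """
    return TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def build_send_message_request(bot_id, chat_id, text):
    """Build (but do not send) the sendMessage request the alert action issues.

    bot_id is the value BotFather returned (a placeholder here); it is really
    the bot's token, so anyone holding it can post as the bot.
    """
    url = "https://api.telegram.org/bot%s/sendMessage" % bot_id
    payload = urlencode({"chat_id": chat_id, "text": text}).encode()
    return Request(url, data=payload, method="POST")


if __name__ == "__main__":
    chat_id = chat_ids_from_updates(SAMPLE_GET_UPDATES)[0]
    text = render_message(TEMPLATE, SAMPLE_RESULT)
    req = build_send_message_request("BOT_ID_PLACEHOLDER", chat_id, text)
    print(chat_id, text, req.full_url, sep="\n")
```

Because the Bot ID is the bot's token and the Chat ID tells the bot where to post, the pair is effectively a credential for the alert channel; store it only in the Splunk alert configuration and do not paste it into searches or dashboards.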

Slack
1. Download the Slack alert action application from the SplunkBase website at the following link.
2. Install the application (the installation process is described above).
3. At the end of the installation, the application asks for the Webhook URL.

4. To get the Webhook URL, go to the apps section in Slack, find the Incoming WebHooks application, then click “Install” - “Add configuration”.
5. Select from the drop-down list the channel to which notifications will be sent (or create a new one). This can be a shared channel or direct messages to a particular user. Then click the "Add Incoming WebHooks Integration" button.
6. Copy the Webhook URL that needs to be specified in Splunk.

7. Add a new action to our alert:
“Search & Reporting” - “Alerts” - “Edit” - “Edit Alert” - “Add Actions” - “Slack”, specifying the name of the channel for which we set up the integration.

8. Receive notification in Slack
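As an added example (not code from the article or from the Splunk Slack app), the following Python script shows what the Slack action does with the Webhook URL from step 6: it checks that a pasted URL has the shape of a Slack Incoming WebHook before it is stored in Splunk, builds the JSON document the webhook accepts from the alert's result rows (with the optional channel override from step 7), and posts it. The result rows and WEBHOOK_URL_PLACEHOLDER are constructed values.

```python
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed sample rows of the failed-login alert result (not real data).
SAMPLE_ROWS = [
    {"time": "2018-06-20 10:15:42", "src": "203.0.113.7", "user": "admin",
     "action": "login attempt", "info": "failed"},
    {"time": "2018-06-20 10:15:49", "src": "203.0.113.7", "user": "admin",
     "action": "login attempt", "info": "failed"},
]

# Placeholder with the shape of a real webhook URL; the real one comes from step 6.
WEBHOOK_URL_PLACEHOLDER = (
    "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
)


def is_slack_webhook_url(url):
    """Sanity check before pasting into Splunk.

    Accept only https URLs on hooks.slack.com whose path looks like
    /services/<team>/<bot>/<secret>; this catches truncated copies and
    URLs that would send alert contents to some other host.
    """
    p = urlparse(url)
    parts = p.path.strip("/").split("/")
    return (
        p.scheme == "https"
        and p.netloc == "hooks.slack.com"
        and len(parts) == 4
        and parts[0] == "services"
        and all(parts[1:])
    )


def build_slack_payload(alert_name, rows, channel=None):
    """Build the JSON document an Incoming WebHook accepts (steps 5 and 7).

    One line per result row, in the same time : src : user : action : info
    order as the Telegram message. `channel` overrides the default channel
    chosen when the integration was created.
    """
    lines = ["*%s*: %d result(s)" % (alert_name, len(rows))]
    for r in rows:
        lines.append("%s : %s : %s : %s : %s" % (
            r.get("time", ""), r.get("src", ""), r.get("user", ""),
            r.get("action", ""), r.get("info", "")))
    payload = {"text": "\n".join(lines)}
    if channel:
        payload["channel"] = channel
    return payload


def post_to_slack(url, payload, timeout=10):
    """Send the payload; Slack answers with the body 'ok' on success."""
    if not is_slack_webhook_url(url):
        raise ValueError("refusing to post to a non-Slack webhook URL")
    req = Request(url, data=json.dumps(payload).encode(),
                  headers={"Content-Type": "application/json"}, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    payload = build_slack_payload("Failed Splunk logins", SAMPLE_ROWS,
                                  channel="#splunk-alerts")
    print(json.dumps(payload, indent=2))
    # post_to_slack(WEBHOOK_URL_PLACEHOLDER, payload)  # needs a real URL
```

The webhook URL carries no separate authentication: whoever has it can post into the channel, so keep it in the Splunk app configuration only, and rotate it from the Incoming WebHooks page in Slack if it ever leaks.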

Conclusion
Thus, we have set up alerts from Splunk to the Telegram and Slack messengers, which lets you always be aware of what is happening in your IT systems and keep your finger on the pulse.
We are happy to answer all your questions and comments on this topic. Also, if you are interested in something specific in this area, or in the field of machine data analysis in general, we are ready to adapt the existing solutions to your particular task. To do this, write about it in the comments or simply send us a request through the form on our website.
PS
On June 28, 2018, the “Splunk Getting Started” course will be taught in Moscow, where in 6 hours the participants will receive a theoretical base and practical skills for working in Splunk. Learn more about the training and register at this link.