Alert in Telegram and Slack in real time. Or how to make Alert in Splunk - Part 2
- Tutorial
We continue the topic of alerts in Splunk. Earlier we talked about how to set up sending notifications by e-mail; today we will show how to send notifications to instant messengers such as Telegram and Slack.
The article contains step-by-step instructions for the setup.
We will analyze both cases using as an example the alert on unsuccessful authentication attempts when logging in to Splunk (we wrote about how to create such an alert in a previous article). The log on which the alert's search is based is recorded and indexed automatically and is available to everyone who has Splunk. Therefore, even if you do not currently have an urgent need for alerts, you can test everything using the same example as ours. If you do not have Splunk and do not know what it is, why it is needed or how to install it, you can read what we wrote about this earlier.
Actions can be added to each alert when it is created. By default, Splunk can notify within Splunk itself (Triggered Alerts), log the event to another index, write the results to a lookup, send an e-mail, or run a custom script.
To send messages to instant messengers, we will need to install a few free applications.
Telegram
1. Download the Telegram Alert Action application from the SplunkBase website at the following link
2. Install the application (if you do not know how to do this, expand this item):
- Go to Splunk Enterprise;
- In the application menu, click the Manage Apps icon (blue gear);
- Click Install app from file;
- Select the file we just downloaded;
- Click Upload;
- Restart Splunk.
3. Now we can add a Telegram action to our alert:
“Search & Reporting” - “Alerts” - “Edit” - “Edit Alert” - “Add Actions” - “Telegram Alert”
As we can see, to send a message we need a Bot ID and a Chat ID. If you already have them, you are already at the finish line; if not, let's create our own bot.
4. Get the Bot ID and Chat ID
- To obtain a Bot ID, contact the @BotFather bot and ask it to create a new bot (the /newbot command);
- Enter the display name of your bot and its username (the username must end with "bot");
- Open a dialogue with the bot you created and send it any message;
- Open the following link in the browser, substituting the identifier you received for <token>: api.telegram.org/bot<token>/getUpdates
- In the JSON response, find the value of the id field inside the chat object; this is the Chat ID.
5. Fill in all the fields of the Telegram Alert. The dollar signs denote tokens that carry information from the search and its results into the message. You can read more about tokens at the link.
6. We receive a notification in Telegram:
Message: An unsuccessful login attempt was made. Time: $result.time$ Source: $result.src$ User: $result.user$ Action: $result.action$ Status: $result.info$
Severity: High
Chat ID: your chat_id
Bot ID: your bot_id
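The two data-handling pieces of the Telegram steps above (picking the Chat ID out of the getUpdates reply in step 4, and expanding the $result.<field>$ tokens of the message in step 5) can be checked offline before touching the Splunk UI. The Python below is an added example written for this article; it is not code from the article itself nor from the Telegram or Slack SplunkBase apps. It works on a constructed getUpdates reply with made-up ids, uses the same field names as the article's message (time, src, user, action, info), and only builds the request bodies that a Telegram sendMessage call and a Slack Incoming Webhook (next section) would receive, without sending anything; the function names are my own.

```python
"""Added example, not code from the original article or from the SplunkBase
apps it describes. Shows, offline and on constructed data, how the Chat ID is
read out of a getUpdates reply (step 4) and how Splunk-style $result.<field>$
tokens are expanded into the alert message (step 5), then builds the request
bodies for Telegram sendMessage and the Slack Incoming Webhook. All ids and
values below are made up."""
import json
import re
from typing import Dict, List

# Constructed sample of what https://api.telegram.org/bot<token>/getUpdates
# returns after you have sent your new bot one message (fake ids).
SAMPLE_GET_UPDATES = json.dumps({
    "ok": True,
    "result": [{
        "update_id": 100000001,
        "message": {
            "message_id": 1,
            "from": {"id": 123456789, "is_bot": False, "first_name": "Alice"},
            "chat": {"id": 123456789, "first_name": "Alice", "type": "private"},
            "date": 1700000000,
            "text": "hello",
        },
    }],
})

# Constructed reply for a wrong bot token, shaped like Telegram's error envelope.
SAMPLE_BAD_TOKEN = json.dumps({"ok": False, "error_code": 401, "description": "Unauthorized"})


def extract_chat_ids(get_updates_json: str) -> List[int]:
    """Return the distinct chat ids found in a getUpdates reply.

    The reply carries several ids (update_id, message_id, from.id, chat.id);
    the Splunk action needs chat.id. Raises ValueError when Telegram answers
    with ok=false (e.g. invalid token) instead of silently returning [].
    """
    payload = json.loads(get_updates_json)
    if not payload.get("ok"):
        raise ValueError(f"Telegram API error: {payload.get('description', 'unknown')}")
    ids: List[int] = []
    for update in payload.get("result", []):
        chat_id = update.get("message", {}).get("chat", {}).get("id")
        if chat_id is not None and chat_id not in ids:
            ids.append(chat_id)
    return ids


# Splunk replaces $result.<field>$ with that field's value from the first
# result row of the triggering search; this regex mirrors that token syntax.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")

# The article's message template (translated from the Russian original).
MESSAGE_TEMPLATE = (
    "An unsuccessful login attempt was made. Time: $result.time$ "
    "Source: $result.src$ User: $result.user$ Action: $result.action$ "
    "Status: $result.info$"
)


def expand_tokens(template: str, result_row: Dict[str, str]) -> str:
    """Expand every $result.<field>$ token from one search-result row.

    A field missing from the row becomes "N/A", so a renamed or absent field
    is visible in the chat instead of showing up as a raw, unexpanded token.
    """
    return TOKEN_RE.sub(lambda m: str(result_row.get(m.group(1), "N/A")), template)


def build_telegram_payload(chat_id: int, text: str) -> Dict[str, object]:
    """Body for POST https://api.telegram.org/bot<token>/sendMessage.
    The token lives only in the URL; keep it, like the Slack webhook URL, out
    of logs and search results, since both are bearer credentials for posting."""
    return {"chat_id": chat_id, "text": text}


def build_slack_payload(text: str) -> Dict[str, str]:
    """Body for POST to the Slack Incoming Webhook URL. The target channel is
    chosen when the webhook is created in Slack (step 5 of the Slack section),
    so only the text needs to be sent."""
    return {"text": text}


if __name__ == "__main__":
    # Constructed result row, shaped like one event of the failed-login alert.
    row = {"time": "2024-01-01 10:00:00", "src": "10.0.0.5",
           "user": "admin", "action": "login", "info": "failed"}
    text = expand_tokens(MESSAGE_TEMPLATE, row)
    chat_id = extract_chat_ids(SAMPLE_GET_UPDATES)[0]
    print(json.dumps(build_telegram_payload(chat_id, text), indent=2))
    print(json.dumps(build_slack_payload(text), indent=2))
```

Running the script prints the two request bodies for the constructed row. The getUpdates reply is empty (an empty result list) until you have written to the bot at least once, which is why step 4 asks you to send it a message first; the error branch covers the other common failure, a mistyped bot token, which Telegram reports with ok=false rather than with an empty list.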
Slack
1. Download the Slack alert action application from the SplunkBase website at the following link
2. Install the application (the installation process is described above).
3. At the end of the installation, the application will ask you to specify the Webhook URL.
4. To get the Webhook URL, go to the “Apps” section in Slack, find the Incoming WebHooks application, then “Install” - “Add configuration”.
5. Select the channel to which notifications will be sent from the drop-down list (or create a new one). This can be a shared channel or direct messages to a particular user. Next, click the “Add Incoming Webhooks Integration” button.
6. Get the Webhook URL, which must be specified in Splunk.
7. Add a new action to our alert: “Search & Reporting” - “Alerts” - “Edit” - “Edit Alert” - “Add Actions” - “Slack”, indicating the name of the channel for which we set up the integration.
8. We receive a notification in Slack.
Conclusion
Thus, we set up alerts from Splunk to Telegram and Slack messengers, which will allow you to always be aware of what is happening in your IT systems and keep your finger on the pulse.
We are happy to answer all your questions and comments on this topic. Also, if you are interested in something specific in this area, or in the field of machine data analysis in general, we are ready to adapt the existing solutions to your particular task. To do this, write about it in the comments or simply send us a request through the form on our website.