Alert notification on Slack and Email
You can configure Splunk to send alert notification to a Slack channel or through and email.
Slack
Prerequisites:
-
The Slack app should already be installed in your Splunk setup.
-
Connect Slack and Splunk using webhooks. For more information on Slack webhooks, see Incoming Webhooks
Complete the following steps to create an alert for Slack:
-
Navigate to Settings ̶> Searches, reports and alerts
Alert should be created for App: Search & Reporting(search) -
Create new alerts.
Enter the values as described in the table below:
Value Description Description
PingIntelligence for APIs Alert
Search
Search: index="pi_events"
sourcetype="pi_events_source_type"
access_type="attack"
Alert Type
Scheduled → Run on Cron Schedule
Cron Expression
*/10 * * * *
Time Range
600
Expires
24-hours
Trigger alert when
The alert should be triggered for results when greater than 0
Trigger
For each result. This would trigger a new alert for each event.
Throttle
Do not throttle the events
-
Configure alert.
Value Description Add Actions
Choose the slack app to add actions
Channel
Use the channel which has been configured with webhook URL which starts with either # or @
In this example, we are using channel name as:
#PingIntelligence_alerts
Message
This is the message that will be posted along with the alert in Slack. We recommend using the below message:
------------------------------------------------------- $result.attack_type$ has been detected on API: $result.api_name$ ----------------------------------------------------------------- More details :
$result._raw$
Attachments
NA
Fields
NA
Webhook URL
NA
-
Post a message in Splunk to verify that it is notified in Slack