Re: Dashboard Webhooks to Splunk

sungod · ‎06-20-2023

I had a customer request to send alert webhooks into Splunk.

Couldn't find it documented, nor on this forum or Splunk's site, and searching only turned up a few people asking how to do it, I gave up and figured it out.

To save time if you ever need to do it...

Make sure Early API Access is enabled on the organization, this activates the "Add or edit webhook templates" feature on the Network-wide->Alerts page.

To start with, create a new template (I suggest start by copying the Meraki one), then edit it to add a Liquid header with this key...

Authorization

...and value...

Splunk {{ sharedSecret }}

...note that there's a space after Splunk.

Click 'generate preview' and you'll see...

{
  "Authorization": "Splunk "
}

Back to the Alerts page, add your receiver's Name, URL, Shared secret, and choose the payload template you just created.

Save and test.

DexterLaBora · ‎06-27-2023

Thanks @sungod for posting your solution. I'm glad you found the webhook templates, because this is exactly what they were made for.

I started writing a template for Splunk, but did not have a test environment to verify. Here is what I have created so far, but I would love some validation. This can then be shared on our github repo containing all of our open source webhook templates.

HTTP Server URL: https://mysplunkserver.example.com:8088/services/collector/event

sharedSecret set to your Splunk Token (i.e. `12345678-1234-1234-1234-1234567890AB`)

Splunk API Docs

Headers template

{
  "Authorization": "Splunk {{sharedSecret}}",
  "X-Splunk-Request-Channel":	"XXXXXX"
}

Body template

{
  "time":{{sentAt | date:"%s"}},
  "host": "api.meraki.com",
  "source": "{{networkName}}",
  "sourceType":"main",
  "event" : {
    "sentAt": "{{sentAt}}",
    "organizationId": "{{organizationId}}",
    "organizationName": "{{organizationName}}",
    "organizationUrl": "{{organizationUrl}}",
    "networkId": "{{networkId}}",
    "networkName": "{{networkName}}",
    "networkUrl": "{{networkUrl}}",
    "networkTags": {{ networkTags | jsonify }},
    "deviceSerial": "{{deviceSerial}}",
    "deviceMac": "{{deviceMac}}",
    "deviceName": "{{deviceName}}",
    "deviceUrl": "{{deviceUrl}}",
    "deviceTags": {{ deviceTags | jsonify }},
    "deviceModel": "{{deviceModel}}",
    "alertId": "{{alertId}}",
    "alertType": "{{alertType}}",
    "alertTypeId": "{{alertTypeId}}",
    "alertLevel": "{{alertLevel}}",
    "occurredAt": "{{occurredAt}}",
    "alertData": {{ alertData | jsonify }}
  }
}

sungod · ‎06-27-2023

Hi,

I don't have a test system either, am reliant on the customer checking things at their end, I'd used https://webhook.site/ as a test receiver to get things to point I was ready to test with the customer.

As well as the header I used, they asked for some specific elements in the body, I don't think these are mandatory, just reflect the way they've set up Splunk for the various things they use it for. My guess is Splunk is so configurable that the body will often need adapting.

{
"index":"an ID the customer wanted",
"source":"another ID the customer wanted",
"sourcetype":"here they wanted Cisco-Meraki",
"event":{
#in here I simply used the default Meraki template
}}

DexterLaBora · ‎06-27-2023

Okay, same here. Let us know how the testing goes. There were a lot of options, so I am curious what the end-to-end solution and experience looks like. Send a screenshot of the final message in Splunk if you can (hide any sensitive info obviously).

Thanks!

sungod · ‎06-27-2023

I had a screenshot from the testing, it's not very exciting, Splunk is showing all the fields ok, same as I saw them using the test receiver, though they are shown alphabetically sorted by Splunk.

Once we go live I think they may want to refine the body, but that's probably customer specific rather than to do with Splunk.