Dashboard Webhooks to Splunk

Head in the Cloud
Head in the Cloud

Dashboard Webhooks to Splunk

I had a customer request to send alert webhooks into Splunk.


Couldn't find it documented, nor on this forum or Splunk's site, and searching only turned up a few people asking how to do it, I gave up and figured it out.


To save time if you ever need to do it...


Make sure Early API Access is enabled on the organization, this activates the "Add or edit webhook templates" feature on the Network-wide->Alerts page.


To start with, create a new template (I suggest start by copying the Meraki one), then edit it to add a Liquid header with this key...




...and value...


Splunk {{ sharedSecret }}


...note that there's a space after Splunk.


Click 'generate preview' and you'll see...



  "Authorization": "Splunk "


Back to the Alerts page, add your receiver's Name, URL, Shared secret, and choose the payload template you just created.
Save and test.
Meraki Employee
Meraki Employee

Thanks @sungod for posting your solution. I'm glad you found the webhook templates, because this is exactly what they were made for. 

I started writing a template for Splunk, but did not have a test environment to verify. Here is what I have created so far, but I would love some validation. This can then be shared on our github repo containing all of our open source webhook templates.

sharedSecret set to your Splunk Token (i.e. `12345678-1234-1234-1234-1234567890AB`)


Headers template

  "Authorization": "Splunk {{sharedSecret}}",
  "X-Splunk-Request-Channel":	"XXXXXX"


Body template

  "time":{{sentAt | date:"%s"}},
  "host": "api.meraki.com",
  "source": "{{networkName}}",
  "event" : {
    "sentAt": "{{sentAt}}",
    "organizationId": "{{organizationId}}",
    "organizationName": "{{organizationName}}",
    "organizationUrl": "{{organizationUrl}}",
    "networkId": "{{networkId}}",
    "networkName": "{{networkName}}",
    "networkUrl": "{{networkUrl}}",
    "networkTags": {{ networkTags | jsonify }},
    "deviceSerial": "{{deviceSerial}}",
    "deviceMac": "{{deviceMac}}",
    "deviceName": "{{deviceName}}",
    "deviceUrl": "{{deviceUrl}}",
    "deviceTags": {{ deviceTags | jsonify }},
    "deviceModel": "{{deviceModel}}",
    "alertId": "{{alertId}}",
    "alertType": "{{alertType}}",
    "alertTypeId": "{{alertTypeId}}",
    "alertLevel": "{{alertLevel}}",
    "occurredAt": "{{occurredAt}}",
    "alertData": {{ alertData | jsonify }}



I don't have a test system either, am reliant on the customer checking things at their end, I'd used https://webhook.site/ as a test receiver to get things to point I was ready to test with the customer.


As well as the header I used, they asked for some specific elements in the body, I don't think these are mandatory, just reflect the way they've set up Splunk for the various things they use it for. My guess is Splunk is so configurable that the body will often need adapting.


"index":"an ID the customer wanted",
"source":"another ID the customer wanted",
"sourcetype":"here they wanted Cisco-Meraki",
#in here I simply used the default Meraki template


Okay, same here. Let us know how the testing goes. There were a lot of options, so I am curious what the end-to-end solution and experience looks like. Send a screenshot of the final message in Splunk if you can (hide any sensitive info obviously).




I had a screenshot from the testing, it's not very exciting, Splunk is showing all the fields ok, same as I saw them using the test receiver, though they are shown alphabetically sorted by Splunk.


Once we go live I think they may want to refine the body, but that's probably customer specific rather than to do with Splunk.



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.