You can configure Splunk to send alert notifications to a Slack channel or by email.

Slack

Prerequisites:
  • The Slack app must already be installed in your Splunk setup.
  • Connect Slack and Splunk using webhooks. For more information on Slack webhooks, see Incoming Webhooks.
Complete the following steps to create an alert for Slack:
  1. Navigate to Settings > Searches, reports, and alerts
    Note: The alert must be created for App: Search & Reporting (search)
  2. Create a new alert
    Enter the values as described in the table below:
    Value               Description
    Description         PingIntelligence for APIs Alert
    Search              index="pi_events" sourcetype="pi_events_source_type" access_type="attack"
    Alert Type          Scheduled -> Run on Cron Schedule
    Cron Expression     */10 * * * *
    Time Range          600
    Expires             24 hours
    Trigger alert when  Number of results is greater than 0
    Trigger             For each result. This triggers a separate alert for each event.
    Throttle            Do not throttle the events
  3. Configure the alert action
    Value        Description
    Add Actions  Choose the Slack app to add actions
    Channel      Use the channel that has been configured with the webhook URL; the channel name starts with either # or @. In this example, the channel name is #PingIntelligence_alerts
    Message      The message that is posted along with the alert in Slack. We recommend using the following message:
                 -------------------------------------------------------
                 $result.attack_type$ has been detected on API: $result.api_name$
                 -----------------------------------------------------------------
                 More details :
                 `$result._raw$`
    Attachments  NA
    Fields       NA
    Webhook URL  NA
  4. Post a message from Splunk to verify that it is delivered to Slack.
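The same alert expressed as a savedsearches.conf stanza, as an added example that is not part of the original page or of PingIntelligence's own files; it lets the UI settings above be deployed from a file under version control. It assumes the file is placed in $SPLUNK_HOME/etc/apps/search/local/ (the Search & Reporting app named in step 1), and the action.slack.param.* key names are assumed from the Splunk Slack app and should be checked against that app's alert_actions.conf before use.

```ini
# Example stanza for $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf
# (added example, not from the original page or from PingIntelligence)
[PingIntelligence for APIs Alert]
description = PingIntelligence for APIs Alert
search = index="pi_events" sourcetype="pi_events_source_type" access_type="attack"

# Alert Type: Scheduled -> Run on Cron Schedule, every 10 minutes.
# Time Range 600: each run looks back 600 seconds, so consecutive runs
# cover contiguous windows with no gap and no overlap.
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -600s
dispatch.latest_time = now

# Trigger alert when: number of results is greater than 0
counttype = number of events
relation = greater than
quantity = 0

# Trigger: for each result (digest mode off => one alert per event);
# Expires: 24 hours; Throttle: do not throttle
alert.digest_mode = 0
alert.expires = 24h
alert.suppress = 0

# Slack alert action. Key names under action.slack.param.* are ASSUMED
# from the Splunk Slack app; verify against its alert_actions.conf.
# The recommended multi-line message is collapsed onto one line here.
action.slack = 1
action.slack.param.channel = #PingIntelligence_alerts
action.slack.param.message = $result.attack_type$ has been detected on API: $result.api_name$ - More details: `$result._raw$`
```

After saving the file, restart Splunk or reload the search app so the stanza appears under Settings > Searches, reports, and alerts, then complete step 4.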