You can configure Splunk to send alert notifications to a Slack channel or through email.
Slack
Prerequisites:
- The Slack app should already be installed in your Splunk setup.
- Connect Slack and Splunk using webhooks. For more information on Slack webhooks, see Incoming Webhooks.
Complete the following steps to create an alert for Slack:
- Navigate to Settings > Searches, reports, and alerts.
Note: The alert should be created for App: Search & Reporting (search).
- Create a new alert. Enter the values as described below (Value: Description):
  Description: PingIntelligence for APIs Alert
  Search: index="pi_events" sourcetype="pi_events_source_type" access_type="attack"
  Alert Type: Scheduled -> Run on Cron Schedule
  Cron Expression: */10 * * * *
  Time Range: 600
  Expires: 24 hours
  Trigger alert when: Number of Results is greater than 0
  Trigger: For each result. This triggers a new alert for each event.
  Throttle: Do not throttle the events.
- Configure the alert action. Enter the values as described below (Value: Description):
  Add Actions: Choose the Slack app to add actions.
  Channel: Use the channel that has been configured with the webhook URL; the channel name starts with either # or @. In this example, the channel name is #PingIntelligence_alerts.
  Message: The message that is posted along with the alert in Slack. We recommend the following message:
    -------------------------------------------------------
    $result.attack_type$ has been detected on API: $result.api_name$
    -----------------------------------------------------------------
    More details : `$result._raw$`
  Attachments: NA
  Fields: NA
  Webhook URL: NA
- Post a message in Splunk to verify that Slack is notified.
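As an added example (not part of this page or of the PingIntelligence or Splunk Slack app code), the following Python shows what the alert above produces: it keeps only results matching the access_type="attack" search, renders the recommended message once per result (the "For each result" trigger), and builds one Slack incoming-webhook payload per match. The sample results, the single-line form of the message, the empty-string substitution for missing fields, and the Slack markup escaping of field values are assumptions.

```python
import json
import re

# Constructed sample results, shaped like fields from the pi_events search
# (the attack_type and api_name values are made up for this example).
SAMPLE_RESULTS = [
    {"access_type": "attack", "attack_type": "Data Exfiltration",
     "api_name": "shop_api",
     "_raw": '{"api":"shop_api","client":"<redacted>"}'},
    {"access_type": "normal", "attack_type": "", "api_name": "shop_api",
     "_raw": '{"api":"shop_api"}'},
]

# The message recommended on this page, collapsed to one line;
# $result.<field>$ are Splunk result tokens.
MESSAGE_TEMPLATE = (
    "$result.attack_type$ has been detected on API: $result.api_name$ "
    "More details : `$result._raw$`"
)

CHANNEL = "#PingIntelligence_alerts"

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def slack_escape(text):
    """Escape the three characters Slack treats as markup control characters.
    Raw attack events can contain '<' or '&', which Slack would otherwise
    interpret as links or entities."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_message(template, result):
    """Substitute $result.<field>$ tokens; a missing field renders as "" (assumed)."""
    return TOKEN_RE.sub(lambda m: slack_escape(result.get(m.group(1), "")), template)


def matches_search(result):
    """Mirror the access_type="attack" clause of the saved search."""
    return result.get("access_type") == "attack"


def build_payloads(results, template=MESSAGE_TEMPLATE, channel=CHANNEL):
    """One webhook payload per matching result, i.e. the per-result trigger."""
    return [{"channel": channel, "text": render_message(template, r)}
            for r in results if matches_search(r)]


if __name__ == "__main__":
    for payload in build_payloads(SAMPLE_RESULTS):
        print(json.dumps(payload))
```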