Splunk

How to send a Splunk alert to create an issue in Jira



  1. Create a new Alert in Splunk and choose Webhook as the trigger action:
    https://docs.splunk.com/Documentation/Splunk/8.2.0/Alert/Webhooks

  2. In the webhook URL field, enter https://<<jira_username>>:base64encoded_password@<<jira_base_url>>/rest/restfulintegrator/1.0/incoming/splunk


  3. Note: you can use the Base64 Encoder shipped with iHub to encode the password. This is needed because Jira requires a login before data can be sent to the iHub incoming service.

  4. Splunk will fire off a payload like this:

    {
      "result": { "sourcetype": "mongod", "count": "8" },
      "sid": "scheduler_admin_search_W2_at_14232356_132",
      "results_link": "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
      "search_name": null,
      "owner": "admin",
      "app": "search"
    }



  5. Go to iHub Integrations

  6. Click Create 

  7. Enter name Splunk: Create Issue

  8. Select Jira Core as template category

  9. Select Create Issue as a template

  10. Click Create

  11. On the Configure page, select a Basic Auth credential; this is the user that will create the ticket in Jira. See Credentials for more info.

  12. Modify the body to match your configuration of Jira. Map the alert data as you want it to appear on the ticket.

  13. {
        "fields": {
          "project": { "key": "ABC" },
          "summary": "Splunk Alert: {{sid}}",
          "issuetype": { "name": "Task" },
          "description": "Splunk alert sid {{sid}} with {{owner}} has triggered an alert!",
          "reporter": { "name": "kg" },
          "labels": [ "splunk" ],
          "customfield_10201": "{{results_link}}"
        }
      }
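To check a body template before saving it in iHub, it helps to render it locally against the payload Splunk sends and confirm the result is still valid JSON. The script below is an added example, not code from iHub or Splunk: it substitutes the {{sid}}, {{owner}} and {{results_link}} placeholders from the page's template with the top-level fields of the sample payload shown in step 4 (constructed here inline). The JSON escaping of substituted values is this example's own choice, so that a Splunk field containing a quote cannot break the body; whether iHub escapes values the same way is not stated on this page.

```python
import json
import re

# Constructed sample: the payload shape Splunk posts to the webhook (as in step 4).
SPLUNK_PAYLOAD = {
    "result": {"sourcetype": "mongod", "count": "8"},
    "sid": "scheduler_admin_search_W2_at_14232356_132",
    "results_link": "http://web.example.local:8000/app/search/@go?sid=scheduler_admin_search_W2_at_14232356_132",
    "search_name": None,
    "owner": "admin",
    "app": "search",
}

# The Create Issue body from step 13, with {{name}} placeholders for Splunk fields.
JIRA_BODY_TEMPLATE = """{
  "fields": {
    "project": { "key": "ABC" },
    "summary": "Splunk Alert: {{sid}}",
    "issuetype": { "name": "Task" },
    "description": "Splunk alert sid {{sid}} with {{owner}} has triggered an alert!",
    "reporter": { "name": "kg" },
    "labels": [ "splunk" ],
    "customfield_10201": "{{results_link}}"
  }
}"""

# Matches {{sid}}, {{ owner }}, etc. Only top-level payload keys are used here,
# because those are the only ones the page's template references.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_]+)\s*\}\}")


def render(template: str, payload: dict) -> str:
    """Replace each {{name}} with payload[name], JSON-escaped (example's own choice)."""

    def substitute(match: re.Match) -> str:
        value = payload.get(match.group(1))
        text = "" if value is None else str(value)
        # json.dumps yields a quoted string; drop the outer quotes because the
        # template already supplies them around the placeholder.
        return json.dumps(text)[1:-1]

    return PLACEHOLDER.sub(substitute, template)


def build_jira_issue(payload: dict, template: str = JIRA_BODY_TEMPLATE) -> dict:
    """Render the template and parse it, so a broken body fails here rather than in Jira."""
    return json.loads(render(template, payload))


def unresolved_placeholders(template: str, payload: dict) -> list:
    """Placeholder names in the template that the payload does not carry."""
    return [name for name in PLACEHOLDER.findall(template) if name not in payload]


if __name__ == "__main__":
    issue = build_jira_issue(SPLUNK_PAYLOAD)
    print(json.dumps(issue, indent=2))
    print("unresolved:", unresolved_placeholders(JIRA_BODY_TEMPLATE, SPLUNK_PAYLOAD))
```

Run it once with a real payload captured from your own Splunk instance; `unresolved_placeholders` reports any template field the alert does not actually provide, which would otherwise reach Jira as an empty string.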

Receiving Splunk alert

  1. Click Save

  2. Goto Incoming Webhooks and Click New Rule

  3. Enter a name, like Splunk Alert

  4. Click Add Condition

  5. Select URL condition

  6. Set the Operand to ~ (a tilde, which means wildcard)

  7. In Compare with, enter splunk and press Add

  8. This makes iHub route incoming calls to this rule when the URL contains splunk, like the one we crafted in the beginning: https://<<jira_username>>:base64encoded_password@<<jira_base_url>>/rest/restfulintegrator/1.0/incoming/splunk

  9. Select the Splunk: Create Issue action that we created above

  10. Hit the Save button



Now you can test the whole flow by triggering an alert or by sending a request with Postman or another HTTP testing tool.