Splunk Detector Alerts
The built-in Splunk Detector Alerts trigger initiates a flow when it receives a signal from a Splunk Infrastructure Monitoring (formerly SignalFx) detector.
- Go to the Triggers tab in the palette, expand the App Triggers section, and drag the trigger onto the canvas.
- Double-click the trigger (or click the pencil icon).
- Set the authenticating user, and then copy the URL — you'll use this to set up the webhook in Splunk. Alternatively, you can create an integration user to use as the authenticating user.
- Click the Flood Control tab to edit the trigger's default flood control settings. For more information about these settings, see Trigger Flood Control.
- Click Done.
- On the flow canvas, connect the steps you want to run when xMatters receives a request to that URL.
You're now ready to configure Splunk to target the trigger.
Configure Splunk to send requests to the trigger URL
To have Splunk send alerts to the flow trigger, you need to configure a webhook and set it to use the trigger URL. You can either set up a new detector and alert rule using the Splunk Infrastructure Monitoring documentation, or modify one of your existing alert rules.
To modify an existing alert rule:
- In the Splunk Observability platform and select Alerts from the left-hand menu.
- Click the Detectors tab and select the detector you want to use to notify xMatters.
- Select an alert rule and click it's name or Edit to add xMatters as a recipient.
- In the Alert recipients section, click Add Recipient and select Webhook.
- Click Custom.
- In the URL field, paste the trigger URL you copied from the Splunk Detector Alerts trigger on the Flow Designer canvas.
- Add the target names of any recipients you want xMatters to notify when the alert fires to the end of the URL.
- For URL authentication, use an ampersand to attach recipients. For example, if you want to notify Emma Pearson and the on-call members in the group responsible for the Antares service, you'd add &recipients=epearson,antares to the URL.
- You must URL-encode any special characters or spaces in the target names.
- Click Update.
- In the Alert recipients section, click Done.
- To save your changes, click Update Alert Rule.
You're ready to use the webhook to trigger automated flows, including steps such as sending alerts and initiating incidents, though we always recommend testing before putting things into use.
The trigger has the following outputs you can use as inputs to steps further along the flow.
|Recipients||List of targeted recipients. Recipients are set by adding a recipients query parameter to the trigger URL when you configure the webhook in Splunk.|
|Signal Mode||Determines the flow path to follow, based on the value of the Status parameter.|
|Signal ID||Key or identifier used to terminate or correlate events/signals.|
|Condition Name||Name of the condition that triggered the alert.|
|Description||Description of the condition provided by the Splunk Detector alert.|
|Detector||Name of the Splunk Detector.|
|Detector URL||Direct link to the embedded Splunk Detector.|
|Incident ID||Unique ID of the incident in Splunk.|
|Message Body||Message content containing condition name, threshold and timestamp.|
|Rule||Name of the rule in Splunk.|
|Runbook URL||Link to more information on how to process the notification from Splunk.|
|Severity||Severity of the alert.|
|Status||Status of the alert.|
|Timestamp||Timestamp of when the trigger fired.|
|Tip||Suggested first course of action upon receipt of the notification, as specified by Splunk.|
|Raw Request||JSON representation of the request that can be parsed separately to get additional context on outputs.|