Splunk Alerts

The built-in Splunk Alerts trigger initiates a flow when it receives a signal from Splunk, either from the xMatters Actionable Alerts app or from a generic Splunk webhook.

After you add the trigger to a flow canvas, copy the trigger URL then head over to Splunk and configure the xMatters Actionable Alerts app or a generic webhook to use the URL.

To use the xMatters Actionable Alerts app, you need to have it installed in your Splunk instance — you can find our instructions here.

Add the Splunk Alerts trigger to the canvas

  1. Go to the Triggers panel in the palette, expand the App Triggers section and drag the trigger onto the canvas.
  2. Double-click the trigger (or click the pencil icon).
  3. Set the authenticating user, and then copy the URL — you'll use this to set up the app or webhook in Splunk. Alternatively, you can create an integration user to use as the authenticating user.

    The Settings tab of the Splunk Alerts step. The Initiation section on the right contains the configuration URL.

  4. Click the Flood Control tab to edit the trigger's default flood control settings. For more information about these settings, see Trigger Flood Control.
  5. Click Done.
  6. On the flow canvas, connect the steps you want to run when xMatters receives a request to that URL.

You're now ready to configure Splunk to target the trigger.

Configure Splunk to send requests to the trigger URL

To have Splunk send alerts to the flow trigger, you need to either configure the xMatters Actionable Alerts app to use the trigger URL or enter the trigger URL when you create generic Splunk webhooks.

Should I use the app or a generic webhook?

That depends on what your workflow is and what's most important to you.

The app lets you select the priority and pre-define recipients for each alert action you configure to use the app. However, the app only supports one URL, so every Splunk alert that uses the app points to the same trigger.

You can have as many generic webhooks as you want, each pointing to a different trigger. However, you can't set the priority on the Splunk side. Instead, you can add a switch or custom step to your flow canvas before any Create Event step that looks at an output of the trigger and sets the priority or recipients based on that value (for example, a switch step looks at the Result Host output and triggers different Create Event steps with different recipients depending on the host).
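The host-based routing just described, written out as an added example in plain JavaScript; it is not code from xMatters or Splunk and does not use the Flow Designer custom-step API. It models what a switch step (or a custom step) would decide from the trigger's Result Host output before a Create Event step: pick a priority and a recipient list for the alert. The payload field names (`search_name`, `result.host`) follow the shape of Splunk's generic webhook alert action as I understand it, and the sample payload, routing table and group names are constructed for this example.

```javascript
// Added example; not code from xMatters or Splunk. It models the decision a
// switch or custom step makes on the Result Host output of the Splunk Alerts
// trigger before a Create Event step: map the host to a priority and a
// recipient list. Payload field names (search_name, result.host) follow the
// shape of Splunk's generic webhook alert action as I understand it; the
// routing table and sample payload are constructed for this example.

// Constructed sample body of a generic Splunk webhook alert. Splunk puts the
// first result row of the search under "result".
const SAMPLE_SPLUNK_WEBHOOK = {
  search_name: "Failed logins above threshold",
  sid: "example-search-id",
  results_link: "https://splunk.example.internal/app/search/example",
  result: {
    host: "db-prod-01",
    source: "/var/log/auth.log",
    count: "42",
  },
};

// Routing table standing in for the switch step's branches: the first entry
// whose prefix matches the host wins. Group names are placeholders.
const HOST_ROUTES = [
  { prefix: "db-prod-", priority: "HIGH", recipients: ["Database On-Call"] },
  { prefix: "web-prod-", priority: "HIGH", recipients: ["Web On-Call"] },
  { prefix: "dev-", priority: "LOW", recipients: ["Dev Team"] },
];

// Fallback when the host is missing or matches no branch, so the alert still
// reaches someone instead of being dropped silently.
const DEFAULT_ROUTE = { priority: "MEDIUM", recipients: ["SOC Triage"] };

// Pull the host out of the first result row; returns "" when it is absent.
function extractResultHost(payload) {
  const result = payload && payload.result;
  if (!result || typeof result.host !== "string") {
    return "";
  }
  return result.host.trim();
}

// Decide priority and recipients for one webhook alert. The returned object is
// what the following Create Event step would consume.
function routeAlert(payload) {
  const host = extractResultHost(payload);
  const matched = HOST_ROUTES.find((route) => host.startsWith(route.prefix));
  const route = matched || DEFAULT_ROUTE;
  return {
    host,
    unknownHost: !matched,
    priority: route.priority,
    recipients: [...route.recipients],
    searchName: (payload && payload.search_name) || "(unnamed search)",
  };
}

// Stand-alone demo: route the sample payload and a payload with no host field.
console.log(routeAlert(SAMPLE_SPLUNK_WEBHOOK));
console.log(routeAlert({ search_name: "No results field" }));
```

The `unknownHost` flag is there so a downstream step can tell a deliberate default from a payload that simply lacked the field; with several generic webhooks pointing at different triggers, that distinction is what tells you a Splunk search was changed and stopped emitting `host`.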