Splunk REST API - How to add a webhook action?
I want to create an alert and add a webhook action to it. Looking at the Splunk documentation, though, it does not seem to say how to do this.
This is my current request:
curl -s -k -u admin:password https://splunk.rf:8089/servicesNS/admin/search/saved/searches > /dev/null \
-d name=bruteforcetest \
--data-urlencode output_mode='json' \
--data-urlencode alert.digest_mode='0' \
--data-urlencode alert.expires='24h' \
--data-urlencode alert.managedBy='' \
--data-urlencode alert.severity='3' \
--data-urlencode alert.suppress='1' \
--data-urlencode alert.suppress.fields='source_ip' \
--data-urlencode alert.suppress.period='2m' \
--data-urlencode alert_comparator='greater than' \
--data-urlencode alert_condition='' \
--data-urlencode alert_threshold='20' \
--data-urlencode alert_type='number of events' \
--data-urlencode alert.track='1' \
--data-urlencode cron_schedule='* * * * *' \
--data-urlencode description='' \
--data-urlencode disabled='0' \
--data-urlencode displayview='' \
--data-urlencode is_scheduled='1' \
--data-urlencode is_visible='1' \
--data-urlencode max_concurrent='1' \
--data-urlencode realtime_schedule='1' \
--data-urlencode restart_on_searchpeer_add='1' \
--data-urlencode run_n_times='0' \
--data-urlencode run_on_startup='0' \
--data-urlencode schedule_priority='default' \
--data-urlencode schedule_window='0' \
--data-urlencode dispatch.earliest_time='rt-2m' \
--data-urlencode dispatch.latest_time='rt-0m' \
--data-urlencode display.events.fields='["host","source","sourcetype", "source_ip"]' \
--data-urlencode search='"error: invalid login credentials for user"'
How do I modify this request to add a webhook action? The webhook query should be http://firewall.mycompany/ban.
Creating a webhook action requires specifying two parameters:
actions='webhook'
action.webhook.param.url='http://firewall.mycompany/ban'
Here is your request, modified to include the webhook action:
curl -s -k -u admin:password https://splunk.rf:8089/servicesNS/admin/search/saved/searches > /dev/null \
-d name=bruteforcetest \
--data-urlencode actions='webhook' \
--data-urlencode action.webhook.param.url='http://firewall.mycompany/ban' \
--data-urlencode output_mode='json' \
--data-urlencode alert.digest_mode='0' \
--data-urlencode alert.expires='24h' \
--data-urlencode alert.managedBy='' \
--data-urlencode alert.severity='3' \
--data-urlencode alert.suppress='1' \
--data-urlencode alert.suppress.fields='source_ip' \
--data-urlencode alert.suppress.period='2m' \
--data-urlencode alert_comparator='greater than' \
--data-urlencode alert_condition='' \
--data-urlencode alert_threshold='20' \
--data-urlencode alert_type='number of events' \
--data-urlencode alert.track='1' \
--data-urlencode cron_schedule='* * * * *' \
--data-urlencode description='' \
--data-urlencode disabled='0' \
--data-urlencode displayview='' \
--data-urlencode is_scheduled='1' \
--data-urlencode is_visible='1' \
--data-urlencode max_concurrent='1' \
--data-urlencode realtime_schedule='1' \
--data-urlencode restart_on_searchpeer_add='1' \
--data-urlencode run_n_times='0' \
--data-urlencode run_on_startup='0' \
--data-urlencode schedule_priority='default' \
--data-urlencode schedule_window='0' \
--data-urlencode dispatch.earliest_time='rt-2m' \
--data-urlencode dispatch.latest_time='rt-0m' \
--data-urlencode display.events.fields='["host","source","sourcetype", "source_ip"]' \
--data-urlencode search='"error: invalid login credentials for user"'
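The same saved-search request built and checked from Python, as an added example that is not part of the original answer. It reuses the parameters from the answer above, validates the webhook URL before sending, and parses the JSON the saved/searches endpoint returns so a script can confirm the action really was stored; the response body is constructed here, not captured from a real instance.

```python
import json
from urllib.parse import urlencode, urlsplit


def build_webhook_alert(name, search, webhook_url, threshold=20):
    """Form fields for a scheduled alert with a webhook action.

    The two fields that wire up the webhook are 'actions' and
    'action.webhook.param.url'; the rest mirror the answer above.
    """
    parts = urlsplit(webhook_url)
    # Refuse anything that is not an absolute http(s) URL: Splunk stores the
    # value as given, and a bad URL only shows up when the alert fires.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("webhook_url must be an absolute http(s) URL")
    return {
        "name": name,
        "output_mode": "json",
        "search": search,
        "actions": "webhook",
        "action.webhook.param.url": webhook_url,
        "alert_type": "number of events",
        "alert_comparator": "greater than",
        "alert_threshold": str(threshold),
        "alert.track": "1",
        "alert.suppress": "1",
        "alert.suppress.fields": "source_ip",
        "alert.suppress.period": "2m",
        "is_scheduled": "1",
        "cron_schedule": "* * * * *",
        "realtime_schedule": "1",
        "dispatch.earliest_time": "rt-2m",
        "dispatch.latest_time": "rt-0m",
    }


def encode_form(fields):
    """URL-encode the fields the way curl --data-urlencode does (POST body)."""
    return urlencode(fields)


def webhook_url_from_response(body):
    """Webhook URL from a GET .../saved/searches/<name>?output_mode=json
    response, or None when no webhook action is enabled on the search."""
    content = json.loads(body)["entry"][0]["content"]
    # 'actions' is a comma-separated list when several actions are enabled.
    enabled = [a.strip() for a in content.get("actions", "").split(",")]
    if "webhook" not in enabled:
        return None
    return content.get("action.webhook.param.url")


# Constructed sample of the entry Splunk returns once the alert exists.
SAMPLE_RESPONSE = json.dumps({"entry": [{"name": "bruteforcetest", "content": {
    "actions": "webhook", "action.webhook.param.url": "http://firewall.mycompany/ban",
    "alert_threshold": "20", "is_scheduled": "1"}}]})
```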