Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
zulip/zerver/webhooks/splunk/fixtures/long_search_name.json

47 lines
1.7 KiB
JSON
Raw Normal View History

Add a Splunk webhook integration. Add a webhook to create messages from Splunk search alerts. The search alert JSON includes the first search result and a link to view the full results. The following fields are used: * search_name - the name of the saved search * results_link - URL of the full search results * host - the host the search result came from * source - the source file on that host * _raw - the raw text of the logged event. The Zulip message contains: * search name * host * source * raw The destination stream and message topic are configurable: the default stream is "splunk" and the default topic "Splunk Alert". If the topic is not provided in the URL, the search name is used instead (truncated if too long. If a needed field is missing, a default value is used instead. Example: "Missing source" It is possible to configure a Splunk search to not include some values, so I've provided defaults rather than return an error for missing data. In practice, these fields are unlikely to be deliberately suppressed. Note: alerts are only available for Splunk servers using a valid trial, developer, or paid license. I've added tests for the normal case of one search result, the topic from the search name, and for a search missing one of the fields used. Tested using Splunk Enterprise 6.5.1. Fixes #3477
2017-01-26 00:37:23 +01:00
{
"results_link": "http://example.com:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__sudo_at_1483557185_2.2%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now",
"app": "search",
"result": {
"timestartpos": "0",
"_serial": "2",
"splunk_server": "myserver",
"date_month": "january",
"USER": "",
"date_second": "32",
"source": "/var/log/auth.log",
"timeendpos": "15",
"_si": [
"myserver",
"main"
],
"punct": "___::_-_:_(:):_____",
"host": "myserver",
"TTY": "",
"_raw": "Jan 4 11:14:32 myserver sudo: pam_unix(sudo:session): session closed for user root",
"_sourcetype": "syslog",
"index": "main",
"date_minute": "14",
"date_year": "2017",
"_kv": "1",
"process": "sudo",
"PWD": "",
"pid": "",
"_time": "1483557272",
"uid": "",
"date_zone": "local",
"sourcetype": "syslog",
"_indextime": "1483557272",
"date_hour": "11",
"date_mday": "4",
"linecount": "",
"eventtype": "",
"COMMAND": "",
"_eventtype_color": "",
"date_wday": "wednesday",
"_confstr": "source::/var/log/auth.log|host::myserver|syslog"
},
"sid": "rt_scheduler__admin__search__sudo_at_1483557185_2.2",
"search_name": "this-search's-got-47-words-37-sentences-58-words-we-wanna-know-details-of-the-search-time-of-the-search-and-any-other-kind-of-thing-you-gotta-say-pertaining-to-and-about-the-search-I-want-to-know-authenticated-user's-name-and-any-other-kind-of-thing-you-gotta-say",
"owner": "admin"
}