This Splunk Technical Add-on adds an Alert Action, which you can use to forward Splunk Alerts to an HTTP Event Collector (HEC).
The setup of this TA is pretty simple. Here are the required steps:

- Install the TA on your Splunk instance(s), which should forward Splunk Alerts
- Restart Splunkd
- Open the Alert Forwarder for Splunk App
- Add a new HTTP Event Collector
- Fill in the values of the destination HEC
- Optionally, configure proxy and/or logging settings
- Open the Splunk Alert you want to forward and add the `Forward to Splunk HEC` Alert Action
- Verify that the Splunk Alert has been forwarded successfully (after the next run)
The TA writes logs into `_internal`. You can use the following search for troubleshooting:

```
index=_internal sourcetype="taalertforwarder:log"
```

Optionally, raise the Log Level on the App Configuration page.
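To make concrete what the `Forward to Splunk HEC` alert action has to do for one alert, here is an added example; it is not the add-on's own code. Splunk passes an alert action a JSON payload on stdin (keys such as `search_name`, `sid`, `result` and `session_key`); the example wraps the useful parts of that payload in the envelope the HEC `/services/collector/event` endpoint expects and sends it with the token in the `Authorization: Splunk <token>` header. The function names (`build_hec_event`, `build_hec_request`, `send_to_hec`), the proxy and TLS options, and all sample values in `SAMPLE_ALERT_PAYLOAD` are assumptions made for this example, not the TA's configuration.

```python
"""Added example (not the add-on's own code): forwarding one Splunk alert to a
HEC. The alert-action payload keys follow Splunk's alert-action stdin payload;
the values are constructed for this example."""
import json
import ssl
import urllib.request

# Constructed sample of the JSON payload Splunk passes to an alert action.
# Note the session_key: it is a credential for the sending instance and must
# not leave the host, so build_hec_event() deliberately does not copy it.
SAMPLE_ALERT_PAYLOAD = {
    "search_name": "Failed logins above threshold",
    "sid": "scheduler__admin__search__EXAMPLE_at_1700000000_1",
    "app": "search",
    "owner": "admin",
    "session_key": "constructed-session-key-do-not-forward",
    "results_link": "https://splslave001:8000/app/search/@go?sid=EXAMPLE",
    "result": {"_time": "1700000000", "user": "svc-backup", "count": "57"},
}


def build_hec_event(alert_payload: dict, source: str = "splunk_alert") -> dict:
    """Wrap an alert-action payload in a HEC event envelope.

    Only the fields a receiving analyst needs are copied; the session key
    Splunk also passes to alert actions is left out on purpose.
    """
    result = alert_payload.get("result", {})
    event = {
        "search_name": alert_payload.get("search_name"),
        "sid": alert_payload.get("sid"),
        "app": alert_payload.get("app"),
        "owner": alert_payload.get("owner"),
        "results_link": alert_payload.get("results_link"),
        "result": result,
    }
    envelope = {"event": event, "source": source, "sourcetype": "splunk:alert"}
    # Keep the original event time when the result carries one, so the
    # destination index does not re-stamp the alert at receive time.
    if "_time" in result:
        envelope["time"] = float(result["_time"])
    return envelope


def build_hec_request(hec_url: str, token: str, envelope: dict) -> urllib.request.Request:
    """Build the POST to the HEC event endpoint. The token travels in the
    Authorization header, never in the URL or the event body."""
    body = json.dumps(envelope).encode("utf-8")
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=body,
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


def send_to_hec(hec_url, token, envelope, verify_tls=True, proxy=None, timeout=10):
    """Send one envelope and return the parsed HEC reply.

    TLS verification stays on by default: a HEC token is a bearer secret, and
    turning verification off lets any on-path host read it.
    """
    handlers = []
    if proxy:  # e.g. "http://proxy.example:3128" (assumed proxy setting)
        handlers.append(urllib.request.ProxyHandler({"https": proxy, "http": proxy}))
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    handlers.append(urllib.request.HTTPSHandler(context=ctx))
    opener = urllib.request.build_opener(*handlers)
    with opener.open(build_hec_request(hec_url, token, envelope), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    env = build_hec_event(SAMPLE_ALERT_PAYLOAD)
    print(json.dumps(env, indent=2))
    # Uncomment with a real destination and token to actually forward:
    # print(send_to_hec("https://splmaster001:8088", "<hec-token>", env))
```

The HEC reply for a successful post is `{"text":"Success","code":0}`; any other code from the collector is worth surfacing in the TA's `_internal` log rather than swallowing, since a silently failing forward is the failure mode the troubleshooting search above is meant to catch.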
This project uses Docker Compose to spin up a full development environment with two Splunk instances.
- Put your Splunk developer license in the root of this repository in a file called `splunk.lic`
- Create a file with the name `splunkbase.credentials` in the root of this repository and add working Splunkbase credentials in it (hint: BugMeNot):

  ```
  SPLUNKBASE_USERNAME=<username>
  SPLUNKBASE_PASSWORD=<password>
  ```

- Start the Docker instances:

  ```
  docker compose up [-d]
  ```
That's it. Splunk Alerts are generated automatically, so you can begin development right away and don't have to bother with app setup and custom configurations!
The `splmaster001` instance retrieves test alerts from `splslave001` and stores them in a pre-configured index called `alerts`. The HTTP Event Collector (HEC) is automatically enabled by Splunk Ansible.

The `splslave001` instance generates test alerts and sends them to `splmaster001`. The app configuration and Saved Searches are already set, so you just have to spin up the instance via Docker Compose.
This project is actually hosted on GitLab and synced to GitHub, but you can still contribute to it on GitHub, of course!