How to integrate Splunk (Cloud/Enterprise) with Slack

A step-by-step guide to setting up Splunk alerts in your Slack workspace

Splunk can raise an alert whenever indexed events match a saved search and a trigger condition, which makes it a convenient place to watch for performance, security, and even usability problems in applications. In this tutorial, we’ll learn how to integrate Splunk with Slack to get notified quickly when those rare but consequential events occur.

What you’ll need

  • Access to a Slack workspace where you can add apps
  • Admin-level access to a Splunk instance running in the cloud or locally (installing an app requires it)

Installing a new Slack App

The first step in setting up this integration is to create a new Slack app. As complicated as this might sound, it’s actually as simple as clicking a few buttons and links.

  • Visit api.slack.com/apps, sign in if you’re not signed in already, and click Create New App.

  • Select From scratch from the modal that appears.

  • Give the app a name and choose the Slack workspace you want to link the app with. To keep things simple, we recommend calling it Splunk.

  • On the next page, under the Add features and functionality section, click the Incoming Webhooks tile.

  • On the Incoming Webhooks page, turn on the Activate Incoming Webhooks toggle.

  • A new section will appear. Click Add New Webhook to Workspace towards the bottom of the section.

  • You’ll be asked to choose the channel the webhook should post to and to give your new app access to your workspace. Click Allow.

  • Copy the newly generated webhook URL and store it somewhere safe (a password manager or secrets store, not a chat message or a ticket). We’ll use it in a later step.

With these steps, you’ve created an HTTPS endpoint on hooks.slack.com that any client on the internet can POST a message to. There is no other authentication: the long, random URL is the only credential, so whoever holds it can post arbitrary messages into the channel it is bound to. Treat it like a password, keep it out of source control and screenshots, and if it ever leaks, remove the webhook from the app’s Incoming Webhooks page and create a new one.

Install the Slack Notifications Alert Integration

  • Go to https://splunkbase.splunk.com/ and login if you’re not already logged in.

  • Search for “Slack Notification Alert” in the search bar at the top and click the first result.

  • On the next page, click the Download button. Accept the license agreement on the prompt that appears. This will download an archive we’ll use to install the integration.

  • Open the web interface of your Splunk Cloud/Enterprise instance. A local Splunk Enterprise instance works too. (Depending on how your Splunk Cloud stack is configured, uploading apps from a file may not be allowed; in that case install the same app through Browse more apps on the Apps page instead.)

  • Click the gear icon next to Apps on the sidebar menu.

  • On the Apps page that opens, click Install app from file at the top of the page.

  • Choose the archive file you downloaded earlier and click Upload. This will install the integration to your Splunk instance. Click the Set up now button.

  • On the Setup page, add the Slack webhook URL you copied earlier and click Save.

Add an Alert to Your Splunk Instance

To put this integration to work, let’s add an alert to our Splunk instance. We’ll link this alert to our Slack workspace so that we’re notified in Slack when it is triggered. If you have data already loaded in Splunk, you can create an alert based on your own data. This tutorial will create an alert based on log data from a sample file you can download here.

  • To create an alert, go to the homepage of your Splunk web interface and click Search and Reporting on the sidebar menu.

  • Search for a log pattern you want to base this alert on. In the image below, we search for the phrase “failed password for invalid user”, the message sshd writes to the auth log when someone tries to log in as an account that doesn’t exist. Splunk matches literal search terms case-insensitively, so the lower-case phrase finds the “Failed password for invalid user” lines as written by sshd.

  • At the top-left of the search page, click Save As, and select Alert from the menu.

  • This will open a settings modal for the alert where you can give the alert a title and specify the conditions that’ll trigger it. The following image shows our values. They mean: trigger the alert when the number of results containing the text pattern “failed password for invalid user” is greater than 3 within a 2-minute window. A condition expressed “in N minutes” like this is a real-time alert, which keeps a search running continuously; if that cost matters, a scheduled alert over a fixed time range does the same job more cheaply. Tune both numbers to your environment: a single noisy scanner can trip a low threshold on an internet-facing host, while a high one can hide a slow brute-force attempt.

  • Click the Add Actions button at the bottom of the form and select Slack.

  • A few new form fields will appear where you can customize the Slack message and the channel that receives it. Add your message and channel and click Save. Note that a webhook created through a Slack app, as we did above, posts to the channel chosen when the webhook was added; the channel field only changes the destination for legacy custom-integration webhooks, so if your message lands in the webhook’s default channel rather than the one you typed, that is why.

That’s it. You’ve now set up a Splunk alert. Based on our example, if the host sending logs to our Splunk instance records more than three “failed password for invalid user” events within two minutes, we should receive a message in Slack notifying us of the attempt.
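
To see what the pieces above do end to end, here is an added example that is not part of the original post and is not code from Splunk or the Splunkbase app. It replays the tutorial’s trigger condition (more than three “failed password for invalid user” events in two minutes) over a few constructed sshd log lines, then builds the JSON body an incoming webhook expects and posts it only if a SLACK_WEBHOOK_URL environment variable is set. The log lines, the variable name and the function names are assumptions made for this example. It also puts into practice the point made after the Slack setup: the webhook URL is the credential, so it is read from the environment and redacted before it is printed.

```python
"""Added example: replay the tutorial's alert condition locally and build the
payload the Slack incoming webhook receives. Constructed sample data only."""
import json
import os
import re
from collections import deque
from datetime import datetime, timedelta
from urllib import request

# Constructed sshd auth.log sample (hostnames and addresses are made up).
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
Mar 10 09:00:14 web01 sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 40100 ssh2
Mar 10 09:00:20 web01 sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 40101 ssh2
Mar 10 09:00:37 web01 sshd[1212]: Failed password for invalid user oracle from 203.0.113.7 port 40102 ssh2
Mar 10 09:01:02 web01 sshd[1213]: Failed password for invalid user ubuntu from 203.0.113.7 port 40103 ssh2
Mar 10 09:07:45 web01 sshd[1240]: Failed password for invalid user pi from 198.51.100.9 port 52000 ssh2
"""

# The tutorial's Splunk search is just the phrase "failed password for invalid
# user" with the trigger "Number of Results is greater than 3 in 2 minutes";
# the regex below extracts the same events from raw syslog lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for invalid user (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Return matching events as dicts sorted by time. Syslog timestamps carry
    no year, so they are parsed relative to each other (strptime fills 1900)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and other noise are not alert events
        events.append({
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "src": m["src"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_bursts(events, window=timedelta(minutes=2), threshold=3):
    """Fire when more than `threshold` events fall inside a sliding `window`.
    The window is reset after firing, so one burst yields one alert (the same
    effect as throttling the alert in Splunk)."""
    recent = deque()
    alerts = []
    for ev in events:
        recent.append(ev)
        while ev["time"] - recent[0]["time"] > window:
            recent.popleft()  # drop events that aged out of the window
        if len(recent) > threshold:
            alerts.append({
                "triggered_at": ev["time"].strftime("%b %d %H:%M:%S"),
                "count": len(recent),
                "sources": sorted({e["src"] for e in recent}),
                "users": sorted({e["user"] for e in recent}),
            })
            recent.clear()
    return alerts


def build_slack_payload(alert):
    """An incoming webhook takes a JSON object with a "text" field. A webhook
    created through a Slack app posts to the channel picked at creation time."""
    text = (
        f":rotating_light: {alert['count']} failed logins for invalid users "
        f"within 2 minutes (last at {alert['triggered_at']})\n"
        f"sources: {', '.join(alert['sources'])}\n"
        f"users tried: {', '.join(alert['users'])}"
    )
    return {"text": text}


def redact_webhook(url):
    """The URL is the credential: mask its secret last path segment before logging."""
    head, _, token = url.rpartition("/")
    return f"{head}/{'*' * len(token)}" if token else url


def post_to_slack(payload, webhook_url):
    """POST the payload the way the Splunk alert action does; returns HTTP status."""
    body = json.dumps(payload).encode()
    req = request.Request(webhook_url, data=body,
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    for alert in find_bursts(parse_events(SAMPLE_LOG)):
        payload = build_slack_payload(alert)
        print(json.dumps(payload, indent=2))
        url = os.environ.get("SLACK_WEBHOOK_URL")  # assumed variable; never hard-code the URL
        if url:
            print("posted to", redact_webhook(url), "->", post_to_slack(payload, url))
```

Run without the environment variable to see the payload only; with SLACK_WEBHOOK_URL exported, the same body is delivered to the channel the webhook was bound to, which is a quick way to confirm the webhook works before you wire it into the Splunk app. Against the sample above, the four failures from 203.0.113.7 within 48 seconds produce exactly one alert, and the lone attempt from 198.51.100.9 six minutes later does not, which is the behaviour the threshold in the tutorial is meant to give.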
