You can use a webhook to automatically send Cmd alerts to Splunk HTTP Event Collectors (HECs). You can customize the webhook to select which CQL properties to send.

Prerequisite:

 

Splunk setup

Follow Splunk's guide to set up an HEC, and as you do:

 
Cmd setup

In the Cmd web app:

  1. Open the drop-down menu in the top-right.
  2. Select Project & app settings.
  3. On the left-hand menu, under 'Project settings', select Integrations preferences.
  4. Select Webhook.
  5. Click Add integration in the top-right corner.
  6. In the pop-up, name your integration (e.g., "Splunk 1").
  7. Under "Webhook URL", enter  https://jthaim7ka5.execute-api.us-west-2.amazonaws.com/api/forwarder  .
  8. Under "Custom JSON to send", enter the following:
{
  "splunk_endpoint_url": "[URL]"
  "splunk_http_key": "[KEY]"
}
  • Replace  [URL]   with the correct HEC URI for your Splunk implementation. Use the  /services/collector/raw  endpoint.
  • Replace  [KEY]   with your HEC's 'token value'.  

You can now test the integration by copying the curl command and executing it in your terminal. Once executed, you will receive an example alert in Splunk.

Now, you can add Splunk alerts to any of your triggers.

  

Related resources

Did this answer your question?