This Splunk Technical Add-on adds an Alert Action, which you can use to forward Splunk Alerts to an HTTP Event Collector (HEC).
Setting up this TA is pretty simple. Here are the required steps:

1. Install the TA on the Splunk instance(s) that should forward Splunk Alerts
2. Restart Splunkd
3. Open the Alert Forwarder for Splunk App
4. Add a new HTTP Event Collector
5. Fill in the values of the destination HEC
6. Optionally, configure proxy and/or logging settings
7. Open the Splunk Alert you want to forward and add the `Forward to Splunk HEC` Alert Action
8. Verify that the Splunk Alert has been forwarded successfully (after the next run)
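Before adding the Alert Action, it is worth checking that the destination HEC you entered in step 5 actually accepts events with the token you configured, because a wrong token or endpoint only shows up as a failed forward after the next alert run. The following is an added example, not code from this TA: it runs a small mock HEC on localhost that answers like Splunk's `/services/collector/event` endpoint (success, missing token, invalid token, malformed body) and a client that posts one constructed alert result to it the way a forwarder would. The token value, the sample alert row and the `splunk:alert` sourcetype are constructed for the example; the `alerts` index is the one this repository's development setup pre-configures.

```python
"""Offline check of the HEC exchange an alert forwarder relies on.

Added example, not part of the Alert Forwarder TA. The mock server
reproduces the HTTP status and JSON reply Splunk's HEC returns for the
cases that matter when the destination HEC is misconfigured.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed token for the mock HEC. A real destination uses the token
# generated in Splunk under Settings > Data inputs > HTTP Event Collector.
MOCK_HEC_TOKEN = "00000000-0000-0000-0000-000000000000"


class MockHECHandler(BaseHTTPRequestHandler):
    """Mimics the status codes and JSON replies of a Splunk HEC."""

    received = []  # events the mock accepted, for inspection in checks

    def _reply(self, status, code, text):
        body = json.dumps({"text": text, "code": code}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path != "/services/collector/event":
            return self._reply(404, 404, "Not Found")
        auth = self.headers.get("Authorization")
        if not auth or not auth.startswith("Splunk "):
            return self._reply(401, 2, "Token is required")
        if auth.split(" ", 1)[1] != MOCK_HEC_TOKEN:
            return self._reply(403, 4, "Invalid token")
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            payload = json.loads(raw)
        except ValueError:
            return self._reply(400, 6, "Invalid data format")
        if "event" not in payload:
            return self._reply(400, 5, "No data")
        self.received.append(payload)
        self._reply(200, 0, "Success")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_hec():
    """Bind the mock HEC to a free localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockHECHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def send_alert_event(hec_url, token, alert_result, index="alerts",
                     sourcetype="splunk:alert"):
    """POST one alert result to a HEC; returns (http_status, json_reply).

    token=None omits the Authorization header entirely, which is how a
    blank token field in the configuration page shows up on the wire.
    """
    payload = {"event": alert_result, "index": index, "sourcetype": sourcetype}
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["Authorization"] = "Splunk " + token
    req = urllib.request.Request(hec_url + "/services/collector/event",
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # HEC reports configuration errors as 4xx with a JSON body
        return err.code, json.loads(err.read())


def check_destination(hec_url, token):
    """Run the checks a practitioner wants before enabling the Alert Action."""
    # Constructed alert result, shaped like one saved-search result row.
    sample = {"search_name": "Failed logins > 10",
              "host": "splslave001", "count": 17}
    return {
        "ok": send_alert_event(hec_url, token, sample),
        "bad_token": send_alert_event(hec_url, "not-the-token", sample),
        "no_token": send_alert_event(hec_url, None, sample),
    }


if __name__ == "__main__":
    server, url = start_mock_hec()
    for name, result in check_destination(url, MOCK_HEC_TOKEN).items():
        print(name, result)
    server.shutdown()
```

Point `check_destination` at a real HEC base URL (`https://host:8088`) with the real token to exercise the destination; the `bad_token` and `no_token` results show what a misconfigured forwarder looks like from the HEC side, which is what you will see mirrored in the TA's log entries.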
The TA writes logs into `_internal`. You can use the following search for troubleshooting:

```
index=_internal sourcetype="taalertforwarder:log"
```

Optionally, raise the Log Level on the App Configuration page.
This project uses Docker Compose to spin up a full development environment with two Splunk instances.

- `splunk.lic`
- `splunkbase.credentials` in the root of this repository, with working Splunkbase credentials in it (hint: BugMeNot):

```
SPLUNKBASE_USERNAME=<username>
SPLUNKBASE_PASSWORD=<password>
```

```
docker compose up [-d]
```

That's it. Splunk Alerts are generated automatically, so you can begin development without bothering with app setup and custom configurations!
This Splunk instance retrieves test alerts from `splslave001` and stores them in a pre-configured index called `alerts`.
The HTTP Event Collector (HEC) is automatically enabled by Splunk Ansible.
This Splunk instance generates test alerts and sends them to `splmaster001`.
The app configuration and Saved Searches are already set up, so you just have to spin up the instance via Docker Compose.
This project is actually hosted in GitLab and synced to GitHub, but you can of course still contribute to it on GitHub!