Transform a Splunk webhook and send to Slack
var util = require("util");
var https = require("https");
var title_template = "Alert - <%s|%s>";
var body_template = "\`\`\`%s\`\`\`";
var request_options = {
hostname: 'hooks.slack.com',
path: '<slack_url>',
method: 'POST',
headers: {
'Content-Type': 'application/json',
}
};
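// Slack attachment text only supports up to 8000 bytes (per the original
// author); stay well under that. Measured in UTF-8 bytes rather than
// characters so multi-byte input cannot push the payload over the limit.
const MAX_RAW_BYTES = 7600;

/**
 * Lambda entry point: turns a Splunk alert webhook into a Slack message and
 * posts it to the configured incoming webhook.
 *
 * @param {object} event - Splunk webhook body; reads `results_link`,
 *   `search_name` and `result` (with `_raw`, `host` and `job` or `app`).
 * @param {object} context - Lambda context (unused).
 * @param {function} callback - Lambda callback: `callback(null, 'Success')`
 *   on a 2xx from Slack, `callback(Error)` on a malformed event, a transport
 *   error or a non-2xx response. Never invoked more than once.
 */
exports.handler = (event, context, callback) => {
  console.log('Received event:', JSON.stringify(event, null, 2));

  // Build the payload before opening the request so a malformed event fails
  // the invocation cleanly instead of leaving a half-open connection behind.
  let payload;
  try {
    payload = JSON.stringify(buildSlackMessage(event));
  } catch (err) {
    console.log('Error, with: ' + err.message);
    callback(new Error('Error, with: ' + err.message));
    return;
  }

  // The socket can still emit 'error' after the response was handled; make
  // sure the Lambda callback is only ever reported once.
  let finished = false;
  const finish = (err, result) => {
    if (finished) return;
    finished = true;
    callback(err, result);
  };

  // Send an explicit Content-Length so the body is not chunk-encoded.
  const options = Object.assign({}, request_options, {
    headers: Object.assign({}, request_options.headers, {
      'Content-Length': Buffer.byteLength(payload, 'utf8'),
    }),
  });

  const req = https.request(options, (res) => {
    // Drain the response so the socket is released. Only a 2xx counts as
    // success; Slack answers non-2xx for a bad payload or a revoked webhook.
    const chunks = [];
    res.on('data', (chunk) => chunks.push(chunk));
    res.on('end', () => {
      if (res.statusCode >= 200 && res.statusCode < 300) {
        finish(null, 'Success');
        return;
      }
      const detail = Buffer.concat(chunks).toString('utf8');
      const message = `Error, with: Slack responded ${res.statusCode} ${detail}`;
      console.log(message);
      finish(new Error(message));
    });
  });
  req.on('error', (err) => {
    console.log('Error, with: ' + err.message);
    finish(new Error('Error, with: ' + err.message, { cause: err }));
  });
  req.write(payload);
  req.end();
};

/**
 * Escape the three characters Slack treats as markup control characters, so
 * untrusted Splunk data cannot inject "<url|label>" links or "<!channel>"
 * style mentions into the message. Slack renders the entities back as the
 * literal characters.
 *
 * @param {*} value - Any value; coerced to string.
 * @returns {string} The escaped text.
 */
function escapeSlack(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

/**
 * Escape a field value for Slack, keeping null/undefined as-is so that an
 * absent Splunk field is still dropped from the JSON payload.
 *
 * @param {*} value
 * @returns {string|null|undefined}
 */
function escapeField(value) {
  return value == null ? value : escapeSlack(value);
}

/**
 * Cut `raw` down to at most MAX_RAW_BYTES of UTF-8 without splitting a code
 * point, appending "..." when anything was dropped.
 *
 * @param {string} raw
 * @returns {string}
 */
function truncateRaw(raw) {
  if (Buffer.byteLength(raw, 'utf8') <= MAX_RAW_BYTES) return raw;
  let kept = '';
  let bytes = 0;
  // for...of walks code points, not UTF-16 units, so surrogate pairs stay intact.
  for (const ch of raw) {
    const len = Buffer.byteLength(ch, 'utf8');
    if (bytes + len > MAX_RAW_BYTES) break;
    kept += ch;
    bytes += len;
  }
  return util.format('%s...', kept);
}

/**
 * Build the Slack message object from the Splunk webhook payload.
 *
 * @param {object} event - Splunk webhook body.
 * @returns {object} Slack incoming-webhook message (channel, username,
 *   icon_emoji, attachments).
 * @throws {Error} when `event.result` is missing or not an object.
 */
function buildSlackMessage(event) {
  const splunk_fields = event == null ? undefined : event.result;
  if (splunk_fields == null || typeof splunk_fields !== 'object') {
    throw new Error('event.result is missing');
  }

  const search_title = util.format(
    title_template,
    escapeSlack(event.results_link),
    escapeSlack(event.search_name)
  );

  // Escape first, then truncate, so the byte limit applies to what is sent.
  const rawText = splunk_fields._raw == null ? '' : String(splunk_fields._raw);
  const raw = truncateRaw(escapeSlack(rawText));
  const body = util.format(body_template, raw);

  return {
    "channel": "#splunk",
    "username": "Splunk",
    "icon_emoji": ":splunk:",
    "attachments": [
      {
        "title": search_title,
        "text": body,
        "color": "danger",
        "mrkdwn_in": ["text"],
        "fields": [
          {
            "title": splunk_fields.job ? "job" : "app",
            "value": escapeField(splunk_fields.job ? splunk_fields.job : splunk_fields.app),
            "short": true
          },
          {
            "title": "host",
            "value": escapeField(splunk_fields.host),
            "short": true
          }
        ]
      }
    ]
  };
}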