rumnredbull / ta-send_to_hec Goto Github PK
View Code? Open in Web Editor NEWThis project forked from georgestarcher/ta-send_to_hec
Splunk Modular Alert to send search results to a Splunk HTTP Event Collector
License: MIT License
ta-send_to_hec's Introduction
## Custom Alert Action Search Results to HTTP Event Collector Author: George Starcher (starcher) Email: [email protected] ## Overview This is a Splunk Modular Alert used to send the search results to Splunk HTTP Event Collector. It has been built using the Add-on Builder for Splunk to improve compatibility with things like Splunk Enterprise Security Adaptive Response. This is meant to send a modest number of events from one Splunk instance to another using HEC. Although the code is threaded it is not meant for high volume or real time sending of data. **All materials in this project are provided under the MIT software license. See license.txt for details.** ## Dependencies * Splunk 6.3+ * Supported on Windows, Linux, MacOS, Solaris, FreeBSD, HP-UX, AIX * A Splunk receiving instance with HTTP Event Collector configured. * The HTTP Event Collector token ## Setup * Install to your $SPLUNK_HOME/etc/apps directory * Restart Splunk ## Using Perform a search in Splunk and then navigate to : Save As -> Alert -> Trigger Actions -> Add Actions -> Send to HEC On this dialogue you can enter the Splunk server and HTTP Event Collector token. The fields _time, index, source, sourcetype and _raw are pulled from the search results and used in constructing the HEC payload. If you wish to override these fields for a different value at the destination you should set them in the alert gui settings. _time still comes from the event time. The alert defaults to taking the JSON of the search results to form the payload sent to HEC. All _ hidden fields are removed. If you want _raw then just eval it to another field like orig_raw. You now have the option to select RAW as the HEC methodwhen configuring the alert. This ignores all fields except _raw which it sends to the HEC receiver. With RAW the HEC receiver determines the parsing, and index time fields. Keep in mind that credentials stored in a Modular Alert are NOT encrypted. And users with permissions to the saved alert can view them. The Add-on builder obscures the stored API key but it is still unencrypted in the conf file. ## Logging Browse to : Settings -> Alert Actions -> Send to HEC -> View Log Events Or you can search directly in Splunk : index=_internal sourcetype=splunkd component=sendmodalert action="sendtohec"
ta-send_to_hec's People
Contributors
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.