Overview:

This Tines project was sparked by curiosity about what may be possible with the Tines automation platform. I gave myself one minute to automate a Splunk Linux server alert using Tines, then added 4 minutes to that (for a total of 5 minutes) to see if it was even possible to set up a relevant alert notification that fast. I don’t know about you, but 5 minutes is not a lot of time to automate a Splunk alert, let alone one minute, especially when you also have to write the Splunk SPL query first and then deal with formatting the Splunk data into a readable alert. I’ve got no idea how much I’m going to get done in 1 minute, so let’s find out, shall we?

Some concepts you will need to be familiar with to follow along with this challenge project:

  • JSON formatting as well as interacting with JSON content
  • Splunk & Splunk SPL
  • Splunk Alert settings
  • Webhooks
    • Discord Webhook management
  • Minor string content formatting (optional, for readability)

Guide / Transcript:

[Intro]

Welcome back to Tines with Tyler. Okay, so I decided to give myself one minute to see how much information I can get from Splunk into my Discord as an alert. Alright, let’s see in three, two, one.


[Main]

I decided to go with the sudo command. I thought it was going to be the easiest one, and I was pretty sure that one minute was not going to be enough time to do anything advanced.

Setting the alert, I need to get the webhook URL from Tines.

I drag the webhook on, copy the URL, paste the URL, and save.

Next, I need to set a throttle to send this to Discord. I bring in the HTTP action, copy the webhook URL, and since I’m short on time, I’ll use one I already have set up. I paste that in.

Now, I need to reset the payload to format it for Discord using the content field. Since I don’t have enough time, I’ll just set the value as the raw body.

Now, I’m logged into my Linux server and will run the ls command with the sudo modifier. This should trigger the sudo alert.

Okay, so I was actually able to get Splunk alerts into Discord within a minute, but the output isn’t very useful. Let’s see how much better I can format this in an additional four minutes, for a total of five minutes to get this alert into Discord.

I do want to point out that, in this next part, I severely dropped the ball, which is why I decided to speed up the clip by 4x. The reason I messed up is that I should have just used the event viewer in Tines and copied the path from the values I wanted. Since this next part only lasts about a minute, I won’t add any commentary—just sit back and enjoy. Let’s go in three, two, one.

(4x speed footage)

Okay, that seems to be about all I can do, so let’s see how much better that was.
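As an added example that is not code from the video or from Tines, here is the reformatting step from the transcript in Python: the one-minute "raw body" version beside the five-minute version that pulls out the host, user, command and the trigger timestamp that did not get finished. The top-level field names of the Splunk webhook payload (sid, search_name, result, results_link) are the ones Splunk's webhook alert action sends; the sample values, hostname and URLs are constructed, and the helper names are mine. It also enforces Discord's 2000-character content limit, which a raw body carrying a long `_raw` field can exceed.

```python
import json
from datetime import datetime, timezone
from urllib import request

# Discord rejects messages whose "content" exceeds this many characters.
DISCORD_CONTENT_LIMIT = 2000

# Constructed sample of the JSON that Splunk's webhook alert action POSTs to
# the Tines webhook. The top-level field names (sid, search_name, result,
# results_link) follow Splunk's webhook payload; every value is invented.
SPLUNK_ALERT = {
    "sid": "scheduler__admin__search__EXAMPLE_0001",
    "search_name": "Linux sudo command executed",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example.internal/app/search/@go?sid=EXAMPLE_0001",
    "result": {
        "_time": "2024-05-01T12:34:56.000+00:00",
        "host": "linux-web-01",
        "user": "tyler",
        "COMMAND": "/usr/bin/ls",
        "_raw": "May  1 12:34:56 linux-web-01 sudo: tyler : TTY=pts/0 ; "
                "PWD=/home/tyler ; USER=root ; COMMAND=/usr/bin/ls",
    },
}


def parse_time(value):
    """Turn Splunk's _time (ISO 8601 or epoch seconds) into a readable UTC string."""
    if value is None:
        return "unknown"
    try:
        dt = datetime.fromtimestamp(float(value), tz=timezone.utc)
    except (TypeError, ValueError):
        try:
            dt = datetime.fromisoformat(str(value))
        except ValueError:
            return str(value)  # leave anything unrecognised as-is
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def truncate(text, limit=DISCORD_CONTENT_LIMIT):
    """Keep the message under Discord's content limit instead of getting a 400 back."""
    if len(text) <= limit:
        return text
    return text[: limit - 3] + "..."


def raw_body_message(alert):
    """The one-minute version from the video: the whole alert dumped into content."""
    return {"content": truncate(json.dumps(alert))}


def formatted_message(alert):
    """The five-minute version: pick out the fields a responder actually needs."""
    r = alert.get("result", {})
    lines = [
        f"**Splunk alert:** {alert.get('search_name', 'unknown')}",
        f"**Host:** {r.get('host', '?')}",
        f"**User:** {r.get('user', '?')}",
        f"**Command:** `{r.get('COMMAND', '?')}`",
        f"**Triggered:** {parse_time(r.get('_time'))}",
        f"**Results:** {alert.get('results_link', 'n/a')}",
    ]
    return {"content": truncate("\n".join(lines))}


def send_to_discord(webhook_url, payload):
    """POST the payload the same way the Tines HTTP Request action does."""
    req = request.Request(
        webhook_url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(raw_body_message(SPLUNK_ALERT)["content"][:120] + "...")
    print(formatted_message(SPLUNK_ALERT)["content"])
    # send_to_discord("https://discord.com/api/webhooks/<id>/<token>", formatted_message(SPLUNK_ALERT))
```

The `formatted_message` keys (`result.host`, `result.user`, `result.COMMAND`, `result._time`) are exactly the paths you would copy out of the Tines event viewer and drop into the HTTP Request action's `content` value; the difference between the two functions is the whole "extra four minutes" of the video.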


[End]

It looks like I was able to get a lot more relevant information, but I also made some typos and couldn’t finish adding the timestamp at which Splunk triggered the alert. Overall, I definitely think you can get an alert from Splunk into a Discord notification within five minutes, but it’s definitely not ideal. If you’re interested in creating more projects or want to learn how to automate more cool things in Tines, be sure to like, subscribe and check out other posts.

About The Author

Tyler

Tyler is a professional Tines automation specialist with a knack for problem-solving and troubleshooting. He has leveraged the Tines platform in non-traditional ways to streamline workplace tasks and also create unique interactive tools.
