This Splunk app lets you add an alert action that sends alerts to a Mattermost instance.
Based on the Slack Splunk custom alert action example and the Splunk documentation.
Requirements:
- Splunk version 9.0 or greater
App installation requires admin privileges.
- Navigate to "Manage apps" and click "Install app from file"
- Upload the app bundle after creating it
Alternatively, copy the contents of this project to `$SPLUNK_HOME/etc/apps/mattermost_alerts`.
Or, lazy mode, `git clone https://github.com/leonjza/splunk-mattermost-alert.git` in `$SPLUNK_HOME/etc/apps`.
In Mattermost, create a new incoming webhook to be used with this app. Do that by:
- Browsing to the Integrations section from the top left of a logged-in Mattermost Admin account.
- Incoming Webhooks -> Add Incoming Webhook
- Complete the fields and take note of the generated URL. This is the value you need to use for `webhook_url`.
To investigate problems with the Mattermost alert action, check the logs of the alert action:
- Navigate to "Settings" -> "Alert actions"
- Click on "View log events" for the Mattermost alert action
You can also increase the verbosity of the logs generated by the alert action by adjusting the log level of the `sendmodalert` channel:
- Navigate to "Settings" -> "Server settings" -> "Server logging"
- Search for the log channel "sendmodalert"
- Select logging level "DEBUG"
NOTE: This causes detailed logs to be produced for all alert actions and may affect system performance. It is not recommended on a production system.
You can manually trigger the Mattermost alert action to verify the configuration and/or preview different parameter combinations.
For example:
```
index="_internal" | head 1 | sendalert mattermost param.webhook_url=https://<your webhook url> param.fields=index
```
Enter a similar SPL query into the search bar of the Splunk search interface to manually send a message.
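As an added illustration (not this app's code), the following script shows how a custom alert action turns the JSON that Splunk writes to its stdin under `--execute` into a Mattermost incoming-webhook body, honouring the `webhook_url` and `fields` parameters from the `sendalert` example above. It assumes the standard Splunk alert-action JSON layout (`search_name`, `configuration`, `result`); the field-selection semantics and the https-only check are this example's own choices, and the sample input is constructed.

```python
import json
import sys
from urllib.parse import urlparse


def select_fields(result, fields):
    """Keep only the result fields named in the comma-separated `fields`
    parameter; an empty value keeps every non-internal (non-underscore) field."""
    if not fields:
        return {k: v for k, v in result.items() if not k.startswith("_")}
    wanted = [f.strip() for f in fields.split(",") if f.strip()]
    return {k: result[k] for k in wanted if k in result}


def build_payload(search_name, result, fields=""):
    """Build the Mattermost webhook JSON body ("text" with markdown) from one
    Splunk alert result, rendering the chosen fields as a table."""
    lines = [f"**Splunk alert:** {search_name}", "", "| Field | Value |", "|---|---|"]
    for name, value in select_fields(result, fields).items():
        safe = str(value).replace("|", "\\|")  # a value must not break the table
        lines.append(f"| {name} | {safe} |")
    return {"text": "\n".join(lines)}


def validate_webhook_url(url):
    """Accept only https URLs with a host: the webhook path is a secret and the
    alert contents should not travel in the clear."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def payload_from_splunk_stdin(raw):
    """Parse Splunk's --execute JSON and return (webhook_url, body)."""
    data = json.loads(raw)
    cfg = data.get("configuration", {})  # param.* values, keyed without the prefix
    url = cfg.get("webhook_url", "")
    if not validate_webhook_url(url):
        raise ValueError("webhook_url must be an https URL")
    return url, build_payload(data.get("search_name", ""), data.get("result", {}), cfg.get("fields", ""))


# Constructed sample of the JSON Splunk passes on stdin (not a real capture).
SAMPLE_STDIN = json.dumps({
    "search_name": "Failed logins spike",
    "configuration": {"webhook_url": "https://mattermost.example.com/hooks/PLACEHOLDER", "fields": "index,host"},
    "result": {"index": "_internal", "host": "splunk01", "_time": "1700000000", "count": "42"},
})

if __name__ == "__main__":
    raw = sys.stdin.read() if "--execute" in sys.argv else SAMPLE_STDIN
    target, body = payload_from_splunk_stdin(raw)
    print(target)
    print(json.dumps(body, indent=2))
```

Posting `body` to `target` with an HTTP client is the remaining step; keep the webhook URL out of any log line, since it is the only credential the integration has.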