====== Receiving Alerts in Splunk ======

{{::1.png?400 |}}

1. First of all, note the hostname of your Splunk Cloud instance; it will be needed later when configuring Kaduu to send alerts to Splunk. Your hostname will be different from the one in the screenshot!

2. Go to "Settings" -> "Data Inputs"

----

{{::2.png?400 |}}

3. Add a new HTTP Event Collector by clicking the "Add New" link

----

{{::3.png?400 |}}

4. Enter any name for the collector and hit "Next"

----

{{::4.png?400 |}}

5. Set "Source Type" to "Automatic"

6. Select any index as the default; all Kaduu events will be stored there

7. Hit "Review"

----

{{::5.png?400 |}}

8. Check that all settings are valid on the Review page and hit "Next". Splunk will report "Token has been created successfully" and show you a token. Copy the token and save it somewhere safe; it will be used later when configuring Kaduu

----

{{::spl-7.png?400 |}}

9. Go to "Settings" -> "Source types"

----

{{::spl-8.png?400 |}}

10. Click the green "New Source Type" button on the right

----

{{::spl-9.png?400 |}}

11. Name the source type "Kaduu", make sure "Destination app" is "Search & Reporting", set "Indexed extractions" to "json", then click the "Advanced" tab

----

{{::spl-10.png?400 |}}

12. On the Advanced tab add 4 new entries (click the "New setting" link below the list each time):

  * ''BREAK_ONLY_BEFORE'', value: ''(\{|\[\s+{)''
  * ''LINE_BREAKER'', value: ''(\{|\[\s+{)''
  * ''MUST_BREAK_AFTER'', value: ''(\}|\}\s+\])''
  * ''TIME_PREFIX'', value: ''\"createdAt\":\"''

----

{{::spl-11.png?400 |}}

13. Then go back to the main menu, "Settings" -> "Data inputs" -> "HTTP Event Collector" (the one created in step 3) -> "Edit". You will see this form. Set "Set Source Type" to "Entered sourcetype" and enter "Kaduu" in the "Source type" dropdown. The other fields stay the same; hit "Save".

----

{{::spl-12.png?400 |}}

14. Configure your Kaduu account to send alerts over HTTP

15. Enter the webhook URL in this form: [[https://.splunkcloud.com:8088/services/collector/raw?token=|https://.splunkcloud.com:8088/services/collector/raw?token=]], where the hostname of your Splunk instance (step 1) goes before ''.splunkcloud.com'' and the token you copied in step 8 goes after ''token=''

----

{{::spl-13.png?400 |}}

16. Hit "Save" and wait for new alert events to arrive in your Splunk instance

17. Warning! If you are not using the Cloud edition of Splunk (that is, the URL does not contain splunkcloud.com), make sure you enable Query String authentication in your Splunk settings, since this webhook URL passes the token as a query string.
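To check the collector before pointing Kaduu at it, the following added example (not part of this page or of Kaduu) builds the webhook URL from steps 1 and 15, constructs a sample alert whose ''createdAt'' field matches the ''TIME_PREFIX'' from step 12, and POSTs it to the HEC raw endpoint. ''HOSTNAME'' and ''TOKEN'' are placeholders, and the alert fields are constructed sample data, not Kaduu's real schema; the token is also sent in the ''Authorization'' header, which HEC accepts on every edition and keeps the secret out of URL access logs.

```python
"""Send one constructed Kaduu-style alert to a Splunk HEC raw endpoint."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

HOSTNAME = "YOUR-INSTANCE.splunkcloud.com"  # placeholder, see step 1
TOKEN = "PASTE-HEC-TOKEN-HERE"               # placeholder, see step 8


def build_url(hostname: str, token: str) -> str:
    """Webhook URL in the form given in step 15 (token as a query string)."""
    query = urllib.parse.urlencode({"token": token})
    return f"https://{hostname}:8088/services/collector/raw?{query}"


def build_event(title: str, severity: str, when: datetime) -> bytes:
    """One JSON event (constructed sample fields). 'createdAt' must be present
    and serialised without spaces so the Kaduu source type's TIME_PREFIX
    ("createdAt":") from step 12 can locate the event timestamp."""
    payload = {
        "createdAt": when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "title": title,
        "severity": severity,
    }
    return json.dumps(payload, separators=(",", ":")).encode()


def send_event(url: str, token: str, body: bytes, timeout: float = 10.0) -> int:
    """POST the event and return the HTTP status. The Authorization header is
    the standard HEC credential; the token in the URL only works on Splunk
    Cloud or where query string authentication is enabled (step 17)."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Splunk {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    url = build_url(HOSTNAME, TOKEN)
    body = build_event("Test alert from HEC check", "low", datetime.now(timezone.utc))
    print("HEC responded with status", send_event(url, TOKEN, body))
```

A 200 response means the token and index are wired up; a 4xx from a non-Cloud instance usually means step 17 has not been done or the token is disabled.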