Using "Webhook" Destination: Can we transform events to be used as HTTP requests?Background - we are trying to send alerts from the Cribl Internal (Logs) source. We use a pipeline to reduce these events down to only Cribl errors and any Cribl Internal Logs that we care about. However, we need a way to send this data in the correct format to something like Slack "Incoming Webhooks."2 Problems with Sending Events as HTTP Requests Using "Webhook" Destination:Slack has a specific format and keys for the JSON body data - https://api.slack.com/messaging/webhooks#advanced_message_formatting There are certain keys that may only appear in the JSON that Slack receives like "text".This is also problematic when we can't control if cribl_pipe is appended to the top-level fieldsThe JSON data must be individual events in JSON with "ContentType: application/json".This is problematic, it seems, because the events are batched using NDJSON, JSON array, or even with the custom option (image below) they are batched and you can only choose where to put the batched events.Alternatively...Maybe I'm going about this wrong, I have to make an external proxy instead to handle these requests, Cribl already has this functionality, or this is not the point of Cribl Internal logs and how to use them.(Below is image of General Setting for Webhook destination)

SetAdvanced Settings > Max events per requestto 1, so that each payload only contains a single eventSetFormattoCustom, setContent typetoapplication/json, and use aSource expressionlikeJSON.stringify(__httpOut)(or whatever field contains your pre-formatted object that Slack needsSending test events like this results in a receipt like this

Using "Webhook" Destination: Can we transform events to be used as HTTP requests?

Using "Webhook" Destination: Can we transform events to be used as HTTP requests?Background - we are trying to send alerts from the Cribl Internal (Logs) source. We use a pipeline to reduce these events down to only Cribl errors and any Cribl Internal Logs that we care about. However, we need a way to send this data in the correct format to something like Slack "Incoming Webhooks."2 Problems with Sending Events as HTTP Requests Using "Webhook" Destination:

Slack has a specific format and keys for the JSON body data - https://api.slack.com/messaging/webhooks#advanced_message_formatting
There are certain keys that may only appear in the JSON that Slack receives like "text".
This is also problematic when we can't control if cribl_pipe is appended to the top-level fields
The JSON data must be individual events in JSON with "ContentType: application/json".
This is problematic, it seems, because the events are batched using NDJSON, JSON array, or even with the custom option (image below) they are batched and you can only choose where to put the batched events.

Alternatively...
Maybe I'm going about this wrong, I have to make an external proxy instead to handle these requests, Cribl already has this functionality, or this is not the point of Cribl Internal logs and how to use them.(Below is image of General Setting for Webhook destination)

Page 1 / 1

Set Advanced Settings > Max events per request to 1, so that each payload only contains a single event
Set Format to Custom, set Content type to application/json, and use a Source expression like JSON.stringify(__httpOut) (or whatever field contains your pre-formatted object that Slack needs

Sending test events like this results in a receipt like this

I'll give that a go!

Wrote a Blog about sending notifications to Slack.Basically you just need the 'text' field. https://wreck-iot-ralph.blogspot.com/2023/09/cribl-send-slack-notifications.html

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded