Using "Webhook" Destination: Can we transform events to be used as HTTP requests?

benjamin.rader

Using "Webhook" Destination: Can we transform events to be used as HTTP requests?Background - we are trying to send alerts from the Cribl Internal (Logs) source.  We use a pipeline to reduce these events down to only Cribl errors and any Cribl Internal Logs that we care about.  However, we need a way to send this data in the correct format to something like  Slack "Incoming Webhooks."2 Problems with Sending Events as HTTP Requests Using "Webhook" Destination:

1. Slack has a specific format and keys for the JSON body data -  https://api.slack.com/messaging/webhooks#advanced_message_formatting
2. There are certain keys that may only appear in the JSON that Slack receives like "text".
3. This is also problematic when we can't control if cribl_pipe is appended to the top-level fields
4. The JSON data must be individual events in JSON with "ContentType: application/json".
5. This is problematic, it seems, because the events are batched using NDJSON, JSON array, or even with the custom option (image below) they are batched and you can only choose where to put the batched events.

Alternatively...
Maybe I'm going about this wrong, I have to make an external proxy instead to handle these requests, Cribl already has this functionality, or this is not the point of Cribl Internal logs and how to use them.(Below is image of General Setting for Webhook destination)

Anson VanDoren

1. Set Advanced Settings > Max events per request to 1, so that each payload only contains a single event
2. Set Format to Custom, set Content type to application/json, and use a Source expression like JSON.stringify(__httpOut) (or whatever field contains your pre-formatted object that Slack needs

Sending test events like this results in a receipt like this

Anson VanDoren

1. Set Advanced Settings > Max events per request to 1, so that each payload only contains a single event
2. Set Format to Custom, set Content type to application/json, and use a Source expression like JSON.stringify(__httpOut) (or whatever field contains your pre-formatted object that Slack needs

Sending test events like this results in a receipt like this

benjamin.rader

I'll give that a go!

just

Wrote a Blog about sending notifications to Slack.Basically you just need the 'text' field. https://wreck-iot-ralph.blogspot.com/2023/09/cribl-send-slack-notifications.html