
Using "Webhook" Destination: Can we transform events to be used as HTTP requests?

benjamin.rader
benjamin.rader Posts: 5
edited October 2023 in General Discussions

Background - we are trying to send alerts from the Cribl Internal (Logs) source. We use a pipeline to reduce these events down to only Cribl errors and any Cribl Internal Logs that we care about. However, we need a way to send this data in the correct format to something like Slack "Incoming Webhooks."

2 Problems with Sending Events as HTTP Requests Using "Webhook" Destination:

  1. Slack has a specific format and keys for the JSON body data - https://api.slack.com/messaging/webhooks#advanced_message_formatting
     • There are certain keys that may only appear in the JSON that Slack receives like "text".
     • This is also problematic when we can't control if cribl_pipe is appended to the top-level fields.
  2. The JSON data must be individual events in JSON with "ContentType: application/json".
     • This is problematic, it seems, because the events are batched using NDJSON, JSON array, or even with the custom option (image below) they are batched and you can only choose where to put the batched events.

Alternatively...
Maybe I'm going about this wrong, I have to make an external proxy instead to handle these requests, Cribl already has this functionality, or this is not the point of Cribl Internal logs and how to use them.

(Below is image of General Setting for Webhook destination)


Best Answer

  • Anson VanDoren
    Anson VanDoren Posts: 17 ✭✭
    Answer ✓
    1. Set Advanced Settings > Max events per request to 1, so that each payload only contains a single event
    2. Set Format to Custom, set Content type to application/json, and use a Source expression like JSON.stringify(__httpOut) (or whatever field contains your pre-formatted object that Slack needs)

    Sending test events like this results in a receipt like this
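
The two settings from the answer above, modelled in plain JavaScript as an added example (not part of the original answer and not Cribl's own code): each event gets a pre-formatted `__httpOut` object, and only that object is serialized, one body per request. The event fields `level`, `channel` and `message`, the 3000-character cap and the sample events are assumptions; the example also escapes `&`, `<` and `>`, which Slack requires and which keeps log text such as `<!channel>` from being rendered as a mention.

```javascript
// Added example: models "Max events per request = 1" plus the Source
// expression JSON.stringify(__httpOut). Field names and events are constructed.

// Slack expects &, <, > as HTML entities; escaping also neutralizes
// mention/link syntax that may arrive inside logged strings.
function escapeSlack(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Pipeline step: attach the pre-formatted object Slack needs.
// Truncate before escaping so an entity is never cut in half.
function toSlackEvent(event, maxLen = 3000) {
  const line = `[${event.level}] ${event.channel}: ${event.message}`;
  return { ...event, __httpOut: { text: escapeSlack(line.slice(0, maxLen)) } };
}

// Destination side: one request body per event, containing only __httpOut,
// so extra top-level fields such as cribl_pipe never reach Slack.
function requestBodies(events) {
  return events.map((e) => JSON.stringify(toSlackEvent(e).__httpOut));
}

// For contrast: a JSON-array batch of the raw events, which Slack rejects.
function batchedBody(events) {
  return JSON.stringify(events);
}

// Constructed sample events.
const sampleEvents = [
  { level: 'error', channel: 'output:slack', message: 'connection refused',
    cribl_pipe: 'internal_alerts' },
  { level: 'warn', channel: 'input:http', message: 'bad header <!channel> & more',
    cribl_pipe: 'internal_alerts' },
];

for (const body of requestBodies(sampleEvents)) {
  console.log('POST body:', body);
}
console.log('Batched (not accepted by Slack):', batchedBody(sampleEvents));
```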

Answers