Splunk Alert Notification
This section explains how to receive ThousandEyes alert notifications in Splunk using custom webhooks.
Set Up Splunk
Log in to Splunk.
Create an HTTP Event Collector (HEC) token in your Splunk instance:
Identify the target endpoint based on your Splunk deployment:
Splunk Cloud Platform:
https://http-inputs-<host>.splunkcloud.com:443/services/collector/event
Splunk Enterprise:
https://<host>:8088/services/collector/event
Set Up ThousandEyes
In the ThousandEyes platform, go to Manage > Integrations and click + New Integration in the top right.
In the Add New Integration side panel that opens, select Custom Webhook.
Fill in the fields as follows:
Name: Enter a descriptive name for this integration.
URL: Use the target endpoint identified in the previous step.
Preset Configuration: Select Splunk.
Headers: Add the following key-value pairs:
Content-Type: application/json
Authorization: Splunk <HEC Token>
Click Test to verify the webhook:
If successful, you will see "Testing completed successfully!".
If the test fails:
Click Save to save the integration.
Reopen the integration and test it again.
Verify that the HEC target and token are correct.
If the test still fails, contact ThousandEyes support.
Click Save.
Apply the webhook to existing alert rules using the Manage Alert Rules panel.
Receive Alerts in Splunk
Log in to Splunk.
When an alert is triggered, search for the event using the following query:
index="*" eventType="THOUSANDEYES_ALERT_NOTIFICATION"

Sample Output:
{
  "eventId": "0-0",
  "eventType": "THOUSANDEYES_ALERT_NOTIFICATION",
  "id": "0",
  "type": "2",
  "accountId": "0",
  "orgId": "0",
  "testId": "0",
  "thousandeyes_test_id": "0",
  "test_description": "Sample Description",
  "test_type": "HTTP",
  "itsiDrilldownURI": "https://app.thousandeyes.com/view/cloud-and-enterprise-agents/?testId=0",
  "severity_id": "1",
  "vendor_severity": "INFO",
  "app": "THOUSANDEYES",
  "src": "Sample Target",
  "signature": "Sample Rule",
  "alert_type": "Http",
  "alert": {
    "id": "0",
    "type": "Http",
    "severity": "INFO",
    "test": {
      "name": "Sample Test"
    },
    "targets": [
      "Sample Target"
    ],
    "rule": {
      "id": "0",
      "name": "Sample Rule",
      "expression": "Response Time ≥ 111 ms",
      "notes": "Sample Notes"
    },
    "triggered": 1738322223247,
    "cleared": 1738322223247,
    "details": [
      {
        "metricsAtStart": "Response Time: 888 ms",
        "source": {
          "id": "0",
          "name": "Sample Agent 1"
        }
      },
      {
        "metricsAtStart": "null",
        "metricsAtEnd": "Response Time: 999 ms",
        "source": {
          "id": "0",
          "name": "Sample Agent 2"
        }
      }
    ]
  }
}
Integration with Splunk IT Service Intelligence
Some fields, such as itsiDrilldownURI and app, are required for the Splunk IT Service Intelligence (ITSI) application. Splunk ITSI will receive ThousandEyes alerts, analyze them, and aggregate them with other events.
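Added example (not ThousandEyes or Splunk code): a Python helper that takes one event returned by the search above, reports which of the two ITSI fields named here are missing, and flattens the alert for triage. The function names and the trimmed sample input are constructed for illustration; treating the literal string "null" as an empty reading is an assumption based on the sample output.

```python
import json
from datetime import datetime, timezone

ITSI_FIELDS = ("itsiDrilldownURI", "app")  # the two fields the page names as required for ITSI

def _utc(ms):
    """Epoch milliseconds -> ISO 8601 UTC string (integer math avoids float rounding)."""
    secs, millis = divmod(int(ms), 1000)
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=millis * 1000)
    return stamp.isoformat(timespec="milliseconds")

def _metric(value):
    """Assumption: the literal string "null" seen in the sample means no reading."""
    return None if value in (None, "", "null") else value

def summarize_alert(raw):
    """Validate one ThousandEyes alert event and flatten it for triage."""
    event = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    if event.get("eventType") != "THOUSANDEYES_ALERT_NOTIFICATION":
        raise ValueError("not a ThousandEyes alert notification")
    alert = event.get("alert") or {}
    rule = alert.get("rule") or {}
    return {
        "missing_itsi_fields": [f for f in ITSI_FIELDS if not event.get(f)],
        "rule": rule.get("name"),
        "expression": rule.get("expression"),
        "severity": alert.get("severity"),
        "targets": list(alert.get("targets") or []),
        "triggered_utc": _utc(alert["triggered"]) if "triggered" in alert else None,
        "cleared_utc": _utc(alert["cleared"]) if "cleared" in alert else None,
        "agents": [{"name": (d.get("source") or {}).get("name"),
                    "at_start": _metric(d.get("metricsAtStart")),
                    "at_end": _metric(d.get("metricsAtEnd"))}
                   for d in alert.get("details") or []],
    }

# Constructed input: trimmed from the page's sample output, with "app" left out on purpose.
SAMPLE = json.dumps({
    "eventType": "THOUSANDEYES_ALERT_NOTIFICATION",
    "itsiDrilldownURI": "https://app.thousandeyes.com/view/cloud-and-enterprise-agents/?testId=0",
    "alert": {
        "severity": "INFO", "targets": ["Sample Target"],
        "rule": {"name": "Sample Rule", "expression": "Response Time ≥ 111 ms"},
        "triggered": 1738322223247, "cleared": 1738322223247,
        "details": [
            {"metricsAtStart": "Response Time: 888 ms", "source": {"name": "Sample Agent 1"}},
            {"metricsAtStart": "null", "metricsAtEnd": "Response Time: 999 ms",
             "source": {"name": "Sample Agent 2"}},
        ]}})
```

Calling summarize_alert(SAMPLE) returns a dictionary whose missing_itsi_fields entry lists "app", which is the check to run before relying on ITSI aggregation.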
For more information on configuring webhooks, see Custom Webhooks.