Hi Guys !!
Today we will discuss an interesting topic in this blog: how to send Splunk alerts directly to a Telegram group chat.
So, let’s start.
First, let's see what we need to do on the Telegram side.
We will create a Telegram bot by messaging BotFather.
Search for BotFather in Telegram (or open the botfather link in a browser) to reach the page from which you can message BotFather.
If you don't have Telegram Desktop, click “Don't have Telegram yet?” on that page and install it. Clicking “SEND MESSAGE” opens a pop-up from which we launched the Telegram Desktop app.
Once the BotFather chat box opens, click the “START” option.
We will message /newbot to BotFather in Telegram to create a new bot.
Now, as per the message we got from BotFather, we will choose a name for our new bot.
Here, we have given the bot the name testbot [you can choose any name for the bot].
Now, as per the message from BotFather, we will choose a username for our bot.
Here, we have chosen the username testbotnewuser_bot [you can choose any username, but it must end in “bot”].
BotFather now replies with a token to access the HTTP API. Note it down, because we will use it to achieve our requirement. This token gives full control of the bot to anyone who holds it, so treat it like a password: do not share it or paste it into screenshots, and if it ever leaks, issue a new one with BotFather's /revoke command.
Now, we will create a Telegram group containing “testbot” and all the contacts who should receive the Splunk alert.
So, here we have created a group named “Splunk Alert Notification”, where for now we have added only “testbot”; you can definitely add the required contacts. Keep in mind that everyone in this group will see the alert content, so add only the people who should.
Here, the two members are testbot and the admin of this group.
Now, you have to send at least one message to the “Splunk Alert Notification” group, so that the bot receives an update from which we can read the chat id, which is also required to achieve our requirement.
We have sent “Hi” [you can send any message].
Now, to get this chat id, open the bot's getUpdates link in a browser,
[in place of “XXXX:YYYYY”, put the HTTP API token of “testbot”, as we did].
In the JSON response, as shown in the image below, we can see the chat id is “-538117559” (group chat ids are negative; a positive id would be a private chat with the bot).
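As an added example (this is not code from the original post, nor from the Telegram Alert Action app), here is a small Python script that builds the standard Bot API getUpdates URL for a token, extracts group chat ids from the response, and masks the token before the URL is logged or printed. The masking matters because the token sits in the URL path, so a pasted URL or a browser history entry leaks it. The response JSON is a constructed sample of what getUpdates returns after “Hi” was posted in the group; the token string is a placeholder, not a real one.

```python
"""Find the Telegram chat id of the group our bot was added to.

Added example for this post; assumes the standard Bot API getUpdates method.
SAMPLE_UPDATES below is a constructed response, not captured data.
"""
import json
import re
import urllib.request
from typing import Dict

TELEGRAM_API = "https://api.telegram.org"

# Placeholder token (shape: <bot id>:<secret>); never commit a real one.
EXAMPLE_TOKEN = "123456789:AAExampleTokenValue_not_a_real_one"


def updates_url(token: str) -> str:
    """Build the getUpdates URL. The token is part of the path, so the URL
    itself is a secret: keep it out of chat, tickets and screenshots."""
    return f"{TELEGRAM_API}/bot{token}/getUpdates"


def mask_token(text: str) -> str:
    """Redact anything shaped like a bot token (digits:secret) before logging."""
    return re.sub(r"\d{6,}:[A-Za-z0-9_-]{20,}", "<redacted-token>", text)


def fetch_updates(token: str) -> dict:
    """Live call against the Bot API (not used by the offline demo below)."""
    with urllib.request.urlopen(updates_url(token), timeout=10) as resp:
        return json.load(resp)


def group_chats(updates: dict) -> Dict[int, str]:
    """Map chat id -> title for every group/supergroup seen in the updates.

    Group ids are negative; a positive id is a private chat with the bot.
    Looks at message, edited_message and my_chat_member updates, so the id
    is found even if the only event is the bot being added to the group.
    """
    if not updates.get("ok"):
        raise ValueError(f"getUpdates failed: {updates.get('description')}")
    chats: Dict[int, str] = {}
    for update in updates.get("result", []):
        for key in ("message", "edited_message", "my_chat_member"):
            chat = update.get(key, {}).get("chat")
            if chat and chat.get("type") in ("group", "supergroup"):
                chats[chat["id"]] = chat.get("title", "")
    return chats


# Constructed sample: the bot joined the group, then "Hi" was posted.
SAMPLE_UPDATES = json.loads("""
{"ok": true, "result": [
  {"update_id": 700000001,
   "my_chat_member": {
     "chat": {"id": -538117559, "title": "Splunk Alert Notification", "type": "group"},
     "from": {"id": 10001, "is_bot": false, "first_name": "Admin"},
     "date": 1615550000,
     "old_chat_member": {"status": "left"},
     "new_chat_member": {"status": "member"}}},
  {"update_id": 700000002,
   "message": {
     "message_id": 3,
     "from": {"id": 10001, "is_bot": false, "first_name": "Admin"},
     "chat": {"id": -538117559, "title": "Splunk Alert Notification", "type": "group"},
     "date": 1615550060, "text": "Hi"}}
]}
""")

if __name__ == "__main__":
    # Safe to print: the token is masked.
    print(mask_token(updates_url(EXAMPLE_TOKEN)))
    for chat_id, title in group_chats(SAMPLE_UPDATES).items():
        print(chat_id, title)
```

To run it against a real bot, replace `SAMPLE_UPDATES` with `fetch_updates(token)`; the script itself never prints the raw token.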
Now, download and install the “Telegram Alert Action” app from Splunkbase. We have downloaded it.
Now, we will create an alert with the below query,
index=_internal sourcetype=splunkd_ui_access | stats count(eval(status=404)) as status_404_count
In this query, we have used the “_internal” index and the “splunkd_ui_access” sourcetype (Splunk Web's access log). Then we have used the “stats” and “eval” commands to count the events whose “status” field is “404”, naming the result status_404_count. Keep this alias a single token without spaces, because the trigger condition and the alert message will refer to it by name.
Now, click on the “Save As” and click on “Alert”.
Here, in Title we have given “Splunk Alert in Telegram” [you can give any relevant title for the alert].
We changed the Permission to App sharing [you can set the permission according to your needs].
We set the Cron schedule to run the alert every 5 minutes [you can set the cron according to your needs].
Now, in the Trigger Condition we have given the custom condition “search status_404_count > 0” [you can set the condition according to your needs].
Now, in Add Actions, select “Add to Triggered Alerts” and click Save.
After saving the alert, check whether it has triggered. Once it has, click the edit button to edit the alert and, under Add Actions, select “Telegram Alert Action” as shown in the image below.
Now, we will configure the “Telegram Alert Action”.
In the Event Title, we have given $name$, which expands to the alert name.
Now, in the Message section, we have given: The count of 404 Status code is “$result.status_404_count$”. A $result.<field>$ token is filled from the first result row of the search, which is why the field alias in the query must match exactly.
We kept the Severity at medium.
The Bot ID is nothing but the HTTP API token we got from BotFather while creating “testbot”.
So, we have given 1621562903:AAFB3G5al_MqvZmNDd9dzZCv9LKnwkKMrCg (a token posted publicly like this must be revoked with BotFather afterwards; never share yours).
The Chat ID is the id we got from getUpdates. So, we have given -538117559.
Now, click on “Save” to save the changes.
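To make the whole alert chain concrete, here is an added Python example (not Splunk code and not part of the original post) that re-creates what the alert does over a few constructed log lines: it computes the same count as `stats count(eval(status=404)) as status_404_count`, applies the trigger condition `status_404_count > 0`, and expands the `$name$` and `$result.status_404_count$` tokens used in the Telegram action's title and message. The sample events are constructed to resemble splunkd_ui_access (web_access.log) lines; the exact field layout of a real deployment may differ.

```python
"""Offline re-creation of the alert's search, trigger and message rendering.

Added example for this post; not Splunk code. SAMPLE_EVENTS are constructed
lines approximating the splunkd_ui_access format.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events: two 404s among four Splunk Web requests.
SAMPLE_EVENTS = [
    '10.0.0.5 - admin [10/Mar/2021:14:22:01.101 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 18342 "-" "Mozilla/5.0" - 12ms',
    '10.0.0.5 - admin [10/Mar/2021:14:22:07.410 +0000] "GET /en-US/app/search/missing_view HTTP/1.1" 404 1473 "-" "Mozilla/5.0" - 3ms',
    '10.0.0.9 - - [10/Mar/2021:14:23:15.002 +0000] "GET /en-US/account/login HTTP/1.1" 303 0 "-" "curl/7.68.0" - 2ms',
    '10.0.0.9 - - [10/Mar/2021:14:23:16.877 +0000] "GET /en-US/static/nothere.js HTTP/1.1" 404 1473 "-" "curl/7.68.0" - 1ms',
]

# The HTTP status is the 3-digit field right after the quoted request line.
STATUS_RE = re.compile(r'" (\d{3}) ')


def extract_status(event: str) -> Optional[int]:
    """Return the status field of one access-log event, or None if absent."""
    m = STATUS_RE.search(event)
    return int(m.group(1)) if m else None


def stats_count_404(events: List[str]) -> Dict[str, int]:
    """Equivalent of `| stats count(eval(status=404)) as status_404_count`."""
    count = sum(1 for e in events if extract_status(e) == 404)
    return {"status_404_count": count}


def trigger_fires(result: Dict[str, int]) -> bool:
    """The custom trigger condition `search status_404_count > 0`."""
    return result["status_404_count"] > 0


def expand_tokens(template: str, alert_name: str, result: Dict[str, int]) -> str:
    """Expand $name$ and $result.<field>$ the way a Splunk alert action does.

    Unknown tokens are left untouched so a typo in the template is visible
    in the delivered message instead of silently disappearing.
    """
    def repl(m):
        tok = m.group(1)
        if tok == "name":
            return alert_name
        if tok.startswith("result."):
            return str(result.get(tok[len("result."):], ""))
        return m.group(0)
    return re.sub(r"\$([A-Za-z0-9_.]+)\$", repl, template)


def build_alert(events: List[str],
                alert_name: str = "Splunk Alert in Telegram") -> Optional[Dict[str, str]]:
    """Run the search, test the trigger, render the Telegram title and message.

    Returns None when the condition does not fire (no 404s in the window).
    """
    result = stats_count_404(events)
    if not trigger_fires(result):
        return None
    return {
        "title": expand_tokens("$name$", alert_name, result),
        "message": expand_tokens(
            'The count of 404 Status code is "$result.status_404_count$"',
            alert_name, result),
    }


if __name__ == "__main__":
    print(build_alert(SAMPLE_EVENTS))
```

Running it prints the title and message exactly as the Telegram action would render them for these four events; feeding it only the 200/303 lines returns None, which is the case where the alert stays silent.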
Now, as you can see, the triggered alert message arrives in the “Splunk Alert Notification” group in Telegram.
Hope you have enjoyed this blog; we will come back with new Splunk topics. Until then, goodbye and stay safe and strong.
Happy Splunking !!