This article describes how to quickly check and monitor Splunk log on Lark.
Splunk Connector is the official app provided by Lark Technology, helping you seamlessly check and monitor the log information in Splunk on Lark, as well as quickly solve problems in product development. Entering "search XX" or "search saved XX" in the chat box of Lark, you can quickly find related log information. Meanwhile, after the webhook obtained from Splunk Connector is configured into splunk, you will receive a notification on Lark when a new alert occur.
Note: Splunk Connector can be used only when Administrator has got the app for the enterprise in the App Directory, and has enabled it in Lark Admin.
1. Configure Splunk Connector
- •Enter Lark, search for Splunk Connector in the search bar at the upper left corner, click Configure in the chat box with Splunk Connector, and the app configuration sidebar will be open.
- •After obtaining and filling in Splunk Token, Host, Port and Splunk Url, click Save to complete the configuration.
2. Splunk Token Obtain Splunk Token
- •Log in to the Splunk website, open Settings at the homepage, and click Tokens in the Add Data tab.
- •Click New Token to open a popup to create a token.
- •Fill in the details of token, and please notice: Audience and User must be consistent; Expiration and Not Before are not required and can be ignored.
- •Click Create, and you can find the content of Splunk Token in the Token box.
3. Obtain Port
- •Open Settings at the homepage of Splunk website, and click Server settings in the Add Data tab.
- •Enter Server settings and click General settings.
- •In the page of General settings, you can find the port in the Management port box.
4. Obtain Splunk URL
- •The first part of the Splunk address is the Splunk URL, i.e. http://129: 211.92.66: 8000
5. Obtain Host
- •The IP domain name part of the Splunk URL is the Host, i.e. : 22.214.171.124
You can configure the webhook in Lark to Splunk. When an alert message occurs in Splunk, you will receive a reminder in Lark.
1. Obtain Webhook
- •Enter Lark, enter get_webhook in the chat box with Splunk Connector, and you can get the webhook address.
2. Restart Splunk
- •Click Settings at the homepage of Splunk website, and click Server controls in the Add Data tab.
- •Enter Server controls page, and click Restart Splunk.
3. Configure Webhook
- •Click Settings at the homepage of Splunk website, and click Searches, reports, and alerts in the Add Data tab.
- •Enter Searches, Reports, and Alerts page, and click New Alert to open a popup.
- •In the popup of Create Alert, fill in Title, Description and Search, while the content in Search here is the statement that executes the search command. Select Webhook Alert Action (alert_webhook) in App, and refines the configuration of executing search and Trigger Condition.
- •Click + Add Actions and select Webhook.
- •Paste the Splunk Webhook obtained from Lark in URL, and click Save.
- •When new alerts occur in Splunk, you can receive real-time notifications on Lark.
1. Check log via private chat
- •Open a chat with Splunk Connector and enter "search XX" (i.e. search source = "info.log" | timechart count) to quickly find the log in Lark.
- •Enter "search saved XX"(i.e. search saved Messages by minute last 3 hours) to search the saved commands in Lark.
2. Check log via group chat
- •Open the group chat, click Settings, and click add Bot in the BOTs tab to add Spluck Connector into the group chat.
- •Insert @ Splunk Connector, and enter"search XX"(i.e. @Splunk assistant search source = "info.log" | timechart count) to quickly find the log in Lark
- •Insert @ Splunk Connector, and enter “search saved XX” (i.e. search saved Messages by minute last 3 hours) to search the saved commands in Lark.
Q: How to check the saved searches?
A: Enter the homepage of Splunk website and click Search & Reporting page.
Click Reports to find the current saved searched.