Modular Alerts
With the release of Splunk 6.3 comes an exciting new feature called Modular Alerts.
Historically, the alerting actions in Splunk have been limited to Email and RSS, and if you wanted to perform some custom alerting functionality you could execute a Custom Script.
Whilst many Splunk Ninjas over the years have accomplished all sorts of amazing Kung Fu by wrangling with custom alerting scripts, they are ultimately not the best approach for users and developers:
- manual setup
- no configuration interface
- need file system access
- loosely coupled to Splunk
- no common development or packaging standard
So what if you want more alerting actions that you can plug in and present as first-class alerting actions in your Splunk instance?
Well, this is what Modular Alerts allow you to do. They are a new framework in Splunk 6.3 for developers to build, package and publish alert action extensions for native integration into Splunk.
SMS as an alerting channel
So I decided to learn by doing and dive in and build a Modular Alert. And what better channel to consider for alerting than SMS. It is relatively instant, it is ubiquitous, it is simple, it is concise. A lot of mission-critical proactive information can be contained in those 160 characters that might just save your skin.
There are many possible ways to go about implementing sending SMS messages, but I wanted to leverage a proven SMS platform with a simple and intuitive developer interface that would allow for creating one SMS Modular Alert that could be seamlessly utilized by all Splunk users.
Twilio
Twilio have a cloud communications platform that provides services for many different channels such as voice, messaging and video.
You can read more about their messaging functionality here.
Furthermore, their excellent Developer API makes it very simple to write a Modular Alert that interfaces with their SMS sending REST endpoint in a manner that is secure, scalable and resilient.
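The following is an added example, not the code of the Twilio SMS Modular Alert itself: an alert script that reads the JSON payload Splunk passes on stdin and builds the authenticated POST to Twilio's Messages endpoint. The configuration key names (account_sid, auth_token, from_number, to_number, message) and the sample payload are assumptions made for illustration.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

API = "https://api.twilio.com/2010-04-01/Accounts/{sid}/Messages.json"
SMS_LIMIT = 160  # single-message length mentioned above
# Constructed sample of the stdin payload; every value here is a placeholder.
SAMPLE_PAYLOAD = json.dumps({"configuration": {
    "account_sid": "ACxxxxxxxx", "auth_token": "constructed-token",
    "from_number": "+15550100001", "to_number": "+15550100002",
    "message": "Failed logins above threshold on web01. " * 6}})

def build_sms_request(payload_json):
    """Turn the alert payload into a urllib Request for Twilio (nothing is sent)."""
    cfg = json.loads(payload_json).get("configuration", {})
    # Assumed parameter names; a real app defines its own.
    required = ("account_sid", "auth_token", "from_number", "to_number", "message")
    missing = [k for k in required if not cfg.get(k)]
    if missing:
        # Name the absent keys only; never echo values, auth_token is a secret.
        raise ValueError("missing alert parameters: " + ", ".join(missing))
    body = urllib.parse.urlencode({
        "From": cfg["from_number"],
        "To": cfg["to_number"],
        "Body": cfg["message"][:SMS_LIMIT],
    }).encode("utf-8")
    url = API.format(sid=urllib.parse.quote(cfg["account_sid"], safe=""))
    cred = "{}:{}".format(cfg["account_sid"], cfg["auth_token"]).encode("utf-8")
    basic = base64.b64encode(cred).decode("ascii")  # HTTP Basic: SID as user, token as password
    return urllib.request.Request(url, data=body, method="POST",
                                  headers={"Authorization": "Basic " + basic})

def main(argv, stdin):
    # Splunk runs a modular alert script with --execute and the payload on stdin.
    if len(argv) < 2 or argv[1] != "--execute":
        return 1
    try:
        req = build_sms_request(stdin.read())
        with urllib.request.urlopen(req, timeout=10) as resp:  # HTTPS, cert verified by default
            return 0 if 200 <= resp.status < 300 else 2
    except Exception as exc:
        sys.stderr.write("ERROR sms alert failed: %s\n" % type(exc).__name__)  # class only
        return 2

if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

The error path writes only the exception class, so neither the Auth Token nor the request headers end up in the alert's log output.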
Twilio SMS Alerting Modular Alert
You can download the freely available Twilio SMS Modular Alert from Splunkbase.
Simply untar the release to your SPLUNK_HOME/etc/apps directory and restart Splunk.
Set Up a Twilio Account
In order to use the Twilio SMS Alert Action, you will first need to sign up for an account at Twilio.
Once your Twilio account is set up, you will be able to obtain your Auth Token and Account SID from your Twilio profile. Your Splunk admin will need both to configure the Modular Alert.
Configure Global Settings
Once you have restarted Splunk you can then navigate to Settings -> Alert Actions to configure the Twilio SMS Alert Actions global settings.
Click on “Setup Twilio SMS Alerting” and enter your credentials from your Twilio account. From this view you can also access any logging for the Modular Alert that you could use to debug any runtime errors you may encounter.
Save these admin-level settings. The users of this Splunk instance will now have a Twilio SMS Alert Action available to them.
Create an SMS alert
It is very simple to create an SMS alert. Execute a Splunk search in the Search & Reporting App and then click on Save As -> Alert. If you then click on “+Add Actions” you will see an option presented for Twilio SMS Alerts. Select this and the fields for entering the SMS details will appear.
Enter the relevant parameters for your SMS alert and save it. That’s all there is to it. Your SMS Alert is now wired up and waiting to be triggered. Now go get your phone!
More Information
If you are a developer who is interested in creating your own Modular Alerts and sharing them on Splunkbase, then here are some useful resources to get you going.
And of course you can look at the code inside of the Twilio SMS Modular Alert as a good reference to follow also.
Happy Alerting!!