TIPS & TRICKS TIPS & TRICKS

routr : App that Shares Splunk Alerts on Social Media

What is routr ?

routr is a simple if-this-then-that workflow app to share Splunk alerts on your Twitter or Tumblr. It is easy to install, configure and run. This app is bundled together with a sample Splunk saved search that searches on failed login events to post a tweet on Twitter or an article on Tumblr whenever the alert is triggered from your Splunk instance. The search is triggered every 1 minute and looks for matching events in the relative past 1 minute.

Screen Shot 2014-08-01 at 2.07.20 AM   Screen Shot 2014-08-01 at 2.07.33 AM

Requirements to run this app ?

  1. Splunk installed
  2. Twitter and/or Tumblr account

How To Obtain Twitter OAuth And Access Tokens ?

  1. Sign up at Twitter if you are new to Twitter.
  2. Go to https://apps.twitter.com/
  3. Click at “Create New App”
  4. Fill in the form and accept the agreement
  5. Click on Permission tab. You will need to modify the app access level to “Read, Write and Access direct messages”
  6. Click API Keys tabs and then Create my access token
  7. Access token and Access token secret will be provided
  8. Click “Test Oauth” button to obtain and test Oauth authentication

How To Obtain Tumblr OAuth And Access Tokens ?

  1. Sign up at Tumblr if you are new to Tumblr.
  2. Create a Tumblr page (it should resemble uniquename.tumblr.com)
  3. Register a Tumblr application at http://www.tumblr.com/oauth/apps
  4. Go to https://api.tumblr.com/console/calls/user/info to get the oauth credentials
  5. You may try the different method calls in https://api.tumblr.com/console to test if the credentials are correct

Installation Steps

  1. If you are installing this app manually, ensure this app is unpacked in $SPLUNK_HOME/etc/apps
  2. Go to the following Splunk app endpoint /manager/routr/apps/local/routr/setup?action=edit
  3. Update the setup form with the appropriate oauth and access token credentials and click Save button
  4. Verify that the scripts tweetalert.py or tumblralert.py is moved to $SPLUNK_HOME/bin/scripts accordingly if you configure either Twitter or Tumblr credentials
  5. To confirm that this app has been successfully installed, simply copy the URL of your Splunk instance and load it in another browser. Then try with erroneous Splunk credentials in the login page
  6. If you have configured your Twitter credentials, go to your Twitter account page and you should see a tweet within 1 minute.                                                                             Screen Shot 2014-07-21 at 6.10.09 PM
  7. If you have configured your Tumblr credentials, go to your Tumblr page and you should see a Tumblr post within 1 minute.

        Screen Shot 2014-07-30 at 6.35.28 PM

How To Use This app ?

  1. Use tweetalert.py or tumblralert.py in the Alert actions when you create any Splunk Saved Search so that the alert will be posted as a tweet. To do this, enable a script and provide the file name tweetalert.py or tumblralert.py in the Alert actions

How To Troubleshoot ?

  1. Go to $SPLUNK_HOME/var/log/splunk/routr.log This log file contains application specific information
  2. Else, look at $SPLUNK_HOME/var/log/splunk/splunkd.log

About Using Cacert

  1. This app uses the cacert.pem certificate that is publicly available and obtained from http://curl.haxx.se/docs/caextract.html
  2. If you would like to generate and use your cacert, please replace the cacert.pem file in $SPLUNK_HOME/etc/apps/routr/bin and update $SPLUNK_HOME/etc/apps/routr/tweetalert.py accordingly

routr is available at http://apps.splunk.com/app/1823/ Have fun exploring this app! Let me know if you have any interesting use cases about using this app!

The information and views set out in this article are those of the author and do not necessarily reflect the official opinion of Splunk.

Levonne Key
Posted by Levonne Key

Join the Discussion