How to use Notifo to receive Splunk alerts on your iPhone

In this article I’ll describe how I use Splunk and Notifo to alert me whenever someone tries to login to my system with invalid credentials. Notifo is push-based notification service for mobile phones, in our example we’ll be using the iPhone.


  1. Setup a Notifo account.
  2. Install the Notifo app on your iPhone.
  3. Install the Python module.
  4. Install the Python alert script.
  5. Setup
  6. Setup saved search.


  • This process assumes that you’ve got Splunk installed and monitoring a file containing sshd log messages.


  1. Browse to to setup a Notifo account.
  2. Browse to, login, and visit the Settings page.
  3. Locate and record your API Secret (screenshot)
  4. From your desktop or your iPhone browse to the iTunes App Store to install and configure the Notifo app.
  5. On the system running Splunk, download and install the Python module (screenshot):
    ~$ cd /usr/local/src
    /usr/local/src$ git clone git://
    /usr/local/src$ cd
    /usr/local/src/$ $SPLUNK_HOME/bin/splunk cmd python install
  6. On the system running Splunk, download the Python alert script (screenshot):
    ~$ cd $SPLUNK_HOME/bin/scripts
    /opt/splunk/bin/scripts$ get
    /opt/splunk/bin/scripts$ get
  7. Configure with your Notifo APIUsername and APISecret (see step #3 above):
    ~$ cd $SPLUNK_HOME/bin/scripts
    /opt/splunk/bin/scripts$ mv
    /opt/splunk/bin/scripts$ vim
  8. Using the Splunk web interface, search for the term(s) you’d like to match and click Actions >> Save search… (screenshot).
  9. Enter the parameters for your Saved Search:
  10. Done!

To Test

  1. Generate some sshd log messages.
  2. You should get an alert on your iPhone like this:

Greg Albrecht

Posted by