
Introduction

The Splunk integration connects Rootly with Splunk Enterprise or Splunk Cloud so teams can receive alerts from saved searches as Rootly alerts and trigger on-call paging directly from Splunk alert actions. With the Splunk integration, you can:
  • Forward Splunk saved search alerts to Rootly as alerts
  • Page Rootly on-call targets directly from Splunk alert actions
  • Use alert workflows to create incidents and automate follow-up actions from Splunk search results

Before You Begin

Before setting up the integration, make sure you have:
  • A Rootly account with permission to manage integrations and alert sources
  • Splunk Enterprise or Splunk Cloud with admin access to install apps on search heads
  • The integration URL or key from your Rootly Splunk alert source settings
The Rootly Splunk app must be installed on your search heads. It does not need to be installed on indexers or forwarders.

Installation

Create a Splunk alert source in Rootly

Navigate to Settings > Alert Sources in Rootly and create a new alert source. Select Splunk and give it a descriptive name. Copy the integration URL or integration key shown after saving; you will need it when configuring the Splunk app.

Install the Rootly app in Splunk

Install the Rootly app from Splunkbase (Rootly App on Splunkbase) via Splunk Web Admin on your search heads.
The app must be installed on search heads. Alerts in Splunk are triggered from search heads, so the Rootly alert action will not be available unless the app is installed there.

Configure the Rootly app

After installation, configure the Rootly app with the value you copied from your Rootly alert source settings. Depending on the app version, it prompts either for the full integration URL or for the integration key alone; both are shown in the Rootly Splunk alert source settings. Treat this value as a credential: anyone holding it can post alerts into that alert source, so keep it in the app configuration rather than in saved search names or shared dashboards.

Add the Rootly alert action to a saved search

In Splunk, open a saved search and navigate to its Alert Actions. Add the Rootly action and configure it to forward alerts when the search fires.
You can configure different saved searches to route to different Rootly on-call targets by using separate alert sources or by including notification target parameters in the action configuration.

How Alerts Are Mapped

Rootly extracts the following fields from each Splunk alert payload:
  • Summary — the search_name field (the name of the saved search that fired)
  • External ID — the sid (search ID), used to identify the alert
  • External URL — the results_link, linking back to the Splunk search results
  • Started at — the result._time field, parsed as a Unix timestamp
The Splunk search_name becomes the alert summary in Rootly. Use descriptive saved search names to make it easy to identify alerts in Rootly workflows and the alert feed.
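The mapping above, as an added example that is not code from the Rootly app or Rootly's API. It assumes the payload shape Splunk hands to a custom alert action (a JSON object with search_name, sid, results_link, result and, among other keys, session_key); the sample payload and the snake_case output keys (summary, external_id, external_url, started_at) are constructed for illustration. It also shows the two edge cases a practitioner cares about: a missing or non-numeric result._time, and the session_key, which must never leave the search head.

```python
"""Map a Splunk alert-action payload to the four Rootly alert fields.

Added example, not the Rootly app's own code. Payload shape follows Splunk's
custom alert action JSON; SAMPLE_PAYLOAD below is constructed, not a real alert.
"""
import json
from datetime import datetime, timezone

# Constructed sample of the JSON Splunk passes to a custom alert action on stdin.
SAMPLE_PAYLOAD = json.dumps({
    "search_name": "Prod - Failed SSH logins > 50 in 5m",
    "sid": "scheduler__admin__search__RMD5a1b2c3d4e5f6a7b8_at_1700000000_42",
    "results_link": "https://splunk.example.com:8000/app/search/@go"
                    "?sid=scheduler__admin__search__RMD5a1b2c3d4e5f6a7b8_at_1700000000_42",
    "result": {"_time": "1700000000", "host": "bastion-01", "count": "73"},
    "session_key": "REDACTED-SPLUNK-SESSION-KEY",  # must never be forwarded
    "server_uri": "https://127.0.0.1:8089",
})

# Output keys are an assumption for this example (the page names the fields in prose).
FORWARDED_KEYS = ("summary", "external_id", "external_url", "started_at")


def parse_started_at(result):
    """Return result._time as an aware UTC datetime, or None if absent/unparseable.

    Splunk emits _time as epoch seconds, possibly with a fractional part.
    """
    raw = (result or {}).get("_time")
    if raw is None:
        return None
    try:
        return datetime.fromtimestamp(float(raw), tz=timezone.utc)
    except (TypeError, ValueError, OverflowError, OSError):
        return None


def map_splunk_alert(payload_json):
    """Build the Rootly alert mapping from a Splunk alert-action payload.

    Only the four documented fields are extracted. Everything else in the
    payload, notably session_key, stays on the search head.
    """
    payload = json.loads(payload_json)
    for required in ("search_name", "sid"):
        if not payload.get(required):
            raise ValueError(f"Splunk payload missing required field: {required}")

    started = parse_started_at(payload.get("result"))
    alert = {
        "summary": payload["search_name"],          # saved search name
        "external_id": payload["sid"],              # search ID, dedupe key
        "external_url": payload.get("results_link"),  # back-link to results
        "started_at": started.isoformat() if started else None,
    }
    assert set(alert) == set(FORWARDED_KEYS)
    return alert


if __name__ == "__main__":
    print(json.dumps(map_splunk_alert(SAMPLE_PAYLOAD), indent=2))
```

Because the sid is the External ID, a saved search that fires repeatedly produces a new sid each run and therefore a distinct alert each time; deduplication across runs has to happen in Rootly alert workflows, not in this mapping.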

Troubleshooting

Confirm the Rootly app is installed on the search head where you are configuring the saved search. The alert action is only available on nodes where the app is installed.
Verify that the integration URL or key configured in the Rootly app matches what is shown in your Rootly Splunk alert source settings. Check the Splunk alert action logs for delivery errors.

Uninstall

To remove the Splunk integration, open the integrations panel in Rootly and select Configure > Delete. You can also uninstall the Rootly app from Splunk Web Admin.