Configuring Telegram Alerts in Splunk

Splunk integrates with Telegram nicely to provide notification capability. It took me a bit of googling to complete the configuration, so I’ve decided to outline the steps in one place.

  1. Install Telegram Alert Action — either in Splunk through Settings -> Alert actions -> Browse more, or download from and install manually.
  2. Create a Telegram bot — message @BotFather in Telegram and use the /newbot command to create a new bot. You will be asked for the bot name and bot handle, which must end with bot (e.g. @my_notification_bot). Take a note of your new bot’s HTTP API token.
  3. Create a new group chat in Telegram — I couldn’t create an empty group to add my bot later, and had to initially invite one of my contacts to the group, then add the bot and remove the contact. Notifications from Splunk will be sent to this group chat, so invite anybody who should be getting the alerts.
    Once you add the bot to the group chat, open the following URL in the browser (replace XXXX:YYYY with your bot API token):
    In the JSON output find the Chat ID (XXXXX below, it might be a negative number) for your notification group chat:
    "chat":{"id":XXXXXXX,"title":"Your Telegram Group Chat Name"
  4. Now you have all the info you need to configure a Splunk Telegram alert action. Edit your Splunk alert and add the Telegram Alert action, specifying the Chat ID and the Telegram Bot ID (the bot’s API token) as noted above. Configure the message to be sent; you can use Splunk’s tokens, which insert text based on the results of the search (for example, $result.src$).

You would have to do step 4 for each alert that you’d like to receive in Telegram. Be cautious with what alerts you configure to avoid alert fatigue.
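The two fiddly parts of the procedure above are step 3 (finding the group Chat ID in the getUpdates JSON) and step 4 (knowing what the rendered alert text will look like). The script below is an added example, not code from the original post or from the Telegram Alert Action app; it uses the public Telegram Bot API methods getUpdates and sendMessage, reads the bot token from a TELEGRAM_BOT_TOKEN environment variable rather than hard-coding it, and runs its parsing and message rendering against a constructed sample response so it works offline. The $result.field$ substitution is a simplified stand-in for Splunk’s own token rendering, not Splunk’s implementation.

```python
"""Helpers for steps 3 and 4 of the Telegram/Splunk setup:
find the group chat ID in a getUpdates response, render a Splunk-style
alert message, and (optionally) send it with sendMessage."""
import json
import os
import re
import urllib.request

TELEGRAM_API = "https://api.telegram.org"  # Bot API base URL; the token goes in the path


def get_updates_url(token: str) -> str:
    """The URL to open in the browser in step 3. The token is a secret: never log it."""
    return f"{TELEGRAM_API}/bot{token}/getUpdates"


def extract_group_chats(updates: dict) -> dict:
    """Return {chat_id: title} for group/supergroup chats seen in getUpdates output.
    Group IDs are negative (supergroups start with -100), which is why the post
    warns that the Chat ID "might be a negative number"."""
    chats = {}
    for update in updates.get("result", []):
        # A bot added to a group sees either a normal message or a my_chat_member update;
        # both carry a "chat" object.
        container = update.get("message") or update.get("my_chat_member") or {}
        chat = container.get("chat", {})
        if chat.get("type") in ("group", "supergroup"):
            chats[chat["id"]] = chat.get("title", "")
    return chats


_TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def render_message(template: str, result: dict) -> str:
    """Substitute $result.<field>$ tokens from one search result row.
    Missing fields render as empty strings so a malformed template is visible
    in the test message instead of raising mid-alert."""
    return _TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), template)


def send_message(token: str, chat_id: int, text: str) -> dict:
    """POST to sendMessage. Network call: only used when a real token is set."""
    url = f"{TELEGRAM_API}/bot{token}/sendMessage"
    body = json.dumps({"chat_id": chat_id, "text": text}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample of a getUpdates response (not real data); one private chat
# from talking to the bot, one supergroup the bot was added to.
SAMPLE_UPDATES = {
    "ok": True,
    "result": [
        {"update_id": 1, "message": {"message_id": 10,
            "chat": {"id": 123456, "type": "private", "first_name": "Alice"},
            "text": "/start"}},
        {"update_id": 2, "message": {"message_id": 11,
            "chat": {"id": -1001234567890, "type": "supergroup", "title": "SOC Alerts"},
            "text": "hello bot"}},
    ],
}

if __name__ == "__main__":
    print("Group chats:", extract_group_chats(SAMPLE_UPDATES))
    # Constructed result row standing in for a Splunk search result.
    msg = render_message("Suspicious login from $result.src$ as $result.user$",
                         {"src": "10.0.0.5", "user": "svc_backup"})
    print("Rendered alert:", msg)
    token = os.environ.get("TELEGRAM_BOT_TOKEN")
    if token:
        # Sends a test message to the first group found; harmless if none exists.
        for chat_id in extract_group_chats(SAMPLE_UPDATES):
            print(send_message(token, chat_id, msg))
```

Running it without the environment variable only exercises the parsing and rendering; with a real token exported it sends the rendered test message, which is a convenient way to confirm the Chat ID before wiring the alert action in Splunk.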

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.