topic Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array? in Alerting

Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

vincentgoh98 — Tue, 09 Aug 2022 15:28:40 GMT

Hi here, I am trying to build a Splunk alert with Slack, to pass a table column of value as an array of value, eg.

Result Table

===========

Field1	Field2
A1	B1
A2	B2

Expected Alert Message

===========

Field1 : ["A1", "A2"]

I am currently referencing the following documentation, with the result token $result.Field1$. However, it shows only the value on the 1st row, ie. Field1 : A1. I wonder is it possible to have the alert message done, with an array of value instead ? Thanks in advance !

https://docs.splunk.com/Documentation/Splunk/8.2.1/Alert/EmailNotificationTokens

https://github.com/splunk/slack-alerts/issues/30

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

akarivaratharaj — Fri, 31 Mar 2023 07:27:17 GMT

I am also facing the same issue. Though my search query returns more than 1 rows of results, only the first row of result is taken by default and sent as alert notification in my Slack channel from Splunk.

But in Alert trigger actions for Email notification, we have the options to show all the results as a table format. If the same feature is available for Slack notification, it will be useful and more user readable.

Could anyone please help on finding a solution to display all the rows of results in Slack notification?

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

ITWhisperer — Fri, 31 Mar 2023 08:31:23 GMT

You potentially have a couple of options - you might be able to include a csv of the results with the trigger - you could list all the results so that they appear in the first row

| stats list(*) as *

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

akarivaratharaj — Mon, 03 Apr 2023 09:26:08 GMT

I have tried by using

| stats list(*) as *

But this had again gave me only the first row values in my alert notification on Slack.

Can you please let me know how to include the results from CSV to Slack alert notification?

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

ITWhisperer — Mon, 03 Apr 2023 10:26:01 GMT

Please explain because list(*) as * puts all the results into the first row are multi-value fields, which is what you asked for. Does the Slack alert somehow convert this to something else?

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

akarivaratharaj — Mon, 03 Apr 2023 10:40:48 GMT

Yes using "list(*)", making the results of the search query to show in one single row (while running the query in a search window). Whereas when the alert is triggered and notified to a Slack channel, the notification message has only the top values of the respective fields from the list.

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

akarivaratharaj — Wed, 05 Apr 2023 05:37:20 GMT

@ITWhisperer Could you please let me know how to get/attach the results from a CSV file to a slack notification with all the rows of the results?

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

ITWhisperer — Wed, 05 Apr 2023 06:29:38 GMT

It doesn't look like this is possible for webhook notifications. Have you tried triggering for every result, that way you might be able to send every row (one at a time)?

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

akarivaratharaj — Thu, 06 Apr 2023 05:37:38 GMT

Yeah I am aware of the setting - "Trigger Conditions -> For each result". If the results are with 2 or 3 rows then it's fine. But what if the results are 10's and 20's. This will create a loads of alert notification entry in the specific channel. Also it won't be effective for users' readable.

My alert is set to trigger for every 15 minutes. This will create more entries for an entire day.

Is there any other way to achieve this?

Re: Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

Gr0und_Z3r0 — Thu, 06 Apr 2023 06:25:55 GMT

@vincentgoh98 @akarivaratharaj One of the ways I handled this for my Slack notifications from Splunk was to create a field with the required columns and then mvcombine them as a single field value and use this field in the alert.

It will list down items in your slack.

You can try something like this.

~ If the reply helps, an upvote would be appreciated