Alerting

Calling Fields From Alert Results to Output them in Slack

yoshilog
Explorer

I would like to ask about the line of code we put in the messages field in the Splunk Alert Action for Slack Notification. 


$result.users$$result.message$


Here is a screenshot of the send Message plugin details that we set in a test channel.

[screenshot: yoshilog_0-1632715170319.png]


I would like to ask why, beginning last week, all of a sudden it began displaying this in Slack:


[screenshot: yoshilog_1-1632715185806.png]


Instead of the usual results we have that would indicate 

@yoshilog "Good day.. <Blah, blah>".

So what we did was update the code to add a whitespace between the two result calls.


$result.users$ $result.message$


Doing so fixed the results and led to the expected output in our Slack test channel.

@yoshilog "Good day.. <Blah, blah>".

However, within the team there were some questions about what had changed in the past week that suddenly caused the alert to not post the expected output in Slack (since no one had changed / touched the alert for a long time).

I have also gotten in touch with the plugin developer, however he has not responded so I resorted to posting here, since some Splunkers might have had some experience with the issue. 


Would appreciate your ideas re: what had happened. Thank you in advance!


sdupre
Engager

Seems like injection. I see it too for Slack integration alert messages.

Mine is $result.requesting_server$$result.uri_path$. (trying to make a link)

0 Karma
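As an added illustration, and not code from this thread, from the Slack add-on, or from Splunk itself, the Python below models two plausible orderings for a `$result.<field>$` template renderer and shows why the back-to-back form in the question and in the reply above (`$result.users$$result.message$`, `$result.requesting_server$$result.uri_path$`) is fragile while the spaced form is not. Splunk's Simple XML token syntax uses `$$` for a literal dollar sign; whether the alert-action renderer handles it the same way, and whether an ordering change of this kind is what happened in the add-on, is an assumption here. The sample result row, the function names, and the `lint_adjacent_tokens` check are all constructed for this example.

```python
import re

# Constructed sample alert result row, standing in for one row of $result.*$.
SAMPLE_RESULT = {"users": "@yoshilog", "message": '"Good day.. <Blah, blah>"'}

# One $result.<field>$ token. Field names are limited to [A-Za-z0-9_] here.
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")

# Two tokens with nothing between them: the pattern the thread is about.
ADJACENT_RE = re.compile(r"\$result\.[A-Za-z0-9_]+\$\$result\.[A-Za-z0-9_]+\$")


def render_scan(template: str, result: dict) -> str:
    """Single left-to-right scan.

    At each position, try a token first; only if no token starts here is
    a '$$' treated as an escaped literal '$'. Adjacent tokens survive
    because the first token consumes its closing '$' before the scanner
    ever sees the '$$' pair.
    """
    out = []
    i = 0
    while i < len(template):
        m = TOKEN_RE.match(template, i)
        if m:
            out.append(str(result.get(m.group(1), "")))
            i = m.end()
        elif template.startswith("$$", i):
            out.append("$")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def render_escape_first(template: str, result: dict) -> str:
    """Hypothetical alternative ordering: unescape '$$' BEFORE substitution.

    The '$$' formed by the closing '$' of one token and the opening '$' of
    the next is consumed as an escape, so neither token matches any more
    and the raw template text reaches the Slack message instead.
    """
    placeholder = "\x00"
    tmp = template.replace("$$", placeholder)
    tmp = TOKEN_RE.sub(lambda m: str(result.get(m.group(1), "")), tmp)
    return tmp.replace(placeholder, "$")


def lint_adjacent_tokens(template: str) -> list:
    """Return the back-to-back token pairs found in a message template.

    A non-empty list means the template renders differently depending on
    which ordering the renderer uses; inserting any separator between the
    tokens (a space, as the thread did) makes both orderings agree.
    """
    return ADJACENT_RE.findall(template)


def renders_consistently(template: str, result: dict) -> bool:
    """True when both renderer orderings produce the same output."""
    return render_scan(template, result) == render_escape_first(template, result)


if __name__ == "__main__":
    for tpl in ("$result.users$$result.message$", "$result.users$ $result.message$"):
        print(repr(tpl))
        print("  scan        :", render_scan(tpl, SAMPLE_RESULT))
        print("  escape-first:", render_escape_first(tpl, SAMPLE_RESULT))
        print("  adjacent    :", lint_adjacent_tokens(tpl))
```

Running `lint_adjacent_tokens` over the message fields of saved alert actions is a cheap review step: a template with no adjacent tokens renders the same under either ordering, so a change in the add-on's token handling cannot silently turn a formatted notification into raw `$result.…$` text.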