Splunk Alert to Slack : Is it possible to have cer...

vincentgoh98 · ‎08-09-2022

Hi here, I am trying to build a Splunk alert with Slack, to pass a table column of value as an array of value, eg.

Result Table

===========

Field1	Field2
A1	B1
A2	B2

Expected Alert Message

===========

Field1 : ["A1", "A2"]

I am currently referencing the following documentation, with the result token $result.Field1$. However, it shows only the value on the 1st row, ie. Field1 : A1. I wonder is it possible to have the alert message done, with an array of value instead ? Thanks in advance !

https://docs.splunk.com/Documentation/Splunk/8.2.1/Alert/EmailNotificationTokens

https://github.com/splunk/slack-alerts/issues/30

Gr0und_Z3r0 · ‎04-05-2023

@vincentgoh98 @akarivaratharaj One of the ways I handled this for my Slack notifications from Splunk was to create a field with the required columns and then mvcombine them as a single field value and use this field in the alert.

It will list down items in your slack.

You can try something like this.

| makeresults count=20
| eval rand =(random() % 20)+2
|  eval field_a="A-"+rand
|  eval field_b="B-"+rand
| stats count by field_a field_b
| eval field_ab_count=field_a+" , "+field_b+" , "+count
| fields field_ab_count
| mvcombine field_ab_count

~ If the reply helps, an upvote would be appreciated

akarivaratharaj · ‎03-31-2023

I am also facing the same issue. Though my search query returns more than 1 rows of results, only the first row of result is taken by default and sent as alert notification in my Slack channel from Splunk.

But in Alert trigger actions for Email notification, we have the options to show all the results as a table format. If the same feature is available for Slack notification, it will be useful and more user readable.

Could anyone please help on finding a solution to display all the rows of results in Slack notification?

ITWhisperer · ‎03-31-2023

You potentially have a couple of options - you might be able to include a csv of the results with the trigger - you could list all the results so that they appear in the first row

| stats list(*) as *

akarivaratharaj · ‎04-03-2023

I have tried by using

| stats list(*) as *

But this had again gave me only the first row values in my alert notification on Slack.

Can you please let me know how to include the results from CSV to Slack alert notification?

ITWhisperer · ‎04-03-2023

Please explain because list(*) as * puts all the results into the first row are multi-value fields, which is what you asked for. Does the Slack alert somehow convert this to something else?

akarivaratharaj · ‎04-04-2023

@ITWhisperer Could you please let me know how to get/attach the results from a CSV file to a slack notification with all the rows of the results?

ITWhisperer · ‎04-04-2023

It doesn't look like this is possible for webhook notifications. Have you tried triggering for every result, that way you might be able to send every row (one at a time)?

akarivaratharaj · ‎04-05-2023

Yeah I am aware of the setting - "Trigger Conditions -> For each result". If the results are with 2 or 3 rows then it's fine. But what if the results are 10's and 20's. This will create a loads of alert notification entry in the specific channel. Also it won't be effective for users' readable.

My alert is set to trigger for every 15 minutes. This will create more entries for an entire day.

Is there any other way to achieve this?

akarivaratharaj · ‎04-03-2023

Yes using "list(*)", making the results of the search query to show in one single row (while running the query in a search window). Whereas when the alert is triggered and notified to a Slack channel, the notification message has only the top values of the respective fields from the list.

Splunk Alert to Slack : Is it possible to have certain table column (field) passed to the Slack alert as an array?

alert action

alert condition

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk