I'm currently indexing events from a Slack team; I am indexing data from different channels, but not all channels. I saw that the channels I want to index appear as private in Slack, but they are not private. I am indexing from 375 channels but not from the one that I want. I guess that this is a Slack restriction... Can one of you help this soul?
The Splunk account needs to be the Super (World?) admin (highest level), otherwise it can only read its own messages. Alternatively, it can be a member of a group. A bit of a pain really.
@joseft I made this integration with admin level, but I am not seeing any messages from Slack public channels in Splunk.
Start small: send a message from Slack to the Splunk user. The Slack permissions are a bit of a pig. I believe there was a callback that you had to do the first time - sort of a 2-step authentication.
Start by taking Splunk out of the equation and use Postman to test it (it has a faster turnaround). It's been a while, but I think that Slack was more flexible if done as a REST API.
The documentation states that you need the following scopes:
admin
channel.history
In fact you also need:
channels:read
users:read
team:read
To test what is going on, you need Postman (the app error messages are as good as the documentation). Test the API calls listed in slack_messages.py and slack_logins.py (look for api_call). Then get the examples from https://api.slack.com/methods and you are set.
"Other that that Mrs. Lincoln, how did you enjoy the play"
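The answer above boils down to two checks: does the token carry every scope the add-on needs, and what does Slack's error actually say when a history call fails? The following Python is an added example, not code from the Splunk add-on or from anyone in this thread. It takes a Slack Web API response as you would copy it out of Postman (body plus the `x-oauth-scopes` response header Slack returns on successful calls) and reports the missing scopes. The required-scope list is the one given in this answer, using the `channels:history` spelling that appears later in the thread; the sample responses are constructed, modelled on Slack's documented `missing_scope` error shape (`needed` / `provided` fields).

```python
import json
from typing import Dict, Iterable, List, Optional

# Scopes this thread says the add-on needs. "channels:history" is the
# spelling used later in the thread for the history scope (assumption).
REQUIRED_SCOPES = ["admin", "channels:history", "channels:read", "users:read", "team:read"]


def parse_scopes(value: Optional[str]) -> List[str]:
    """Split Slack's comma-separated scope list (header or error field)."""
    if not value:
        return []
    return [s.strip() for s in value.split(",") if s.strip()]


def missing_scopes(granted: Iterable[str], required: Iterable[str] = REQUIRED_SCOPES) -> List[str]:
    """Return the required scopes that the token does not have, in order."""
    granted_set = set(granted)
    return [s for s in required if s not in granted_set]


def diagnose_response(body: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Inspect a saved Slack Web API response and explain why a channel
    read would fail. `headers` keys are expected lowercase, as Postman shows them."""
    data = json.loads(body)
    result: Dict[str, object] = {"ok": bool(data.get("ok")), "error": data.get("error"), "missing": []}

    if data.get("ok"):
        # Call succeeded; still compare the token's scopes against the add-on's list.
        result["missing"] = missing_scopes(parse_scopes(headers.get("x-oauth-scopes")))
        result["message_count"] = len(data.get("messages", []))
        return result

    error = data.get("error")
    if error == "missing_scope":
        # Slack names the scopes the call needed and the ones the token has.
        needed = parse_scopes(data.get("needed"))
        provided = set(parse_scopes(data.get("provided")))
        result["missing"] = [s for s in needed if s not in provided]
    elif error in ("not_in_channel", "channel_not_found"):
        result["hint"] = "the token's user or bot must be a member of the channel"
    elif error in ("invalid_auth", "not_authed", "token_revoked"):
        result["hint"] = "the token is wrong, expired or has been revoked"
    return result


# Constructed sample responses (not captured from a real workspace).
SAMPLE_MISSING_SCOPE = json.dumps({
    "ok": False,
    "error": "missing_scope",
    "needed": "channels:history",
    "provided": "channels:read,users:read",
})
SAMPLE_OK = json.dumps({"ok": True, "messages": [{"type": "message", "text": "hello"}]})
SAMPLE_OK_HEADERS = {"x-oauth-scopes": "channels:history,channels:read,users:read"}


if __name__ == "__main__":
    print(diagnose_response(SAMPLE_MISSING_SCOPE, {}))
    print(diagnose_response(SAMPLE_OK, SAMPLE_OK_HEADERS))
```

Run it against the body and headers of a `conversations.history` call for the channel that is not being indexed: a `missing_scope` result tells you which scope to add to the app, while `not_in_channel` points at membership rather than scopes, which matches the "member of a group" remark earlier in the thread.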
Hi @joseft,
I have created the Slack custom app and gave it the scope channels:history. Using the Slack app for Splunk add-on, I installed it on the SH and configured the data input slack:messages, but I am not seeing any events from Slack. While creating the input in Splunk, I gave the OAuth token, index, sourcetype and initial days to load the data.
Can you please help me out on this, if anything else needs to be configured?
Thanks