I'm currently indexing events from a slack team, i am indexing data from differents channels... But not all channels, I saw ir the channels that i want to Index are private on slack, but they ate not private. I am indexing from 375 channels but not from the one that i want. I guess that this is a slack restriction... Can someone oficina you help this soul?
Start small, send a message from Slack to the Splunk user. The Slack permissions are a bit of a pig. I believe there was a call back that you had to do the first time - sort of a 2 step authentication.
Start by taking Splunk out of the equation and use postman to test it (It has a faster turn around). Its been a while but I think that the Slack was more flexible if done as a REST API
The documentation states that you need the following scopes:
In fact you also need:
To test what is going on, you need postman (The app error messages are as good as the documentation) Test the api calls listed in slack_messages.py and slack_logins.py (look for api_call) . Then get the examples from https://api.slack.com/methods and your are set.
"Other that that Mrs. Lincoln, how did you enjoy the play"
i have created the slack custom app and gave the scope channels:history and using the slack app for splunk add-on, i installed it on SH and configured the data input slack:messages but i am not seeing any events from slack. while i creating the input in splunk, i gave the OAuth token, index, sourcetype and initial days to load the data.
Can you please help me out on this, if anything else needs to be configured.