
Have you ever made an integration splunk-slack?

DiegoAlba
Explorer

I'm currently indexing events from a Slack team; I am indexing data from different channels... but not all channels. I saw if the channels that I want to index are private on Slack, but they are not private. I am indexing from 375 channels but not from the one that I want. I guess that this is a Slack restriction... Can someone of you help this soul?

joseft
Explorer

The Splunk account needs to be the Super (World?) admin (highest level), otherwise it can only read its own messages. Alternatively, it can be a member of a group. A bit of a pain really.

0 Karma

Roy_9
Motivator

@joseft I made this integration with admin level but I am not seeing any messages from Slack public channels in Splunk.

0 Karma

joseft
Explorer

Start small, send a message from Slack to the Splunk user. The Slack permissions are a bit of a pig. I believe there was a callback that you had to do the first time - sort of a 2-step authentication.

Start by taking Splunk out of the equation and use Postman to test it (it has a faster turnaround). It's been a while, but I think that Slack was more flexible if done as a REST API.

0 Karma

joseft
Explorer

The documentation states that you need the following scopes:
admin
channel.history

In fact you also need:
channels:read
users:read
team:read

To test what is going on, you need Postman (the app error messages are as good as the documentation). Test the API calls listed in slack_messages.py and slack_logins.py (look for api_call). Then get the examples from https://api.slack.com/methods and you are set.

"Other that that Mrs. Lincoln, how did you enjoy the play"
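The reply above lists the scopes the add-on needs and suggests testing the API calls outside Splunk first. The script below is an added example, not code from this thread or from the Splunk add-on: it checks an OAuth token's granted scopes against the scopes each Web API method needs, and classifies Slack's JSON error responses (missing_scope, not_in_channel, invalid_auth, channel_not_found) into the actionable cause behind "no events in Splunk". The method-to-scope mapping and the sample responses are constructed for illustration; the call_slack helper is only for a live check and is not exercised offline.

```python
"""Added example (not from the thread or the Splunk add-on): triage Slack Web API
responses when a Splunk data input pulls no events."""
import json
import urllib.parse
import urllib.request

# Scopes the reply above says are needed, keyed by the Web API methods an
# ingestion script would call. The method-to-scope mapping is an assumption
# for illustration, not taken from the add-on's source.
REQUIRED_SCOPES = {
    "conversations.list": {"channels:read"},
    "conversations.history": {"channels:history"},
    "users.list": {"users:read"},
    "team.info": {"team:read"},
}


def missing_scopes(provided, methods=REQUIRED_SCOPES):
    """Return {method: [scopes still missing]} for a token's granted scopes."""
    provided = set(provided)
    return {m: sorted(need - provided) for m, need in methods.items() if need - provided}


def diagnose(response):
    """Classify a Slack API JSON response into an actionable message."""
    if response.get("ok"):
        return "ok"
    err = response.get("error", "unknown_error")
    if err == "missing_scope":
        # Slack reports the scope it wanted and the scopes the token carries.
        return (f"token lacks scope {response.get('needed')} "
                f"(has: {response.get('provided')}); re-authorize the app")
    if err == "not_in_channel":
        # A private channel is invisible unless the token's user/bot is a member.
        return "token's user/bot is not a member of this channel; invite it"
    if err == "invalid_auth":
        return "token rejected; check the OAuth token pasted into the Splunk input"
    if err == "channel_not_found":
        return "channel id unknown to this workspace or not visible to this token"
    return f"unhandled error: {err}"


def check_channels(history_responses):
    """Map {channel_id: conversations.history response} to a per-channel verdict."""
    return {cid: diagnose(r) for cid, r in history_responses.items()}


def call_slack(method, token, **params):
    """Live call for a manual check (assumes network access; not used offline)."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"https://slack.com/api/{method}", data=data,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses; the shapes follow Slack's documented error format.
SAMPLE = {
    "C_PUBLIC": {"ok": True, "messages": [{"type": "message", "text": "hi"}]},
    "C_PRIVATE": {"ok": False, "error": "not_in_channel"},
    "C_NOSCOPE": {"ok": False, "error": "missing_scope",
                  "needed": "channels:history", "provided": "channels:read"},
}

if __name__ == "__main__":
    # A token granted only channels:history still cannot enumerate channels or users.
    print(missing_scopes({"channels:history"}))
    for cid, verdict in check_channels(SAMPLE).items():
        print(cid, "->", verdict)
```

To use it against a real workspace, feed the output of call_slack("conversations.history", token, channel=cid) for each channel id into diagnose; a not_in_channel verdict on a channel that looks public is the symptom described earlier in this thread and is fixed by membership, not by more scopes.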

Roy_9
Motivator

Hi @joseft,

I have created the Slack custom app and gave it the scope channels:history, and using the Slack app for Splunk add-on I installed it on the SH and configured the data input slack:messages, but I am not seeing any events from Slack. While creating the input in Splunk, I gave the OAuth token, index, sourcetype and initial days to load the data.

Can you please help me out on this, if anything else needs to be configured.

Thanks

0 Karma