
How can I create a Splunk alert that posts in Slack channel and has a user group (example: @team) so a badge appears on the channel for the user group members?

mrivera_2
Engager

I am looking to create a Splunk alert that posts to the Slack channel and mentions a particular user group so a badge appears next to the channel for all members of that particular group. For example: If the alert says 'host is down', I want the user group @prodSA to be mentioned in the alert so they get a badge next to the channel.

mahegstrom
Explorer

If you are looking to @ a user group within the Slack alert, I found this in the Slack API docs. Tested and confirmed, it works. https://api.slack.com/reference/surfaces/formatting#linking_to_channels_and_users

To mention a user group in app-published text, you need to provide the group ID in the following general syntax:

`<!subteam^ID>`

!subteam^ is a literal string that should not change, but ID should be replaced with the actual user group ID. Here's an example:

Hey <!subteam^SAZ94GDB8>, there's a new task in your queue.

Your app can get this group ID from the Event API payload sent when one of the subteam event types occurs, or by looking them up via the usergroups.list Web API.

You can also manually retrieve a specific user group's ID from the URL shown when viewing its profile (highlighted here):

[screenshot: the user group's profile page, with the group ID highlighted in the URL]

When text containing the user group mention syntax is published by an app, the ID will be automatically converted to show the name of the user group.



0 Karma

burwell
SplunkTrust

Aha! : https://api.slack.com/docs/message-formatting#linking_to_channels_and_users

You need to put <@user>

So what you can do is to set a field.. like eval person_to_notify="<@foo>" (or however you will determine the correct person).

And then in the alert use $result.person_to_notify$

I just tested and once the user name was in <@user> I got the alerts. Thanks for raising the issue.
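Both answers above come down to the same rule: Slack only resolves a mention when the app-posted text carries the markup with the ID, `<@MEMBER_ID>` for a person and `<!subteam^GROUP_ID>` for a user group, and a bare `@name` is posted as an inert string. The following Python is an added example (not code from any poster, and not Splunk's or Slack's own) that builds such a message from a handle-to-ID lookup, checks that the result really contains a resolvable mention before it is sent, and escapes text copied from events so that a log line containing `<!channel>` cannot page the whole channel. The IDs in `DIRECTORY` are constructed for the example; the regexes encode the ID shapes (member IDs start with `U` or `W`, group IDs with `S`) as an assumption about current Slack IDs.

```python
import re

# Slack mention syntax, per the formatting reference quoted in this thread:
#   <@U0123ABCDE>         mention one member by member ID
#   <!subteam^S0123ABCD>  mention a user group by its user group ID
# A bare "@member1" or "@prodSA" in app-posted text is shown as a literal
# string and triggers no badge or push notification.

# Assumed ID shapes: member IDs start with U or W, user group IDs with S,
# followed by upper-case alphanumerics (at least 8 in practice).
_USER_ID = re.compile(r"^[UW][A-Z0-9]{8,}$")
_GROUP_ID = re.compile(r"^S[A-Z0-9]{8,}$")
# Any mention Slack would actually resolve, including the optional "|label"
# form and the broadcast keywords.
_MENTION = re.compile(
    r"<(?:@[UW][A-Z0-9]{8,}|!subteam\^S[A-Z0-9]{8,}|!channel|!here|!everyone)"
    r"(?:\|[^>]*)?>"
)

# Constructed directory with hypothetical IDs. In a real deployment the IDs
# come from users.list / usergroups.list or from the profile URL, as the
# thread describes; keying by handle means a renamed user or group does not
# silently break the alert.
DIRECTORY = {
    "prodSA": ("group", "SAZ94GDB8"),
    "member1": ("user", "U0123ABCDE"),
    "member2": ("user", "W0456FGHIJ"),
}


def mention(handle):
    """Return the Slack mention markup for a handle in DIRECTORY."""
    kind, slack_id = DIRECTORY[handle]
    if kind == "group":
        if not _GROUP_ID.match(slack_id):
            raise ValueError(f"not a user group ID: {slack_id}")
        return f"<!subteam^{slack_id}>"
    if not _USER_ID.match(slack_id):
        raise ValueError(f"not a member ID: {slack_id}")
    return f"<@{slack_id}>"


def escape_event_text(text):
    """Escape the three characters Slack treats as markup so that data copied
    from events (hostnames, messages) cannot inject <!channel> or a mention."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_alert(body, handles):
    """Compose the alert text: resolvable mentions first, then the escaped body."""
    return " ".join(mention(h) for h in handles) + " " + escape_event_text(body)


def resolvable_mentions(text):
    """Mentions Slack will resolve in text; plain '@name' strings are not counted."""
    return _MENTION.findall(text)


def check_before_post(text):
    """Guard for the failure mode in the thread: refuse to send an alert that
    was meant to mention people when none of its mentions are real."""
    if not resolvable_mentions(text):
        raise ValueError("message contains no resolvable Slack mention")
    return text


if __name__ == "__main__":
    msg = build_alert("host is down", ["prodSA", "member1"])
    print(check_before_post(msg))
    # Event data that tries to broadcast is neutralised by the escaping.
    print(build_alert("<!channel> host is down", ["member2"]))
    # A display-name string looks right to a human but is inert in Slack.
    try:
        check_before_post("@prodSA @member1 host is down")
    except ValueError as exc:
        print("rejected:", exc)
```

The string `mention()` returns is exactly what a Splunk `eval` field such as `person_to_notify` should hold, so that `$result.person_to_notify$` expands to markup Slack resolves. The escaping in `build_alert()` matters because the alert body is interpolated from search results: anything that came from a log line should not be able to carry its own `<!channel>` or `<@...>` into the channel.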

vgiri8
Path Finder

For the user ID, use the steps below to get the ID; it is not the same as the channel ID. You need to get the member ID.

https://api.slack.com/reference/surfaces/formatting#mentioning-users

[screenshot: Slack member profile showing where the member ID is copied from]

0 Karma

nick405060
Motivator

Thank you!!

0 Karma

nick405060
Motivator

Another option, if you just want to mention the people statically/directly in the alert body, is to use @burwell's solution of the carets like so:

channel: #mychannel
message: Hi, this is an alert from Splunk. <@member1> <@member2> please respond as quickly as possible

and that successfully mentions them instead of just putting the @member1 @member2 as strings.

nick405060
Motivator

I have the same issue. We have critical alerts that we need to send out that explicitly mention certain members with the @ symbol so that they get push notifications on their phones. Is there a way to do this?

"@member1 @member2 @member3" does not work if you put them into "channel name" to DM those three members, nor does it work using commas, nor does it work if you create a Slack channel and send to it and then mention the members. In the latter case "@member1" is just shown as a string and is not an actual mention. Unless I'm wrong, you can't create a channel in Slack that defaults to sending push notifications.

There is one way to achieve the solution, but it involves setting up a separate alert DMing each individual. With 10 people that we need to notify, multiple critical alerts that need push notifications, and frequent modifications, that's not really feasible.

0 Karma

mwdbhyat
Builder

There are some Slack apps that may be able to help with this..

https://splunkbase.splunk.com/app/2878/
https://splunkbase.splunk.com/app/3525/

0 Karma

nick405060
Motivator

I downvoted this comment because the answer doesn't actually address the question and is extremely unhelpful. The asker has the Slack app installed, but he isn't sure how to create a mention inside the actual alert

0 Karma