All Apps and Add-ons

MS Teams Alert Action - failures after upgrade from 1.0.11 to 1.0.18


Hi all,

I recently had our MS Teams Alert Action addon upgraded from 1.0.11 to 1.0.18, and have been seeing errors with older alerts due to a missing parameter, this one:


What indicates this missing parameter failure is this error message in the MS Teams App → Logging Reports → MS Teams - modular action failures  menu that contains this:

signature="Error: 'in <string>' requires string as left operand, not NoneType. Please double check spelling and also verify that a compatible version of Splunk_SA_CIM is installed." action_name="ms_teams_publish_to_channel"


The fix appears to be going in to the MS Teams action through the alert interface, and toggling the field ordering dropdown, this adds the missing parameter.  

Is there a way to review all the existing alerts in my Splunk Cloud instance, and check for a missing parameter?


Thanks in advance,



Labels (1)
0 Karma


From March 3rd onward we kept receiving this message in every MS Teams alert that was sent: "Important: Your connector is running on old configuration. Navigate to connector configuration window to update to new configuration."

So finally I decided to update to version 1.0.19  and now zero messages are being sent. I see this in the log: " | Customized key can not be found"...

Anyone an idea?

0 Karma


I found an older work around, that apparently should fix this issue also 😀:

"Make sure you run the latest version (so redo the upgrade if you downgraded (downgrade did not fix it by the way))

Then for each alert that has the alert action, just go to:

Settings / Searches, reports and alerts / < the alert> 

Then click on edit and just save it (without modifying anything), Splunk will add the missing parameters automatically.

This is due to a much earlier feature change which causes issues for older alerts that were created before the feature was introduced"

Hope this helps for others that made a recent upgrade from a somewhat older version that was still affected by this.


I used this query to list all the scheduled searches (alerts) I had in Splunk using the MS Teams alert action:


| rest /services/saved/searches | search action.ms_teams_publish_to_channel=1 disabled=0 
| table title author disabled action.ms_teams_publish_to_channel.param.alert_ms_teams_activity_title action.ms_teams_publish_to_channel.param.alert_ms_teams_fields_list, action.ms_teams_publish_to_channel.param.alert_ms_teams_fields_order 
| sort disabled 
| where isnull('action.ms_teams_publish_to_channel.param.alert_ms_teams_fields_order')


Since I couldn't figure out a way to get the name of the scheduled search (for the REST query), I updated all alerts that were missing the parameter by hand, and set the ms_teams_fields_order parameter.

if there is an easier way, or if anyone knows how to get the name of the alert (for REST endpoints, not the alert title), please let me know.



0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Hi Splunky people! We are excited to share the newest updates in Splunk Enterprise 9.3!Admins and Analyst can ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...