Hi All,
I've just installed and been testing the Microsoft Teams messages publication add-on (4855 by @guilmxm). It generates alerts in Teams fine, but I cannot get it to output a potential action to link back to the Splunk results.
My configuration is as follows:
Message Activity Title: Alert: $name$ - $job.resultCount$ events
Message fields list: API_APPLICATION, API_ENDPOINT
OpenURL Potential Action Name: View in Splunk
OpenURL Potential Action URL: $results_link$
This results in a card which looks like this, with no action button
I don't know where the "E" and "P" are coming from. I've played about with the settings in a number of ways, but cannot get an action to appear. Perhaps I'm missing something. Nothing notable is shown in the log.
If anybody has ideas or a working configuration they can share with me, that would be great.
Thank you
Hi @david_peacock
I believe this is linked to your fields being multi-value fields.
If you end your search, for example, with:
| foreach API_APPLICATION, API_ENDPOINT [ eval <<FIELD>> = mvjoin('<<FIELD>>', "|") ]
This would ensure that if you have a multivalue field, these will be managed as a pipe-separated list of values instead.
Secondly, for the action button, the token may not be resulting in any value, which is why the Addon strips it automatically. I would advise you to try to provide a static URI to a dashboard or a report instead to verify.
Let me know
Guilhem
Thank you @guilmxm for your very fast response.
Your multi-value field suggestion, adding the join, stopped the "E" and "P" appearing on the card. 👍
However, changing the "OpenURL Potential Action URL" to a static address still does not show an action button.
Actually I can add the $results_link$ tag to the title and it correctly expands to a valid URL. It must be for some other reason that the button does not show.
I can POST the following to the webhook and the open url button works correctly.
"potentialAction": [{
    "@type": "ActionCard",
    "name": "View Results in Splunk",
    "actions": [{
        "@type": "OpenUri",
        "name": "View in Splunk",
        "targets": [
            { "os": "default", "uri": "http://splunk-test" }
................
If I don't supply the "os": "default" it does not work. I cannot see the body the add-on is sending as my locked down environment does not allow me to send it to another webhook like "webhook.site".
Do you have any other ideas?
Thank you.
@david_peacock
Right, odd, there seems to be something in your context.
Please enable the DEBUG mode in the logging level of the addon; then, if you get the alert to trigger, you will see in the logs the JSON data that is being sent to the API, and then we can compare.
I shall try to have a look when possible; however, as far as I knew, it has always worked perfectly fine, unless MS changed a thing, but that'd be surprising.
@david_peacock
The following is an example of a rest call data sent:
{
  "@type": "MessageCard",
  "@context": "http://schema.org/extensions",
  "themeColor": "0076D7",
  "summary": "MS teams addon testing please ignore",
  "sections": [
    {
      "activityTitle": "MS teams addon testing please ignore",
      "activitySubtitle": "",
      "activityImage": "https://www.google.com/peralert",
      "facts": [
        {
          "name": "apple",
          "value": "This is an apple"
        },
        {
          "name": "bad",
          "value": "\\\\n"
        },
        {
          "name": "kiwi",
          "value": "This is a kiwi"
        },
        {
          "name": "mango",
          "value": "And I likes mango too"
        },
        {
          "name": "message",
          "value": "Test!"
        },
        {
          "name": "pears",
          "value": "This is a pear"
        },
        {
          "name": "ziziphus",
          "value": " No idea found in the Internet and start by Z!"
        }
      ],
      "markdown": false
    }
  ],
  "potentialAction": [
    {
      "@type": "OpenUri",
      "name": "Open first action",
      "targets": [
        {
          "os": "default",
          "uri": "https://www.splunk.com"
        }
      ]
    },
    {
      "@type": "OpenUri",
      "name": "Open Second action",
      "targets": [
        {
          "os": "default",
          "uri": "https://www.google.co.uk"
        }
      ]
    },
    {
      "@type": "HttpPOST",
      "name": "test ack",
      "target": "https://www.google.co.uk/post"
    }
  ]
}
Putting it in debug has revealed the problem is with my URL not being https
2020-10-09 14:15:42,290 WARNING pid=85256 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="the potential action URL configured does not target an https site, which is required for compliance purpose, the potential action has been disabled automatically."
Because our Splunk is internal only, it's only running http. I've tried unchecking the "SSL Certificate Validation" option in the configuration, but it seems that this relates only to the webhook.
Any chance there is an option or file change I can make to allow actions to plain http?
Thank you.
Hi @david_peacock
Right, I get the point now, and yes indeed, the alert action (that message you see) will not allow you to add an action link that is using http non SSL.
This is required for Splunk Cloud compliancy purposes I am afraid, otherwise the Add-on could not be allowed to be deployed on Splunk Cloud.
Unchecking the SSL will not help as it is relevant for the target of the Webhook only, not the links you add in the action buttons.
I would say that your fix is easy: run Splunk in https. No one should ever run Splunk in non SSL for Splunk Web.
You can even use the generated SSL cert if you can't have one; it's always better than being in HTTP.
And it's a 2 minute fix.
Guilhem
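The two conditions this thread turned up (the add-on drops a potential action whose URL is not https, and the poster's OpenUri target only worked with "os" set) can be checked on a card payload before an alert is configured. The Python below is an added example, not the add-on's own code: the function names and the sample card are constructed for illustration, and holding HttpPOST targets to the same https rule is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample, modelled on the MessageCard JSON posted in the thread.
SAMPLE_CARD = {
    "@type": "MessageCard",
    "summary": "constructed example",
    "potentialAction": [
        {"@type": "OpenUri", "name": "View in Splunk",
         "targets": [{"os": "default", "uri": "http://splunk-test"}]},
        {"@type": "OpenUri", "name": "Open dashboard",
         "targets": [{"uri": "https://splunk.example.invalid/app/search"}]},
        {"@type": "HttpPOST", "name": "ack",
         "target": "https://splunk.example.invalid/ack"},
    ],
}


def is_https(url):
    """True only for an absolute https URL that has a host part."""
    parts = urlsplit(str(url).strip())
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def audit_actions(actions):
    """Return (action name, problem) pairs for a list of card actions."""
    findings = []
    for action in actions:
        name, kind = action.get("name", "<unnamed>"), action.get("@type")
        if kind == "OpenUri":
            targets = action.get("targets") or []
            if not targets:
                findings.append((name, "no targets"))
            for target in targets:
                if "os" not in target:
                    findings.append((name, 'target lacks "os"'))
                if not is_https(target.get("uri", "")):
                    findings.append((name, "uri is not https"))
        elif kind == "HttpPOST":
            # Assumption: hold POST targets to the same https rule.
            if not is_https(action.get("target", "")):
                findings.append((name, "target is not https"))
        elif kind == "ActionCard":
            # Nested form, as in the poster's manual POST to the webhook.
            findings.extend(audit_actions(action.get("actions") or []))
    return findings


def audit_potential_actions(card):
    """Audit the top-level potentialAction list of a MessageCard dict."""
    return audit_actions(card.get("potentialAction") or [])
```

Calling `audit_potential_actions(SAMPLE_CARD)` flags the plain-http Splunk link and the target with no "os" key, and passes the https POST target.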
