Microsoft Teams messages publication addon does not create potential action button

david_peacock
Explorer

Hi All, 

I've just installed and been testing the Microsoft Teams messages publication add-on (4855 by @guilmxm). It generates alerts in Teams fine, but I cannot get it to output a potential action to link back to the Splunk results.

My configuration is as follows

Message Activity Title: Alert: $name$ - $job.resultCount$ events
Message fields list: API_APPLICATION, API_ENDPOINT
OpenURL Potential Action Name: View in Splunk
OpenURL Potential Action URL: $results_link$

potentialActionConfig.PNG

 

This results in a card which looks like this, with no action button

potentialActionResult.PNG

I don't know where the "E" and "P" are coming from. I've played about with the settings in a number of ways, but cannot get an action to appear. Perhaps I'm missing something. Nothing notable is shown in the log. 

If anybody has ideas or a working configuration they can share with me, that would be great. 
Thank you

guilmxm
SplunkTrust

Hi @david_peacock 

I believe this is linked to your fields being multi-value fields.

If you end your search, for example, with:

 

| foreach API_APPLICATION, API_ENDPOINT [ eval <<FIELD>> = mvjoin('<<FIELD>>', "|") ]

 

This would ensure that if you have a multivalue field, its values will be handled as a pipe-separated list instead.

Secondly, for the action button, the token may not be resulting in any value, which is why the add-on strips it automatically. I would advise you to try providing a static URI to a dashboard or a report instead to verify.

Let me know

Guilhem

david_peacock
Explorer

Thank you @guilmxm  for your very fast response. 

Your multi-value field suggestion, adding the join, stopped the "E" and "P" appearing on the card. 👍

However changing the "OpenURL Potential Action URL" to a static address, still does not show an action button.  

Actually I can add the $results_link$ tag to the title and it correctly expands to a valid URL. It must be for some other reason that the button does not show. 

I can POST the following to the webhook and the open url button works correctly. 

 

    "potentialAction": [{
       "@type": "ActionCard",
       "name": "View Results in Splunk",
       "actions": [{
            "@type": "OpenUri",
            "name": "View in Splunk",
            "targets": [
                { "os": "default", "uri":"http://splunk-test" }
                    ................

 

If I don't supply the "os": "default" it does not work. I cannot see the body the add-on is sending as my locked down environment does not allow me to send it to another webhook like "webhook.site".

Do you have any other ideas? 
Thank you. 


guilmxm
SplunkTrust

@david_peacock 

Right, odd, there seems to be something in your context.

Please enable the DEBUG mode in the logging level of the add-on. Then, if you get the alert to trigger, you will see in the logs the JSON data that is being sent to the API, and we can compare.

I shall try to have a look when possible; however, as far as I knew, it has always worked perfectly fine, unless MS changed a thing, but that'd be surprising.

guilmxm
SplunkTrust

@david_peacock 

The following is an example of the data sent in a REST call:

{
  "@type": "MessageCard",
  "@context": "http://schema.org/extensions",
  "themeColor": "0076D7",
  "summary": "MS teams addon testing please ignore",
  "sections": [
    {
      "activityTitle": "MS teams addon testing please ignore",
      "activitySubtitle": "",
      "activityImage": "https://www.google.com/peralert",
      "facts": [
        {
          "name": "apple",
          "value": "This is an apple"
        },
        {
          "name": "bad",
          "value": "\\\\n"
        },
        {
          "name": "kiwi",
          "value": "This is a kiwi"
        },
        {
          "name": "mango",
          "value": "And I likes mango too"
        },
        {
          "name": "message",
          "value": "Test!"
        },
        {
          "name": "pears",
          "value": "This is a pear"
        },
        {
          "name": "ziziphus",
          "value": " No idea found in the Internet and start by Z!"
        }
      ],
      "markdown": false
    }
  ],
  "potentialAction": [
    {
      "@type": "OpenUri",
      "name": "Open first action",
      "targets": [
        {
          "os": "default",
          "uri": "https://www.splunk.com"
        }
      ]
    },
    {
      "@type": "OpenUri",
      "name": "Open Second action",
      "targets": [
        {
          "os": "default",
          "uri": "https://www.google.co.uk"
        }
      ]
    },
    {
      "@type": "HttpPOST",
      "name": "test ack",
      "target": "https://www.google.co.uk/post"
    }
  ]
}

david_peacock
Explorer

Putting it in debug has revealed that the problem is with my URL not being https.

2020-10-09 14:15:42,290 WARNING pid=85256 tid=MainThread file=cim_actions.py:message:243 | sendmodaction - signature="the potential action URL configured does not target an https site, which is required for compliance purpose, the potential action has been disabled automatically."

Because our Splunk is internal only, it's only running http. I've tried unchecking the "SSL Certificate Validation" option in the configuration, but it seems that this relates only to the webhook.

Any chance there is an option or file change I can make to allow actions to plain http?

Thank you.


guilmxm
SplunkTrust

Hi @david_peacock 

Right, I get the point now, and yes indeed, the alert action (that message you see) will not allow you to add an action link that uses plain HTTP (non-SSL).

This is required for Splunk Cloud compliance purposes I am afraid, otherwise the add-on could not be allowed to be deployed on Splunk Cloud.

Unchecking the SSL option will not help, as it is relevant for the target of the webhook only, not the links you add in the action buttons.

I would say that your fix is easy: run Splunk in https. No one should ever run Splunk Web without SSL.
You can even use the generated SSL cert if you can't have one; it's always better than being in HTTP.
And it's a 2 minute fix.

Guilhem
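
As an added example (not the add-on's own code), the following Python sketch pre-checks a MessageCard's `potentialAction` entries against the two conditions reported in this thread: action URLs must be https, and `OpenUri` targets need an `"os"` key. The names `filter_actions`, `check_action` and `SAMPLE_CARD` are hypothetical, and the sample card is constructed from values quoted in the posts above.

```python
from urllib.parse import urlsplit

def is_https(url):
    """True only for an absolute https:// URL with a host part."""
    parts = urlsplit(url or "")
    return parts.scheme.lower() == "https" and bool(parts.netloc)

def check_action(action):
    """Return a list of problems found in one potentialAction entry."""
    kind, problems = action.get("@type"), []
    if kind == "OpenUri":
        targets = action.get("targets") or []
        if not targets:
            problems.append("no targets")
        for target in targets:
            if "os" not in target:  # reported in the thread as required
                problems.append("target without 'os'")
            if not is_https(target.get("uri")):
                problems.append("non-https uri: %r" % target.get("uri"))
    elif kind == "HttpPOST":
        if not is_https(action.get("target")):
            problems.append("non-https target: %r" % action.get("target"))
    elif kind == "ActionCard":  # nested form used in the manual POST test
        for inner in action.get("actions") or []:
            problems.extend(check_action(inner))
    else:
        problems.append("unhandled @type: %r" % kind)
    return problems

def filter_actions(card):
    """Split a card's potentialAction list into (kept, dropped)."""
    kept, dropped = [], []
    for action in card.get("potentialAction") or []:
        problems = check_action(action)
        if problems:
            dropped.append((action.get("name"), problems))
        else:
            kept.append(action)
    return kept, dropped

# Constructed sample: an http link, an https link, and an empty token value.
SAMPLE_CARD = {"@type": "MessageCard", "potentialAction": [
    {"@type": "OpenUri", "name": "View in Splunk",
     "targets": [{"os": "default", "uri": "http://splunk-test"}]},
    {"@type": "OpenUri", "name": "Open first action",
     "targets": [{"os": "default", "uri": "https://www.splunk.com"}]},
    {"@type": "OpenUri", "name": "Empty token",
     "targets": [{"os": "default", "uri": ""}]},
]}

if __name__ == "__main__":
    kept, dropped = filter_actions(SAMPLE_CARD)
    print("kept:", [a["name"] for a in kept])
    for name, problems in dropped:
        print("dropped:", name, problems)
```
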
