I got the Slack add-on from Function 1 and I put it on my forwarder. I had to use a legacy token, but when I start I get this error:
An error occurred updating credentials. Please ensure your user account has admin_all_objects and/or list_storage_passwords capabilities. Details: 'NoneType' object has no attribute 'storage_passwords'
All I configured was the token and max_days.
First, check if you have those capabilities.
Second, use this app https://splunkbase.splunk.com/app/2878/
Third and last, use WebHook on your Slack.