
Slack Webhook Alert

biec1
Explorer

Hello Experts,

Version : Splunk Enterprise 7.0.2

We have configured alerts from scheduled search which successfully sends alerts to slack.
Using "Slack Webhook Alert" with $result.fieldname$ .

Currently we have a problem of formatting the appearance of message in slack.
Please provide some documents or resources where the formatting in splunk can be done,so that the message looks good in slack.

Thank you.


sjodle
Path Finder

Slack's official formatting guide is a good resource.

https://get.slack.help/hc/en-us/articles/202288908-Format-your-messages

For example, you can create *bold*, ~strikethrough~ or _italic_ text, >quotes, or code blocks.

0 Karma

biec1
Explorer

With \n I could not get the line break.
I have used "Line1.\nLine2" and also Line1.\nLine2 in the Slack Message field of the Slack Webhook Alert.
Thank you for the help.

Could you please help.

0 Karma

sjodle
Path Finder

Don't use \n.

If you're editing through the GUI, you can just hit return to add a line break. If you're editing the conf file directly, add a \ and then a newline like so:

slack_message = New alert fired:\
$result.interestingField$

0 Karma

biec1
Explorer

I am editing through the GUI.

My Splunk query generates the following output. All the hosts in one line. The output is dynamic, the values and the count will vary.
Header
/host1 /host2 /host3 /host4 /host5

My requirement is to show each host on a new line, so that the output looks as below:

Header
/host1
/host2
/host3
/host4
/host5

0 Karma

sjodle
Path Finder

You can use a rex command in your search to convert the spaces in this field into newlines, which should translate to newlines in Slack:

.... | rex mode=sed field=myfield "s/ /\n/g"

Of course, replace "myfield" with the name of the field containing the list of hosts.

0 Karma

burwell
SplunkTrust

So, building on what @sjodle suggests, here's what works best for me when I want to list a set of hosts in a Slack window with carriage returns after each name.

  1. add a space to the end of each host name
  2. create a new field named affected_hosts using values(host) so we have one field with all host names
  3. modify the new field to replace spaces with carriage returns
  4. finally: use the field $result.affected_hosts$ in your slack message


<your search here>
| eval host=host+" "
| stats values(host) as affected_hosts
| rex mode=sed field=affected_hosts "s/ /\n/g"


0 Karma
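The two answers above (the rex space-to-newline transform and burwell's full search) only show the Splunk side. The added Python example below is not from the thread or from the Slack Webhook Alert app; it emulates what happens after the search runs, under stated assumptions: a constructed result row, a simple stand-in for Splunk's $result.fieldname$ token expansion, and the JSON body a Slack incoming webhook expects. It shows why a literal backslash-n typed into the GUI never renders as a line break (it stays two characters in the payload) while a real newline does, and it entity-escapes &, < and > in substituted field values, which Slack's message formatting rules require so that a host name or other field value is never parsed as a link or reference.

```python
import json
import re

# Constructed sample row, as the stats step in burwell's search would
# produce it before the rex command (each host name followed by a space).
SAMPLE_RESULT = {
    "Header": "Header",
    "affected_hosts": "/host1 /host2 /host3 /host4 /host5 ",
}

# Matches Splunk-style result tokens such as $result.affected_hosts$.
# This is a stand-in for Splunk's own substitution, not its implementation.
TOKEN = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def spaces_to_newlines(value: str) -> str:
    """Same effect as `rex mode=sed field=... "s/ /\\n/g"`: every space
    becomes a real newline character. The trailing separator left by
    `eval host=host+" "` is dropped so the message does not end blank."""
    return re.sub(r" ", "\n", value).rstrip("\n")


def slack_escape(text: str) -> str:
    """Escape the three characters Slack treats specially in message text,
    so a field value is displayed literally instead of being interpreted."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def expand_tokens(template: str, result: dict) -> str:
    """Replace $result.<field>$ with the escaped field value; unknown
    fields expand to an empty string. The template itself is not escaped,
    so the author's own Slack formatting (e.g. >quotes) is preserved."""
    return TOKEN.sub(lambda m: slack_escape(result.get(m.group(1), "")), template)


def build_payload(template: str, result: dict) -> dict:
    """Minimal incoming-webhook body: Slack reads the message from "text"."""
    return {"text": expand_tokens(template, result)}


def demo():
    """Return the payloads for a template with a real newline (what you get
    by pressing return in the GUI) and one with a literal backslash-n."""
    result = dict(SAMPLE_RESULT)
    result["affected_hosts"] = spaces_to_newlines(result["affected_hosts"])
    good = build_payload("New alert fired:\n$result.affected_hosts$", result)
    # Typing the two characters \ and n into the GUI field yields this:
    bad = build_payload("New alert fired:\\n$result.affected_hosts$", result)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    # json.dumps turns the real newline into the JSON escape \n, which Slack
    # decodes back to a line break; the literal backslash-n becomes \\n.
    print(json.dumps(good))
    print(json.dumps(bad))
```

Running the block prints the two JSON bodies side by side: the first carries `\n` escapes that Slack decodes into line breaks, the second carries `\\n`, which Slack shows as the visible text `\n`, exactly the symptom biec1 reported.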