Hello Experts,
Version : Splunk Enterprise 7.0.2
We have configured alerts from a scheduled search, which successfully sends alerts to Slack.
Using "Slack Webhook Alert" with $result.fieldname$.
Currently we have a problem formatting the appearance of the message in Slack.
Please provide some documents or resources where the formatting in Splunk can be done, so that the message looks good in Slack.
Thank you.
Slack's official formatting guide is a good resource.
https://get.slack.help/hc/en-us/articles/202288908-Format-your-messages
For example, you can create bold, ~strikethrough~ or italic text, >quotes, or code blocks.
With \n I could not get the line break.
I have used "Line1.\nLine2" and also Line1.\nLine2 in Slack Message of Slack Webhook Alert.
Thank you for the help.
Could you please help?
Don't use \n.
If you're editing through the GUI, you can just hit return to add a line break. If you're editing the conf file directly, add a \ and then a newline like so:
slack_message = New alert fired:\
$result.interestingField$
I am editing through the GUI.
My Splunk query generates the following output. All the hosts in one line. The output is dynamic, the values and the count will vary.
Header
/host1 /host2 /host3 /host4 /host5
My requirement is to show each host in a new line. So that the output looks as below:-
Header
/host1
/host2
/host3
/host4
/host5
You can use a rex command in your search to convert the spaces in this field into newlines, which should translate to newlines in Slack:
.... | rex mode=sed field=myfield "s/ /\n/g"
Of course, replace "myfield" with the name of the field containing the list of hosts.
So building on what @sjodle suggests, here's what works best for me when I want to list a set of hosts in a Slack window with carriage returns after each name.
<your search here>
| eval host=host+" "
| stats values(host) as affected_hosts
| rex mode=sed field=affected_hosts "s/ /\n/g"
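
An added example (not code from any post in this thread, and not the Slack alert app's own code) showing why a typed \n arrives in Slack as two literal characters while a real line break, whether from Return in the GUI or from the rex substitution, survives. It assumes the alert action JSON-encodes the message into an incoming-webhook body of the form {"text": ...}; the function names and sample values are constructed for illustration, and the escaping of &, < and > follows Slack's formatting rules for text taken from result fields.

```python
import json

# Constructed sample: the space-separated field value from the question.
SAMPLE_HOSTS = "/host1 /host2 /host3 /host4 /host5"


def escape_slack(text):
    """Escape &, < and >, the characters Slack reads as message markup."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def one_per_line(field_value):
    """Like rex mode=sed "s/ /\\n/g" on single-spaced values: real newlines."""
    return "\n".join(field_value.split())


def webhook_body(message):
    """Assumed request body for an incoming webhook: a JSON object with 'text'."""
    return json.dumps({"text": message})


def newlines_received(body):
    """Count the line breaks the receiver sees after decoding the JSON body."""
    return json.loads(body)["text"].count("\n")


# Backslash + 'n' typed into a form field is two ordinary characters;
# JSON encoding escapes the backslash, so Slack displays "\n" verbatim.
typed = webhook_body(r"Line1.\nLine2")

# A real line break is one character and is encoded as the JSON escape \n.
real = webhook_body("Line1.\nLine2")

# Host list from a result field: escape first, then put one host per line.
hosts = webhook_body("Header\n" + one_per_line(escape_slack(SAMPLE_HOSTS)))

if __name__ == "__main__":
    for label, body in (("typed", typed), ("real", real), ("hosts", hosts)):
        print(label, body, newlines_received(body))
```
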