- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Slack Webhook Alert
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slack Webhook Alert
Hello Experts,
Version : Splunk Enterprise 7.0.2
We have configured alerts from scheduled search which successfully sends alerts to slack.
Using "Slack Webhook Alert" with $result.fieldname$ .
Currently we have a problem of formatting the appearance of message in slack.
Please provide some documents or resources where the formatting in splunk can be done,so that the message looks good in slack.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Slack's official formatting guide is a good resource.
https://get.slack.help/hc/en-us/articles/202288908-Format-your-messages
For example, you can create bold, ~strikethrough~ or italic text, >quotes, or code blocks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With \n i could not get the line brake.
I have used "Line1.\nLine2" and also Line1.\nLine2 in Slack Message of Slack Webhook Alert.
Thank you for the help.
Could you please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't use \n.
If you're editing through the GUI, you can just hit return to add a line break. If you're editing the conf file directly, add a \ and then a newline like so:
slack_message = New alert fired:\
$result.interestingField$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am editing through the GUI.
My Splunk query generates the following output. All the hosts in one line. The output is dynamic, the values and the count will vary.
Header
/host1 /host2 /host3 /host4 /host5
My requirement is to show each host in a new line. So that the output looks as below:-
Header
/host1
/host2
/host3
/host4
/host5
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use a rex command in your search to convert the spaces in this field into newlines, which should translate to newlines in Slack:
.... | rex mode=sed field=myfield "s/ /\n/g"
Of course, replace "myfield" with the name of the field containing the list of hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So build on what @sjodle suggests here's what works best for me when I want to list a set of hosts to list in a slack window with carriage returns after each name.
- add space to the end of host name
- create new field name affected_hosts using values(host) so we have one field with all host names
- modify the new field to replace spaces with carriage return
- finally: use the field $result.affected_hosts$ in your slack message
<your search here>
| eval host=host+" "
| stats values(host) as affected_hosts
| rex mode=sed field=affected_hosts "s/ /\n/g"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
