Slack Webhook Alert

biec1
Explorer

Hello Experts,

Version : Splunk Enterprise 7.0.2

We have configured alerts from scheduled search which successfully sends alerts to slack.
Using "Slack Webhook Alert" with $result.fieldname$ .

Currently we have a problem of formatting the appearance of message in slack.
Please provide some documents or resources where the formatting in Splunk can be done, so that the message looks good in Slack.

Thank you.

sjodle
Path Finder

Slack's official formatting guide is a good resource.

https://get.slack.help/hc/en-us/articles/202288908-Format-your-messages

For example, you can create *bold*, ~strikethrough~ or _italic_ text, >quotes, or `code blocks`.

0 Karma

biec1
Explorer

With \n I could not get the line break.
I have used "Line1.\nLine2" and also Line1.\nLine2 in the Slack Message field of the Slack Webhook Alert.
Thank you for the help.

Could you please help.

0 Karma

sjodle
Path Finder

Don't use \n.

If you're editing through the GUI, you can just hit return to add a line break. If you're editing the conf file directly, add a \ and then a newline like so:

slack_message = New alert fired:\
$result.interestingField$
0 Karma

biec1
Explorer

I am editing through the GUI.

My Splunk query generates the following output. All the hosts in one line. The output is dynamic, the values and the count will vary.
Header
/host1 /host2 /host3 /host4 /host5

My requirement is to show each host in a new line. So that the output looks as below:-

Header
/host1
/host2
/host3
/host4
/host5

0 Karma

sjodle
Path Finder

You can use a rex command in your search to convert the spaces in this field into newlines, which should translate to newlines in Slack:

.... | rex mode=sed field=myfield "s/ /\n/g"

Of course, replace "myfield" with the name of the field containing the list of hosts.

0 Karma

burwell
SplunkTrust

So, building on what @sjodle suggests, here's what works best for me when I want to list a set of hosts in a Slack window with a carriage return after each name.

  1. add space to the end of host name
  2. create new field name affected_hosts using values(host) so we have one field with all host names
  3. modify the new field to replace spaces with carriage return
  4. finally: use the field $result.affected_hosts$ in your slack message

<your search here>
| eval host=host+" "
| stats values(host) as affected_hosts
| rex mode=sed field=affected_hosts "s/ /\n/g"

0 Karma
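To make the two answers above concrete (sjodle's sed-style replacement and burwell's affected_hosts recipe), here is an added Python example that is not part of this thread or of the Slack Webhook Alert app: it substitutes $result.field$ tokens from a constructed result row, turns the space-separated host list into one host per line, and builds the JSON body an incoming webhook expects. The field names, sample values and the mrkdwn escaping helper are assumptions for illustration; Slack's own formatting docs require &, < and > to be escaped in message text.

```python
import json
import re

# Constructed sample row, as a scheduled search would hand it to the
# Slack Webhook Alert through $result.<field>$ tokens (assumed values).
SAMPLE_RESULT = {
    "Header": "Disk usage critical",
    "affected_hosts": "/host1 /host2 /host3 /host4 /host5",
}

TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def hosts_to_lines(value: str) -> str:
    """Emulate `rex mode=sed field=affected_hosts "s/ /\\n/g"`: every space
    becomes a real newline character, so Slack renders one host per line."""
    return re.sub(r" ", "\n", value)


def escape_mrkdwn(text: str) -> str:
    """Slack treats &, < and > as control characters in message text, so a
    value such as '<host>' would be swallowed unless escaped first."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def render_message(template: str, result: dict) -> str:
    """Substitute $result.field$ tokens with escaped values from the row.
    A field missing from the row renders as an empty string."""
    return TOKEN_RE.sub(lambda m: escape_mrkdwn(result.get(m.group(1), "")), template)


def render_alert(template: str, result: dict, list_field: str = "affected_hosts") -> str:
    """Apply the host-per-line conversion to one field, then fill the template."""
    row = dict(result)
    if list_field in row:
        row[list_field] = hosts_to_lines(row[list_field])
    return render_message(template, row)


def build_payload(template: str, result: dict) -> str:
    """Return the webhook body ({"text": ...}). json.dumps encodes a real
    newline as the two characters \\n, which Slack turns back into a break."""
    return json.dumps({"text": render_alert(template, result)})


if __name__ == "__main__":
    # A literal backslash-n typed into the GUI stays two characters: no break.
    print(render_message(r"Line1.\nLine2", SAMPLE_RESULT))
    # A real newline in the template (Enter in the GUI) does break the line.
    print(build_payload("*$result.Header$*\n$result.affected_hosts$", SAMPLE_RESULT))
```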