All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Alert to MS Teams Is not Working

juliennerocafor
New Member
‎04-28-2020 11:38 PM

Hello, I'm new to Splunk and I am trying to send some alerts to MS Teams. My alert runs every 5 minutes.

alt text

I already installed the Microsoft Teams Webhook Alert Connector & Microsoft Teams Alerts in my Splunk Enterprise. I created a webhook in my MS Teams and added that to my Alert in Splunk although I'm still not receiving anything. On the other hand, I was able to get alerts from the Triggered Alerts.

alt text

Anything I missed on doing? Thank you in advanced for any help!

Preview file
43 KB
Preview file
46 KB
0 Karma
Reply

kd007
New Member
‎04-29-2020 06:38 AM

Hi juliennerocafort!
There are problems with two of the fields in the action:

  1. "Card Image URL" cannot be blank - make sure an image of some sort is in here. Needs to be a .PNG file and cannot be too big; not sure of the actual size limit. This can't be blank because otherwise Teams will not accept the webhook call.
  2. "Card Theme Hex Color" should not include the pound/hash (#) sign. Just put "DC143C" in this field.

Try that - that should work!

The other thing I'll suggest is to send body text with the alert. For example, using the query shown in your screenshot, pass a field called 'messagetext' to the alert. This is easily done with the strcat command like this:
source="test.log]" "error received" earliest=-5m latest=now | stats count | strcat "Error " fieldfromyoursearch " received " count " times." messagetext

To read more about the strcat command you can read Splunk's documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Strcat
You can also read our documentation on this alert action here:
https://www.groundsecurity.com/splunk-app-microsoft-teams-alert-cards/

Hope this helps - please let us know if you still have trouble getting it to work!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...