All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Alert to MS Teams Is not Working

juliennerocafor
New Member
‎04-28-2020 11:38 PM

Hello, I'm new to Splunk and I am trying to send some alerts to MS Teams. My alert runs every 5 minutes.

alt text

I already installed the Microsoft Teams Webhook Alert Connector & Microsoft Teams Alerts in my Splunk Enterprise. I created a webhook in my MS Teams and added that to my Alert in Splunk although I'm still not receiving anything. On the other hand, I was able to get alerts from the Triggered Alerts.

alt text

Anything I missed on doing? Thank you in advanced for any help!

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

kd007
New Member
‎04-29-2020 06:38 AM

Hi juliennerocafort!
There are problems with two of the fields in the action:

  1. "Card Image URL" cannot be blank - make sure an image of some sort is in here. Needs to be a .PNG file and cannot be too big; not sure of the actual size limit. This can't be blank because otherwise Teams will not accept the webhook call.
  2. "Card Theme Hex Color" should not include the pound/hash (#) sign. Just put "DC143C" in this field.

Try that - that should work!

The other thing I'll suggest is to send body text with the alert. For example, using the query shown in your screenshot, pass a field called 'messagetext' to the alert. This is easily done with the strcat command like this:
source="test.log]" "error received" earliest=-5m latest=now | stats count | strcat "Error " fieldfromyoursearch " received " count " times." messagetext

To read more about the strcat command you can read Splunk's documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Strcat
You can also read our documentation on this alert action here:
https://www.groundsecurity.com/splunk-app-microsoft-teams-alert-cards/

Hope this helps - please let us know if you still have trouble getting it to work!

0 Karma
Reply
Get Updates on the Splunk Community!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...