All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Alert to MS Teams Is not Working

juliennerocafor
New Member
‎04-28-2020 11:38 PM

Hello, I'm new to Splunk and I am trying to send some alerts to MS Teams. My alert runs every 5 minutes.

alt text

I already installed the Microsoft Teams Webhook Alert Connector & Microsoft Teams Alerts in my Splunk Enterprise. I created a webhook in my MS Teams and added that to my Alert in Splunk although I'm still not receiving anything. On the other hand, I was able to get alerts from the Triggered Alerts.

alt text

Anything I missed on doing? Thank you in advanced for any help!

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

kd007
New Member
‎04-29-2020 06:38 AM

Hi juliennerocafort!
There are problems with two of the fields in the action:

  1. "Card Image URL" cannot be blank - make sure an image of some sort is in here. Needs to be a .PNG file and cannot be too big; not sure of the actual size limit. This can't be blank because otherwise Teams will not accept the webhook call.
  2. "Card Theme Hex Color" should not include the pound/hash (#) sign. Just put "DC143C" in this field.

Try that - that should work!

The other thing I'll suggest is to send body text with the alert. For example, using the query shown in your screenshot, pass a field called 'messagetext' to the alert. This is easily done with the strcat command like this:
source="test.log]" "error received" earliest=-5m latest=now | stats count | strcat "Error " fieldfromyoursearch " received " count " times." messagetext

To read more about the strcat command you can read Splunk's documentation here: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Strcat
You can also read our documentation on this alert action here:
https://www.groundsecurity.com/splunk-app-microsoft-teams-alert-cards/

Hope this helps - please let us know if you still have trouble getting it to work!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...