All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Webhook Alert question

dpolochefm
Explorer
‎03-21-2019 07:11 AM

I tried using the slack app for sending alerts, but it is very limited in terms for what I can do. I have a webhook that I tested which sends the data in the correct format, but I am unable to get the tokens to properly populate. I know the URL below is for email notification, but the tokens appear to work in the slack app to some extent.

https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens

I am following the API guide: https://api.slack.com/methods/chat.postMessage

Below is the payload in the that is going into the "attachments" argument. 

[ {"fallback": "Application Warning",
"color": "#36a64f",
"pretext": "Unhandled Promise Rejection Warning",
"title": "Splunk Alert Link",
"title_link": "$results_link$",
"fields": [
    {  "title": "Event Timestamp",
        "value": "$result.eventTime$",
        "short": false},
    {  "title": "Error",
        "value": " ```$result.errorType$```",
        "short": false},
    {  "title": "Message",
        "value": "`$result.eventDetail$`",
        "short": true}]}]

The webhook works and I can verify it manually, but instead of getting actual information from the $token$ I just get the token name.

Slack Alert

This is the search I am using:

index=SEARCH DETAIL
----
| eval eventTime=strftime(_time, "%Y/%m/%d %I:%M%P") 
| eval eventDetail="combined fields"
| table eventTime eventDetail errorType

I tested the webhook URL and it works and sends the token variable, but not the actual token content when coming from Splunk.

Reply
Get Updates on the Splunk Community!