I tried using the Slack app for sending alerts, but it is very limited in terms of what I can do. I have a webhook that I tested which sends the data in the correct format, but I am unable to get the tokens to properly populate. I know the URL below is for email notification, but the tokens appear to work in the Slack app to some extent.
https://docs.splunk.com/Documentation/Splunk/latest/Alert/EmailNotificationTokens
I am following the API guide: https://api.slack.com/methods/chat.postMessage
Below is the payload that is going into the "attachments" argument.
[
  {
    "fallback": "Application Warning",
    "color": "#36a64f",
    "pretext": "Unhandled Promise Rejection Warning",
    "title": "Splunk Alert Link",
    "title_link": "$results_link$",
    "fields": [
      {
        "title": "Event Timestamp",
        "value": "$result.eventTime$",
        "short": false
      },
      {
        "title": "Error",
        "value": " ```$result.errorType$```",
        "short": false
      },
      {
        "title": "Message",
        "value": "`$result.eventDetail$`",
        "short": true
      }
    ]
  }
]
The webhook works and I can verify it manually, but instead of getting actual information from the $token$ I just get the token name.
This is the search I am using:
index=SEARCH DETAIL
----
| eval eventTime=strftime(_time, "%Y/%m/%d %I:%M%P")
| eval eventDetail="combined fields"
| table eventTime eventDetail errorType
I tested the webhook URL and it works and sends the token variable, but not the actual token content when coming from Splunk.
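As an added example (not from the post and not Splunk's own code), the Python below simulates the plain-text $token$ substitution a Splunk alert action performs on an attachment template like the one above, using the fields of the first result row, and reports which tokens have no matching field in the search's table output. The template string, sample rows and results link are constructed here; it assumes Splunk substitutes tokens as raw text without JSON escaping.

```python
import json
import re

# Matches $result.<field>$ and the global $results_link$ token.
TOKEN_RE = re.compile(r"\$(result\.[A-Za-z0-9_]+|results_link)\$")

# Constructed template carrying the same tokens as the post's payload.
ATTACHMENT_TEMPLATE = (
    '[{"fallback": "Application Warning", "color": "#36a64f", '
    '"pretext": "Unhandled Promise Rejection Warning", '
    '"title": "Splunk Alert Link", "title_link": "$results_link$", '
    '"fields": ['
    '{"title": "Event Timestamp", "value": "$result.eventTime$", "short": false}, '
    '{"title": "Error", "value": " ```$result.errorType$```", "short": false}, '
    '{"title": "Message", "value": "`$result.eventDetail$`", "short": true}]}]'
)


def render_attachments(template, first_result, results_link):
    """Replace tokens with values from the first result row (raw text, no
    escaping). Returns (rendered_text, list_of_unresolved_token_names)."""
    unresolved = []

    def repl(match):
        name = match.group(1)
        if name == "results_link":
            return results_link
        field = name[len("result."):]
        if field in first_result:
            return str(first_result[field])
        unresolved.append(name)
        return match.group(0)  # unknown token is left in place, as observed in the post

    return TOKEN_RE.sub(repl, template), unresolved


def validate(template, first_result, results_link):
    """Render, then check two failure modes: a field missing from the search's
    `table` clause (token stays literal) and a value containing quotes or
    newlines (breaks the JSON Slack receives)."""
    rendered, unresolved = render_attachments(template, first_result, results_link)
    try:
        json.loads(rendered)
        valid_json = True
    except ValueError:
        valid_json = False
    return rendered, unresolved, valid_json
```

Run validate() against a row shaped like the search's table output before wiring the template into the alert action; a non-empty unresolved list means a field name in the template does not match the search.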