System requirements

  • Splunk version 6.3 or greater
  • Windows, Linux or Mac OS operating system

Installation

App installation requires admin privileges.

  • Navigate to "Manage apps" and click "Install app from file"
  • Upload the app bundle

Configuration

To set up the app, navigate to "Settings" -> "Alert actions" and click "Setup Slack Alerts".

On the setup screen, you'll need to supply a Slack App OAuth token. To set up a new Slack App for your workspace, follow the instructions on https://api.slack.com/apps.

Once the Slack App exists, grant it the chat:write and chat:write.public OAuth scopes in your Slack workspace. With these scopes the app can post messages to every public channel and to every user in the workspace without being invited first; it can additionally post to any private channel it has been added to. Treat the OAuth token as a credential: anyone holding it can post as the app with the same reach.

Deprecated configuration option

This alert action was originally built on Slack's Webhook URL functionality. Slack has deprecated that feature in favor of the Slack App method described above, and Webhook URL support may be removed in a future Slack release. For more information see https://slack.com/apps/A0F7XDUAZ-incoming-webhooks

If you still use the webhook method, supply a Webhook URL on the setup screen instead of an OAuth token. You can obtain this URL by configuring a custom integration for your Slack workspace.

Troubleshooting

Known issue with Setup

Setup page shows "I am Legend" setup_stub

After upgrading the Slack Alerts app, an issue can cause an invalid redirect from the alert actions listing page to the setup page. As a workaround, go to "Manage Apps" and click "Set up" there instead of using the Alert actions listing.

Alternatively, to fix it permanently, remove the is_configured flag from $SPLUNK_HOME/etc/apps/slack_alerts/local/app.conf and restart Splunk.

Logs

To investigate problems with the Slack alert action, check the logs of the alert action:

  • Navigate to "Settings" -> "Alert actions"
  • Click on "View log events" for the Slack alert action

You can also increase the verbosity of the logs generated by the alert action by raising the log level of the sendmodalert channel:

  • Navigate to "Settings" -> "Server settings" -> "Server logging"
  • Search for the log channel "sendmodalert"
  • Select logging level "DEBUG"

NOTE: This causes detailed logs to be produced for all alert actions, not only the Slack one, and may affect system performance. It is not recommended on a production system; revert the level to its default once you have what you need.

Manually trigger the alert action

You can manually trigger the Slack alert action to verify the configuration or to preview different parameter combinations.

For example:

| sendalert slack param.channel="#mychannel" param.message="Lorem ipsum"

Enter a similar SPL query into the search bar of the Splunk search interface to send a message manually.

Error Codes

If an error occurs when manually triggering the Slack alert action, an error code is returned (e.g. "Alert script returned error code 6.").

Here are the possible error codes returned by the slack alert action:

  • Error Code 2: Validation Failed

    This error code indicates that the parameters handed to the alert action were invalid. Check the configuration.

  • Error Code 3: Channel not found

    This error code is returned if the given Slack channel was not found.

  • Error Code 4: Forbidden

    Slack indicates that sending the message to the given channel is not allowed. Contact your Slack workspace administrator to find out about possible restrictions.

  • Error Code 5: HTTP failure

    This error code indicates a problem with executing the HTTP request to Slack (the Slack API or, for the deprecated method, the configured webhook URL). Possible reasons include network problems or proxy server problems. See the logs for details.

  • Error Code 6: Unexpected error

    An unexpected error occurred while attempting to send the slack message. See logs for details.
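The following is an added example, not the slack_alerts app's own code, written to show in one place how the OAuth-token configuration above and the exit codes in this table fit together: a minimal Splunk-style alert-action script that posts via chat.postMessage with a Bearer token and maps the outcome to exit codes 2 through 6 exactly as this README documents them. The function names, the reading of the token from a SLACK_TOKEN environment variable, the specific Slack "error" strings that are treated as "Forbidden", and the fake_opener test double are all assumptions of this example; the real app stores its token differently and may use other mappings.

```python
import json
import os
import sys
import urllib.error
import urllib.request

SLACK_API = "https://slack.com/api/chat.postMessage"

# Exit codes as listed under "Error Codes" in this README.
ERR_VALIDATION = 2
ERR_CHANNEL_NOT_FOUND = 3
ERR_FORBIDDEN = 4
ERR_HTTP = 5
ERR_UNEXPECTED = 6


def validate(params):
    """Both a channel and a message are required (error code 2 otherwise)."""
    if not (params.get("channel") or "").strip():
        return False, "param.channel is required"
    if not (params.get("message") or "").strip():
        return False, "param.message is required"
    return True, ""


def classify_response(body):
    """Map a chat.postMessage JSON reply to the README's exit codes.
    Assumption: these 'error' strings are what Slack returns for the
    documented conditions; the README itself only names the conditions."""
    if body.get("ok"):
        return 0
    err = body.get("error", "")
    if err == "channel_not_found":
        return ERR_CHANNEL_NOT_FOUND
    if err in ("not_in_channel", "restricted_action", "missing_scope",
               "not_authed", "invalid_auth"):
        return ERR_FORBIDDEN
    return ERR_UNEXPECTED


def post_message(token, channel, text, opener=urllib.request.urlopen):
    """POST to chat.postMessage. 'opener' is injectable so the transport can
    be stubbed offline. The token travels only in the Authorization header
    and is never written to stdout/stderr (which Splunk logs)."""
    req = urllib.request.Request(
        SLACK_API,
        data=json.dumps({"channel": channel, "text": text}).encode("utf-8"),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json; charset=utf-8"},
        method="POST",
    )
    try:
        with opener(req, timeout=10) as resp:
            return classify_response(json.loads(resp.read().decode("utf-8")))
    except urllib.error.HTTPError as e:
        return ERR_FORBIDDEN if e.code == 403 else ERR_HTTP
    except (urllib.error.URLError, OSError):
        return ERR_HTTP          # network or proxy problem
    except Exception:
        return ERR_UNEXPECTED


def run(payload, token, opener=urllib.request.urlopen):
    """Entry point given the JSON payload Splunk passes to alert scripts
    (assumed shape: {"configuration": {"channel": ..., "message": ...}})."""
    params = payload.get("configuration", {})
    ok, why = validate(params)
    if not ok:
        sys.stderr.write("ERROR " + why + "\n")
        return ERR_VALIDATION
    return post_message(token, params["channel"], params["message"], opener)


def fake_opener(body=None, http_status=None, unreachable=False):
    """Constructed offline stand-in for urllib.request.urlopen (test double)."""
    class _Resp:
        def __enter__(self): return self
        def __exit__(self, *exc): return False
        def read(self): return json.dumps(body).encode("utf-8")

    def _open(req, timeout=None):
        if unreachable:
            raise urllib.error.URLError("connection refused")
        if http_status is not None:
            raise urllib.error.HTTPError(SLACK_API, http_status, "", {}, None)
        return _Resp()
    return _open


if __name__ == "__main__":
    # Splunk invokes alert scripts with --execute and the payload on stdin;
    # reading the token from SLACK_TOKEN is an assumption of this example.
    payload = json.load(sys.stdin) if "--execute" in sys.argv else {}
    sys.exit(run(payload, os.environ.get("SLACK_TOKEN", "")))
```

The exception order matters: urllib's HTTPError is a subclass of URLError, which is itself an OSError, so an HTTP 403 is caught first and reported as "Forbidden" (4) while any other transport failure falls through to "HTTP failure" (5), matching the distinction the table above makes. Anything else, including a malformed response body, lands on "Unexpected error" (6).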