Send Splunk Alert To A Slack Channel

Hello Splunkers, when we talk about Splunk alert actions, the first thing that comes to mind is the email alert option. If you don't know how to set up email alerting in Splunk, please click here. But here we have come up with a new and interesting custom alert action. Do you know about Slack? Basically it is an instant-messaging tool for coordinating with your team members and with anyone else in your company. In this blog we will discuss how to send a customized message to a Slack channel from a triggered alert in Splunk.

Step-1
Download the “Slack Notification Alert” app from Splunkbase. It adds a “Slack” option to the alert action section. You can download the app from the link below.

https://splunkbase.splunk.com/app/2878/

Step-2
After downloading, install it in your Splunk instance. Go to the “Manage apps” section, select “Install app from file”, upload the file you downloaded from Splunkbase and save it.

Step-3
Once it is installed, select “Set up now”. Here you configure the Slack alert action.
The sender name and sender icon you enter here are what will be shown in your Slack channel.

To get the Webhook URL, first open a Slack account (if you don't already have one), then open the Apps section of Slack and search for “Incoming WebHooks”.
Keep in mind that the webhook URL is a credential: anyone who has it can post into your channel, so treat it like a password and don't leave it in screenshots, tickets or dashboards.

Step-4
Open “Incoming WebHooks”. You will then get an option to configure it.

Here choose the channel where you want your Splunk alerts posted. In my case I have selected a channel called “general”, then clicked “Add Incoming WebHooks integration”.

After that you will get the Webhook URL. Copy it and save the settings.

Step-5
Now that you have the Webhook URL, go back to the “Set up slack alert action” section in Splunk, paste it there and save.

Now we have successfully set up the Slack alert action.
Step-6
Now it's time to create an alert and check it in the Slack channel.
For that I am creating a sample query that generates three test rows, each with a status code and an HTTP method:

| makeresults 
| eval a="200,GET/300,POST/400,DELETE" , a=split(a,"/") 
| mvexpand a 
| table a 
| makemv delim="," a
| eval status=mvindex(a,0) , method=mvindex(a,1) 
| fields - a

Now choose “Save As” and then select the “Alert” option.
In the “Save As Alert” form, fill in the details (title, schedule and trigger condition).

In the “Add Actions” section you will now see a new option, “Slack”.

Click on it and enter a channel name; it must be an existing Slack channel. Then enter a message related to the alert, which is what will be shown in Slack, and save it.

Now we have successfully created our alert. To check it, open your Slack channel.

Here we are getting an alert message every two minutes (as per our CRON expression). In this way you can send a Splunk alert to a Slack channel.
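What the app does under the hood is an HTTP POST of a JSON body to the webhook URL. The script below is an example added to this post, not the Slack Notification Alert app's own code: a stripped-down stand-in for such a custom alert action. It reads the JSON payload Splunk hands to alert scripts on stdin when run with --execute, expands $result.field$ tokens in the message (the token style Splunk uses for alert parameters), escapes Slack's markup characters in field values so a log line containing <!channel> cannot page everyone or forge a link, refuses any URL that is not a Slack webhook, and reads the webhook from the SLACK_WEBHOOK_URL environment variable instead of hardcoding it. The sample alert payload, the splunk.example.com host and the assumption that the legacy Incoming WebHooks integration honours a channel override are all assumptions made for the example.

```python
"""Added example (not the Slack Notification Alert app's own code): a minimal
stand-in for a Splunk custom alert action that posts to a Slack incoming
webhook.  Splunk runs custom alert actions as `script.py --execute` and writes
a JSON payload to stdin; the keys read here (search_name, results_link,
configuration, result) are part of that payload.  SAMPLE_ALERT is constructed
to mimic it so the script also runs offline."""
import json
import os
import re
import sys
import urllib.request

# Slack incoming webhook URLs always start with this prefix. Anything else is
# either a typo or an attempt to redirect alert contents somewhere else.
SLACK_HOOK_PREFIX = "https://hooks.slack.com/services/"
TOKEN_RE = re.compile(r"\$result\.([A-Za-z0-9_]+)\$")


def slack_escape(value):
    """Escape the three characters Slack treats as markup control characters.
    Without this, a log field containing '<!channel>' would page the whole
    channel and '<http://evil.example|Open in Splunk>' would forge a link."""
    return (str(value).replace("&", "&amp;")
                      .replace("<", "&lt;")
                      .replace(">", "&gt;"))


def substitute_tokens(message, result):
    """Replace $result.<field>$ tokens with escaped values from the first
    result row.  Unknown fields become empty strings rather than leaking
    the raw token text into the channel."""
    return TOKEN_RE.sub(lambda m: slack_escape(result.get(m.group(1), "")), message)


def build_slack_payload(alert):
    """Turn the Splunk alert-action payload into a Slack incoming-webhook body.
    The 'channel' override is honoured by the legacy Incoming WebHooks
    integration used in the post (assumption); app-scoped webhooks ignore it."""
    config = alert["configuration"]
    result = alert.get("result") or {}
    text = f"*{slack_escape(alert['search_name'])}*: " + substitute_tokens(
        config.get("message", ""), result)
    if alert.get("results_link"):
        # Fixed link text and a URL that comes from Splunk itself: the one
        # place raw '<url|text>' link markup is deliberately allowed.
        text += f"\n<{alert['results_link']}|Open in Splunk>"
    return {"channel": config["channel"], "text": text, "mrkdwn": True}


def validate_webhook_url(url):
    """Refuse to send anywhere but Slack's webhook endpoint."""
    if not url.startswith(SLACK_HOOK_PREFIX):
        raise ValueError("not a Slack incoming webhook URL")
    return url


def post_to_slack(webhook_url, payload):
    """POST the JSON body; returns the HTTP status (Slack answers 200 'ok')."""
    req = urllib.request.Request(
        validate_webhook_url(webhook_url),
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample of what Splunk passes on stdin for the post's demo search.
SAMPLE_ALERT = {
    "search_name": "Slack alert demo",
    "results_link": "https://splunk.example.com/app/search/@go?sid=scheduler__demo",  # hypothetical host
    "configuration": {
        "channel": "#general",
        "message": "Status $result.status$ for method $result.method$",
    },
    "result": {"status": "200", "method": "GET"},
}


def main():
    alert = json.load(sys.stdin) if "--execute" in sys.argv else SAMPLE_ALERT
    payload = build_slack_payload(alert)
    # The webhook URL is a credential: read it from the environment (or, in a
    # real alert action, from Splunk's credential store), never from the
    # search string or the message text.
    url = os.environ.get("SLACK_WEBHOOK_URL")
    if not url:
        print(json.dumps(payload, indent=2))  # dry run: show what would be sent
        return 0
    print("slack responded", post_to_slack(url, payload))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it without SLACK_WEBHOOK_URL set to see the exact JSON that would reach Slack; set the variable to post for real. The escaping step is the part worth keeping even if you stay with the Splunkbase app: alert messages are built from search results, and search results are built from whatever the monitored systems logged, so a field value is attacker-influenced text until proven otherwise.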

Happy Splunking 🙂