slack-alerts
Slack keyword alerts do not alert properly
Describe the bug
Slack offers keyword alerts for getting notifications when a specific keyword or phrase is mentioned. This means regardless of the channel's notification settings, if the keyword is mentioned, you'll get a notification (on both desktop and mobile) and a red badge next to the channel name (as if you had been @'ed). However, when using either incoming webhooks or Slack apps, keyword alerts do not work with the Splunk Slack Alerts app.
To Reproduce
Steps to reproduce the behavior:
- In Slack, go to the server's notification preferences. Under "My keywords", enter "Test Alert". Then go to a channel and set the channel's notification preferences to "Mentions".
- In Splunk, create an alert that will always trigger and add the Slack action to it. Set the channel to be the channel that you set notifications to "Mentions". Set the message to "Test Alert".
- Wait for the Splunk/Slack alert to trigger.
- Result: The message is sent, but you don't get a notification or badge.
Expected behavior
You should get a notification and badge.
Splunk Environment:
- Splunk Version: 9.0.4
- OS: MacOS
- Cloud: no
Client Environment: (if it's a UI issue)
- Browser Type: Chrome
- OS: MacOS
Additional context
It doesn't work because the icon_url and username fields are specified in the request JSON. Example:
{
  "channel": "XXXXX",
  "icon_url": "https://s3-us-west-2.amazonaws.com/slack-files2/bot_icons/2023-03-11/4935550179346_48.png",
  "username": "Splunk",
  "text": "Test Alert"
}
Even when you clear out those fields in the Slack Alerts setup page, the request JSON sets an empty string for those fields:
{
  "channel": "XXXXX",
  "icon_url": "",
  "username": "",
  "text": "Test Alert"
}
In order for keyword alerts to work, icon_url and username can't be present in the request JSON. They can instead be configured on the Slack app itself (from https://api.slack.com/apps).
This could be fixed by checking whether the fields are configured in the Slack Alerts setup in Splunk and, if not, not adding them to the request JSON.
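One way to implement the fix proposed above, as an added example rather than the Splunk Slack Alerts app's own code: the payload builder drops icon_url and username unless they are actually configured, and a small check lists any override keys still present before sending. The names `build_slack_payload`, `overrides_present` and the `settings` dict are hypothetical.

```python
import json

# Optional presentation overrides. Per the report above, their presence in the
# request JSON (even as "") stops Slack keyword alerts from firing.
OPTIONAL_OVERRIDES = ("icon_url", "username")


def build_slack_payload(settings):
    """Build the message body from alert-action settings (a plain dict).

    `settings` is a hypothetical stand-in for whatever the app reads from
    its setup page and the alert action.
    """
    channel = (settings.get("channel") or "").strip()
    text = settings.get("text") or ""
    if not channel or not text.strip():
        raise ValueError("channel and text are required")

    payload = {"channel": channel, "text": text}
    for key in OPTIONAL_OVERRIDES:
        value = settings.get(key)
        # Treat None, "" and whitespace-only values as "not configured",
        # so the key is omitted instead of being sent as an empty string.
        if isinstance(value, str) and value.strip():
            payload[key] = value.strip()
    return payload


def overrides_present(payload):
    """Return the override keys present in a payload, for a pre-send check."""
    return [key for key in OPTIONAL_OVERRIDES if key in payload]


if __name__ == "__main__":
    # Constructed sample: setup fields cleared, as in the second JSON above.
    cleared = {"channel": "XXXXX", "icon_url": "", "username": "",
               "text": "Test Alert"}
    print(json.dumps(build_slack_payload(cleared), indent=2))
```
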