
Have you ever made an integration splunk-slack?

DiegoAlba
Explorer

I'm currently indexing events from a Slack team; I am indexing data from different channels, but not all channels. I checked whether the channels that I want to index are private on Slack, but they are not private. I am indexing from 375 channels but not from the one that I want. I guess that this is a Slack restriction... Can someone help this soul?

joseft
Explorer

The Splunk account needs to be the Super (World?) admin (highest level), otherwise it can only read its own messages. Alternatively, it can be a member of a group. A bit of a pain really.

0 Karma

Roy_9
Motivator

@joseft I made this integration with admin level but I am not seeing any messages from Slack public channels to splunk

0 Karma

joseft
Explorer

Start small: send a message from Slack to the Splunk user. The Slack permissions are a bit of a pig. I believe there was a callback that you had to do the first time - sort of a 2-step authentication.

Start by taking Splunk out of the equation and use Postman to test it (it has a faster turnaround). It's been a while, but I think that Slack was more flexible if done as a REST API.

 

0 Karma

joseft
Explorer

The documentation states that you need the following scopes:
admin
channel.history

In fact you also need:
channels:read
users:read
team:read

To test what is going on, you need Postman (the app error messages are as good as the documentation). Test the API calls listed in slack_messages.py and slack_logins.py (look for api_call). Then get the examples from https://api.slack.com/methods and you are set.

"Other that that Mrs. Lincoln, how did you enjoy the play"
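The two replies above boil down to one procedure: take Splunk out of the loop, call the Slack Web API directly with the token the add-on will use, and read Slack's own error fields to find out whether the problem is a missing scope or channel membership. The script below is an added example written for this thread; it is not code from the Slack app for Splunk add-on or from any poster. It uses only the public Slack methods auth.test, conversations.list and conversations.history and Slack's documented error fields (ok, error, needed, provided). Everything else is an assumption: the SLACK_TOKEN environment variable, the REQUIRED_SCOPES set (taken from the scope list in the reply above), and the fake_transport responses, which are constructed to mimic Slack's JSON shape and are not real workspace data.

```python
"""Diagnose why a Slack token sees no channel history, before involving Splunk.

Added example for this thread, not the add-on's code. Real calls go through
http_transport(token); fake_transport returns constructed responses so the
script runs offline and the verdict logic can be exercised without a token.
"""
import json
import os
import urllib.parse
import urllib.request

SLACK_API = "https://slack.com/api/"

# Scopes listed in the thread as needed for message history plus channel/user lookups.
# Assumption: this set is what the add-on's data input requires for public channels.
REQUIRED_SCOPES = {"channels:history", "channels:read", "users:read", "team:read"}


def http_transport(token):
    """Real transport: POST form-encoded args to the Slack Web API with a bearer token."""
    def call(method, **args):
        data = urllib.parse.urlencode(args).encode()
        req = urllib.request.Request(SLACK_API + method, data=data,
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read())
    return call


def fake_transport(method, **args):
    """Constructed offline responses in Slack's JSON shape (not real data)."""
    if method == "auth.test":
        return {"ok": True, "team": "example-team", "user_id": "U000000"}
    if method == "conversations.list":
        return {"ok": True, "channels": [
            {"id": "C001", "name": "general", "is_member": True},
            {"id": "C002", "name": "secops", "is_member": False},
            {"id": "C003", "name": "private-ir", "is_member": False},
        ]}
    if method == "conversations.history":
        return {
            "C001": {"ok": True, "messages": [{"type": "message", "text": "hello"}]},
            "C002": {"ok": False, "error": "not_in_channel"},
            "C003": {"ok": False, "error": "missing_scope",
                     "needed": "groups:history",
                     "provided": "channels:history,channels:read"},
        }[args["channel"]]
    raise ValueError(f"unexpected method {method}")


def describe_error(resp):
    """Turn Slack's error fields into an actionable verdict."""
    err = resp.get("error", "unknown_error")
    if err == "missing_scope":
        return (f"missing_scope: token needs {resp.get('needed')} "
                f"(has {resp.get('provided')}); reinstall the app after adding it")
    if err == "not_in_channel":
        return "not_in_channel: invite the app/user to this channel, then retry"
    if err == "channel_not_found":
        return "channel_not_found: wrong ID, or the token's workspace cannot see it"
    return err


def missing_scopes(provided):
    """Compare a comma-separated scope list (Slack's `provided` field, or the
    x-oauth-scopes response header on a real call) against REQUIRED_SCOPES."""
    have = {s.strip() for s in provided.split(",") if s.strip()}
    return sorted(REQUIRED_SCOPES - have)


def diagnose(call):
    """auth.test -> conversations.list -> conversations.history per channel.
    Returns {"fatal": reason or None, "channels": [(name, is_member, verdict), ...]}."""
    auth = call("auth.test")
    if not auth.get("ok"):
        return {"fatal": f"auth.test failed: {describe_error(auth)}", "channels": []}
    listing = call("conversations.list", types="public_channel,private_channel", limit=200)
    if not listing.get("ok"):
        return {"fatal": f"conversations.list failed: {describe_error(listing)}", "channels": []}
    results = []
    for ch in listing["channels"]:
        hist = call("conversations.history", channel=ch["id"], limit=1)
        if hist.get("ok"):
            verdict = f"ok ({len(hist.get('messages', []))} message(s) visible)"
        else:
            verdict = describe_error(hist)
        results.append((ch["name"], bool(ch.get("is_member")), verdict))
    return {"fatal": None, "channels": results}


if __name__ == "__main__":
    token = os.environ.get("SLACK_TOKEN")          # assumption: token passed via env var
    report = diagnose(http_transport(token) if token else fake_transport)
    if report["fatal"]:
        print(report["fatal"])
    for name, member, verdict in report["channels"]:
        print(f"#{name:<12} member={member!s:<5} {verdict}")
```

Run it without SLACK_TOKEN to see the three verdicts the constructed data produces (readable history, not a member, missing scope); run it with a real bot or user token to get the same verdict table for your own workspace. A channel that shows `not_in_channel` with `is_member=False` is the membership problem the thread describes, and adding the channel to the app does not require any new scope; a `missing_scope` verdict means the app manifest must be changed and the app reinstalled so the token is reissued.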

Roy_9
Motivator

Hi @joseft,

I have created the Slack custom app and gave it the scope channels:history. Using the Slack app for Splunk add-on, I installed it on the SH and configured the data input slack:messages, but I am not seeing any events from Slack. While creating the input in Splunk, I gave the OAuth token, index, sourcetype and initial days to load the data.

Can you please help me out on this, if anything else needs to be configured.

 

Thanks

0 Karma