Slack
Deliver rich Slack notifications with channel overrides, emoji, and attachment blocks. Add slack under alert: with webhook or API-style settings per your workspace policy.
Start with Options when wiring credentials and endpoints; Full working example shows how they fit in a complete rule.
Options
Keys below match the ElastAlert 2 alerter. Shared rule fields such as alert_subject apply as described in Subject & body. Example fragments from the ElastAlert 2 reference appear indented under the option they illustrate (add your own name, type, index, and filter to make a full rule).
Required
- slack_webhook_url — The webhook URL generated by your Slack App. Follow the Slack incoming webhook quickstart to create a new webhook. Note that the advanced, interactive Slack formatting options, using the Block Kit components, are not supported.

  Legacy Incoming Webhooks: If you need to use the deprecated, legacy incoming webhooks in Slack then you can follow this next set of instructions to obtain the webhook URL.

- slack_webhook_url — The webhook URL that includes your auth data and the ID of the channel (room) you want to post to. Go to the Incoming Webhooks section in your Slack workspace (https://YOURWORKSPACE.slack.com/services/new/incoming-webhook), choose the channel, click Add Incoming Webhooks Integration, and copy the resulting URL. You can use a list of URLs to send to multiple channels.
Optional
- slack_username_override — By default Slack will use your username when posting to the channel. Use this option to change it (free text).
- slack_channel_override — Incoming webhooks have a default channel, but it can be overridden. A public channel can be specified "#other-channel", and a Direct Message with "@username".
- slack_emoji_override — By default ElastAlert 2 will use the :ghost: emoji when posting to the channel. You can use a different emoji per ElastAlert 2 rule. Any Apple emoji can be used; see Emojipedia (Apple) for names. If the slack_icon_url_override parameter is provided, emoji is ignored.
- slack_icon_url_override — By default ElastAlert 2 will use the :ghost: emoji when posting to the channel. You can provide icon_url to use a custom image. Provide the absolute address of the picture.
- slack_msg_color — By default the alert will be posted with the 'danger' color. You can also use 'good' or 'warning' colors.
- slack_parse_override — By default the notification message is escaped 'none'. You can also use 'full'.
- slack_text_string — Notification message you want to add.
- slack_proxy — By default ElastAlert 2 will not use a network proxy to send notifications to Slack. Set this option using hostname:port if you need to use a proxy. Only supports https.
- slack_alert_fields — You can add additional fields to your Slack alerts using this field. Specify the title using title and a value for the field using value. Additionally you can specify whether or not this field should be a short field using short: true.
  Example slack_alert_fields

      slack_alert_fields:
        - title: Host
          value: monitor.host
          short: true
        - title: Status
          value: monitor.status
          short: true
        - title: Zone
          value: beat.name
          short: true

- slack_ignore_ssl_errors — By default ElastAlert 2 will verify the SSL certificate. Set this option to True if you want to ignore SSL errors.
- slack_title — Sets a title for the message; this shows up as blue text at the start of the message.
- slack_title_link — You can add a link in your Slack notification by setting this to a valid URL. Requires slack_title to be set.
- slack_timeout — You can specify a timeout value, in seconds, for communicating with Slack. The default is 10. If a timeout occurs, the alert will be retried next time ElastAlert 2 cycles.
- slack_attach_kibana_discover_url — Enables the attachment of the kibana_discover_url to the Slack notification. The config generate_kibana_discover_url must also be True in order to generate the URL. Defaults to False.
  Example slack_attach_kibana_discover_url, slack_kibana_discover_color, slack_kibana_discover_title

      # (Required)
      generate_kibana_discover_url: True
      kibana_discover_app_url: "http://localhost:5601/app/discover#/"
      kibana_discover_index_pattern_id: "4babf380-c3b1-11eb-b616-1b59c2feec54"
      kibana_discover_version: "7.15"
      # (Optional)
      kibana_discover_from_timedelta:
        minutes: 10
      kibana_discover_to_timedelta:
        minutes: 10
      # (Required)
      slack_attach_kibana_discover_url: True
      # (Optional)
      slack_kibana_discover_color: "#ec4b98"
      slack_kibana_discover_title: "Discover in Kibana"

- slack_kibana_discover_color — The color of the Kibana Discover url attachment. Defaults to #ec4b98.
- slack_kibana_discover_title — The title of the Kibana Discover url attachment. Defaults to Discover in Kibana.
- slack_attach_opensearch_discover_url — Enables the attachment of the opensearch_discover_url to the slack notification. The config generate_opensearch_discover_url must also be True in order to generate the url. Defaults to False.
  Example slack_attach_opensearch_discover_url, slack_opensearch_discover_color, slack_opensearch_discover_title

      # (Required)
      generate_opensearch_discover_url: True
      opensearch_discover_app_url: "http://localhost:5601/app/discover#/"
      opensearch_discover_index_pattern_id: "4babf380-c3b1-11eb-b616-1b59c2feec54"
      opensearch_discover_version: "7.15"
      # (Optional)
      opensearch_discover_from_timedelta:
        minutes: 10
      opensearch_discover_to_timedelta:
        minutes: 10
      # (Required)
      slack_attach_opensearch_discover_url: True
      # (Optional)
      slack_opensearch_discover_color: "#ec4b98"
      slack_opensearch_discover_title: "Discover in opensearch"

- slack_opensearch_discover_color — The color of the Opensearch Discover url attachment. Defaults to #ec4b98.
- slack_opensearch_discover_title — The title of the Opensearch Discover url attachment. Defaults to Discover in Opensearch.
- slack_ca_certs — Set this option to True or a path to a CA cert bundle or directory (e.g. /etc/ssl/certs/ca-certificates.crt) to validate the SSL certificate.
- slack_footer — Add a static footer text for alert. Defaults to "".
- slack_footer_icon — A Public Url for a footer icon. Defaults to "".
- slack_image_url — An optional URL to an image file (GIF, JPEG, PNG, BMP, or SVG). Defaults to "".
- slack_thumb_url — An optional URL to an image file (GIF, JPEG, PNG, BMP, or SVG) that is displayed as thumbnail. Defaults to "".
- slack_author_name — An optional name used to identify the author. Defaults to "".
- slack_author_link — An optional URL used to hyperlink the author_name. Defaults to "".
- slack_author_icon — An optional URL used to display a 16x16 pixel icon beside the author_name. Defaults to "".
- slack_msg_pretext — You can set the message attachment pretext using this option. Defaults to "".
- slack_attach_jira_ticket_url — Add url to the jira ticket created. Only works if the Jira alert runs before Slack alert. Set the field to True in order to generate the url. Defaults to False.
- slack_jira_ticket_color — The color of the Jira Ticket url attachment. Defaults to #ec4b98.
- slack_jira_ticket_title — The title of the Jira Ticket url attachment. Defaults to Jira Ticket.
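
As an added example (not part of the ElastAlert 2 documentation or code base), this audit checks a parsed rule for the Slack options above that weaken delivery: a webhook destination other than https://hooks.slack.com, slack_ignore_ssl_errors, and Discover attachments that are enabled but not generated or whose link is plain http or local-only. The function names, the hooks.slack.com allow-list and the sample rules are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def redact(url):
    """Hide the secret path of a webhook URL so findings are safe to log."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/<redacted>"

def audit_slack_rule(rule):
    """Return (option, finding) pairs for risky Slack alerter settings."""
    findings = []
    urls = rule.get("slack_webhook_url") or []
    if isinstance(urls, str):  # the option accepts one URL or a list
        urls = [urls]
    for url in urls:
        p = urlsplit(url)
        # Assumption: this workspace's webhooks live on hooks.slack.com.
        if p.scheme != "https" or p.hostname != "hooks.slack.com":
            findings.append(("slack_webhook_url",
                             f"unexpected destination {redact(url)}"))
    if rule.get("slack_ignore_ssl_errors"):
        findings.append(("slack_ignore_ssl_errors", "certificate errors ignored"))
    for product in ("kibana", "opensearch"):
        if not rule.get(f"slack_attach_{product}_discover_url"):
            continue
        if not rule.get(f"generate_{product}_discover_url"):
            findings.append((f"generate_{product}_discover_url",
                             "must be True for the attachment to appear"))
        app = urlsplit(rule.get(f"{product}_discover_app_url", ""))
        if app.scheme != "https" or app.hostname in ("localhost", "127.0.0.1"):
            findings.append((f"{product}_discover_app_url",
                             "link is plain http or only resolves locally"))
    return findings

# Constructed sample rules, shown as the dicts a YAML loader would produce.
RISKY = {
    "slack_webhook_url": ["https://hooks.slack.com/services/XXX/YYY/ZZZ",
                          "http://relay.example.internal/hook/SECRET"],
    "slack_ignore_ssl_errors": True,
    "generate_kibana_discover_url": True,
    "slack_attach_kibana_discover_url": True,
    "kibana_discover_app_url": "http://localhost:5601/app/discover#/",
}
HARDENED = {
    "slack_webhook_url": "https://hooks.slack.com/services/XXX/YYY/ZZZ",
    "slack_ca_certs": "/etc/ssl/certs/ca-certificates.crt",
}

if __name__ == "__main__":
    for option, finding in audit_slack_rule(RISKY):
        print(f"{option}: {finding}")
```

Findings print the webhook host only, so the audit output can be stored in CI logs without exposing the auth data carried in the URL path.
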
Full working example
    name: Example alert for Slack
    type: any
    index: "*-*"
    filter:
      - query:
          query_string:
            query: "level:error OR log.level:error"
    alert:
      - "slack"
    slack_webhook_url: "https://hooks.slack.com/services/XXX/YYY/ZZZ"

See also Subject & body.