Slack action
editSlack action
editUse the slack
action to send messages to a Slack
team’s channels or users. To send Slack messages, you need to
configure at least one Slack account in
elasticsearch.yml
.
Configuring Slack actions
editYou configure Slack actions in the actions
array. Action-specific attributes
are specified using the slack
keyword.
The following snippet shows a simple slack action definition:
Using attachments to format Slack messages
editIn addition to sending simple text-based messages, you can use the Slack attachment mechanism to send formatted messages. Watcher leverages Slack attachments to enable you to dynamically populate templated messages from the execution context payload.
The following snippet shows a standard message attachment:
"actions" : { "notify-slack" : { "throttle_period" : "5m", "slack" : { "account" : "team1", "message" : { "from" : "watcher", "to" : [ "#admins", "@chief-admin" ], "text" : "System X Monitoring", "attachments" : [ { "title" : "Errors Found", "text" : "Encountered {{ctx.payload.hits.total}} errors in the last 5 minutes (facepalm)", "color" : "danger" } ] } } } }
To define an attachment template that is dynamically populated from the payload,
you specify dynamic_attachments
in the watch action. For example, a dynamic
attachment could reference histogram buckets in the payload and build an
attachment per bucket.
In the following example, the watch input executes a search with a date histogram aggregation and the Slack action:
- Transforms the payload to a list where each item in the list holds the month, the user count for that month, and the color that represents the sentiment associated with that count (danger or bad).
- Defines an attachment template that references items in the list generated by the transform.
"input" : { "search" : { "request" : { "body" : { "aggs" : { "users_per_month" : { "date_histogram" : { "field" : "@timestamp", "interval" : "month" } } } } } } }, ... "actions" : { "notify-slack" : { "throttle_period" : "5m", "transform" : { "script" : { "source" : "['items': ctx.payload.aggregations.users_per_month.buckets.collect(bucket -> ['count': bucket.doc_count, 'name': bucket.key_as_string, 'color': bucket.doc_count < 100 ? 'danger' : 'good'])]", "lang" : "painless" } }, "slack" : { "account" : "team1", "message" : { "from" : "watcher", "to" : [ "#admins", "@chief-admin" ], "text" : "System X Monitoring", "dynamic_attachments" : { "list_path" : "ctx.payload.items" "attachment_template" : { "title" : "{{month}}", "text" : "Users Count: {{count}}", "color" : "{{color}}" } } } } } }
Slack action attributes
editName | Required | Description |
---|---|---|
|
no |
The sender name to display in the Slack message. Overrides the incoming webhook’s configured name. |
|
yes |
The channels and users you want to send the message
to. Channel names must start with |
|
no |
The icon to display in the Slack messages. Overrides the incoming webhook’s configured icon. Accepts a public URL to an image. |
|
yes |
The message content. |
|
no |
Slack message attachments. Message attachments enable you to create more richly-formatted messages. Specified array as defined in the Slack attachments documentation. |
|
no |
Slack message attachments that can be populated dynamically based on the current watch payload. For more information, see Using attachments to format Slack messages. |
|
no |
The proxy host to use (only in combination with |
|
no |
The proxy port to use (only in combination with |
Configuring Slack Accounts
editYou configure the accounts Watcher can use to communicate with Slack in the
xpack.notification.slack
namespace in elasticsearch.yml
.
You need a Slack webhook URL to configure a Slack account. To create a webhook URL, set up an an Incoming Webhook Integration through the Slack console:
- Log in to slack.com as a team administrator.
- Go to https://my.slack.com/services/new/incoming-webhook.
-
Select a default channel for the integration.
- Click Add Incoming Webhook Integration.
-
Copy the generated webhook URL so you can paste it into your Slack account configuration in
elasticsearch.yml
.
To configure a Slack account, at a minimum you need to specify the account name and webhook URL in the elasticsearch keystore (see secure settings):
bin/elasticsearch-keystore add xpack.notification.slack.account.monitoring.secure_url
You can also configure this via settings in the elasticsearch.yml
file by
removing the secure_
prefix, but using the keystore is the preferred and
secure way of doing this.
You can also specify defaults for the Slack notification attributes:
xpack.notification.slack: account: monitoring: message_defaults: from: x-pack to: notifications icon: http://example.com/images/watcher-icon.jpg attachment: fallback: "X-Pack Notification" color: "#36a64f" title: "X-Pack Notification" title_link: "https://www.elastic.co/guide/en/x-pack/current/index.html" text: "One of your watches generated this notification." mrkdwn_in: "pretext, text"
If you configure multiple Slack accounts, you either need to configure a default
account or specify which account the notification should be sent with in the
slack
action.
xpack.notification.slack: default_account: team1 account: team1: ... team2: ...