- X-Pack Reference for 6.0-6.2 and 5.x:
- Introduction
- Setting Up X-Pack
- Breaking Changes
- X-Pack APIs
- Graphing Connections in Your Data
- Profiling your Queries and Aggregations
- Reporting from Kibana
- Securing the Elastic Stack
- Getting Started with Security
- How Security Works
- Setting Up User Authentication
- Configuring SAML Single-Sign-On on the Elastic Stack
- Configuring Role-based Access Control
- Auditing Security Events
- Encrypting Communications
- Restricting Connections with IP Filtering
- Cross Cluster Search, Tribe, Clients and Integrations
- Reference
- Monitoring the Elastic Stack
- Alerting on Cluster and Index Events
- Machine Learning in the Elastic Stack
- Troubleshooting
- Getting Help
- X-Pack security
- Can’t log in after upgrading to 6.2.4
- Some settings are not returned via the nodes settings API
- Authorization exceptions
- Users command fails due to extra arguments
- Users are frequently locked out of Active Directory
- Certificate verification fails for curl on Mac
- SSLHandshakeException causes connections to fail
- Common SSL/TLS exceptions
- Internal Server Error in Kibana
- Setup-passwords command fails due to connection failure
- X-Pack Watcher
- X-Pack monitoring
- X-Pack machine learning
- Limitations
- License Management
- Release Notes
WARNING: Version 6.2 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Slack Action
editSlack Action
editUse the slack
action to send messages to a Slack
team’s channels or users. To send Slack messages, you need to
configure at least one Slack account in
elasticsearch.yml
.
Configuring Slack Actions
editYou configure Slack actions in the actions
array. Action-specific attributes
are specified using the slack
keyword.
The following snippet shows a simple slack action definition:
Using Attachments to Format Slack Messages
editIn addition to sending simple text-based messages, you can use the Slack attachment mechanism to send formatted messages. Watcher leverages Slack attachments to enable you to dynamically populate templated messages from the execution context payload.
The following snippet shows a standard message attachment:
"actions" : { "notify-slack" : { "throttle_period" : "5m", "slack" : { "account" : "team1", "message" : { "from" : "watcher", "to" : [ "#admins", "@chief-admin" ], "text" : "System X Monitoring", "attachments" : [ { "title" : "Errors Found", "text" : "Encountered {{ctx.payload.hits.total}} errors in the last 5 minutes (facepalm)", "color" : "danger" } ] } } } }
To define an attachment template that is dynamically populated from the payload,
you specify dynamic_attachments
in the watch action. For example, a dynamic
attachment could reference histogram buckets in the payload and build an
attachment per bucket.
In the following example, the watch input executes a search with a date histogram aggregation and the Slack action:
- Transforms the payload to a list where each item in the list holds the month, the user count for that month, and the color that represents the sentiment associated with that count (danger or bad).
- Defines an attachment template that references items in the list generated by the transform.
"input" : { "search" : { "request" : { "body" : { "aggs" : { "users_per_month" : { "date_histogram" : { "field" : "@timestamp", "interval" : "month" } } } } } } }, ... "actions" : { "notify-slack" : { "throttle_period" : "5m", "transform" : { "script" : { "source" : "['items': ctx.payload.aggregations.users_per_month.buckets.collect(bucket -> ['count': bucket.doc_count, 'name': bucket.key_as_string, 'color': bucket.doc_count < 100 ? 'danger' : 'good'])]", "lang" : "painless" } }, "slack" : { "account" : "team1", "message" : { "from" : "watcher", "to" : [ "#admins", "@chief-admin" ], "text" : "System X Monitoring", "dynamic_attachments" : { "list_path" : "ctx.payload.items" "attachment_template" : { "title" : "{{month}}", "text" : "Users Count: {{count}}", "color" : "{{color}}" } } } } } }
Slack Action Attributes
editName | Required | Description |
---|---|---|
|
no |
The sender name to display in the Slack message. Overrides the incoming webhook’s configured name. |
|
yes |
The channels and users you want to send the message
to. Channel names must start with |
|
no |
The icon to display in the Slack messages. Overrides the incoming webhook’s configured icon. Accepts a public URL to an image. |
|
yes |
The message content. |
|
no |
Slack message attachments. Message attachments enable you to create more richly-formatted messages. Specified array as defined in the Slack attachments documentation. |
|
no |
Slack message attachments that can be populated dynamically based on the current watch payload. For more information, see Using Attachments to Format Slack Messages. |
|
no |
The proxy host to use (only in combination with |
|
no |
The proxy port to use (only in combination with |
Configuring Slack Accounts
editYou configure the accounts Watcher can use to communicate with Slack in the
xpack.notification.slack
namespace in elasticsearch.yml
.
You need a Slack webhook URL to configure a Slack account. To create a webhook URL, set up an an Incoming Webhook Integration through the Slack console:
- Log in to slack.com as a team administrator.
- Go to https://my.slack.com/services/new/incoming-webhook.
-
Select a default channel for the integration.
- Click Add Incoming Webhook Integration.
-
Copy the generated webhook URL so you can paste it into your Slack account configuration in
elasticsearch.yml
.
To configure a Slack account, at a minimum you need to specify the account name and webhook URL:
xpack.notification.slack: account: monitoring: url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
You can also specify defaults for the Slack notification attributes:
xpack.notification.slack: account: monitoring: url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX message_defaults: from: x-pack to: notifications icon: http://example.com/images/watcher-icon.jpg attachment: fallback: "X-Pack Notification" color: "#36a64f" title: "X-Pack Notification" title_link: "https://www.elastic.co/guide/en/x-pack/current/index.html" text: "One of your watches generated this notification." mrkdwn_in: "pretext, text"
If you configure multiple Slack accounts, you either need to configure a default account or specify which account the notification should be sent with in the slack action.
xpack.notification.slack: default_account: team1 account: team1: ... team2: ...
On this page