Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Slack and Kibana_link #660

Open remotesyssupport opened 8 years ago

remotesyssupport commented 8 years ago

We predominantly use Slack for our alert notifications. I wanted to know if it is possible to include the kibana4 dashboard link in the Slack alerts.

My check with including it in alert_text_args (as shown below) doesn't seem to work. Although if I use alert_text_type as default, I can see the kibana_link in the fields of the Slack notification.

# Kibana Link
use_kibana4_dashboard: "https://kibana.internal/app/kibana#/dashboard/applog"
kibana4_start_timedelta:
  minutes: 10
kibana4_end_timedelta:
  minutes: 10

# Alert Config
alert:
- "slack"

alert_text_type: exclude_fields
alert_text_args:
- kibana_link
Qmando commented 8 years ago

You have to set alert_text.

alert_text: {0} is the kibana link

remotesyssupport commented 8 years ago

Thanks @Qmando. That does add the Kibana Link to the notification.

But for some reason the Kibana link that appears on Slack is not clickable (usually URL links are parsed by Slack as clickable). Interestingly, if I copy the link from the notification and re-paste it, it appears to be clickable. Any thoughts on this?

Qmando commented 8 years ago

Try <{0}|Link to Kibana> from https://twitter.com/slackapi/status/579771083181699073

remotesyssupport commented 8 years ago

@Qmando Nope : ( It does exactly as is stated in the latest reply to the comment by Malone Hedges (on that tweet)

remotesyssupport commented 8 years ago

@Qmando It shows up like this: (screenshot)

remotesyssupport commented 8 years ago

@Qmando For now (till this issue is found) I have a duct-tape solution, as we want the nicely formatted message (<At least xxx events occurred ...>) sent along with the links. I combined the slack and command alerts. The command sends the kibana link using Slacktee.

# Alert Config
alert:
- "slack"
- "command"

alert_text_type: exclude_fields

command: ["/opt/elastalert/bin/send_via_slacktee", "<%(kibana_link)s| App Errors Kibana Link>"]

Output:

(screenshot)

Question: Are the number of events detected, StartTime and EndTime available as variables like kibana_link? If yes, we can then use the Command alert only.

schickling commented 8 years ago

@Qmando could you please reopen this issue as the formatting doesn't work as expected?

schickling commented 8 years ago

Thanks @Qmando. Is there an easy fix for this? Would be super awesome if this would work. :shipit:

brdaugherty commented 7 years ago

Including a clickable URL to a kibana dashboard is working for me in v0.0.95.

Thought I'd share details, as it took a bit of poking around the source code to get the subject, body and attachment configured and formatted nicely. When I tried following this thread and the elastalert documentation I was unable to get the kibana URL transformed into a clickable link... it's not intuitive. Basically, I believe the attachment body, aka alert_text, is not parsed by the Slack servers but interpreted literally... so you put kibana_link in the subject.

name: ssh login details

# bold subject with clickable link to kibana
alert_subject: "SSH login by {0} to {1} | <{2}|Dashboard>"
alert_subject_args:
  - username
  - host
  - kibana_link

# alert name and attachment body
alert_text_type: alert_text_only
alert_text: 'role: {0} host: {1}'
alert_text_args:
  - role
  - host

use_kibana4_dashboard: "http://kibana.mydomain.com/app/kibana#/dashboard/ssh-events"

slack_emoji_override: ':lock:'
slack_msg_color: 'good'
slack_channel_override: '#infosec'

alert:
  - "slack"

Produces this

(screenshot)

abhsrivastava commented 7 years ago

I was facing the same issue. I found that for slack integration the hyperlinks work only in the subject. So this works

# bold subject with clickable link to kibana
alert_subject: "SSH login by {0} to {1} | <{2}|Dashboard>"
alert_subject_args:
  - username
  - host
  - kibana_link

But this will result in URLs in plain text

alert_text: "SSH login by {0} to {1} | <{2}|Dashboard>"
alert_text_args:
  - username
  - host
  - kibana_link

In case of alert_text, the kibana link will appear as text.

krisan commented 7 years ago

@abhsrivastava: To enable clickable links in Slack alerts, add a line with slack_parse_override: full (tested in the support_es5 branch).
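To make concrete what the previous comments observe (a `<url|label>` link survives in alert_subject but is neutralised in alert_text) and why a wholesale escape of the body is the wrong place to fix it, here is an added example that is not ElastAlert's own code. It mirrors the three `replace` calls applied to the body, then shows an alternative (an assumption, not an ElastAlert option) that escapes only the interpolated field values, so markup the operator wrote into the template is preserved while markup arriving in a log field (a crafted username, say) is still rendered inert. All field values and the kibana_link URL are constructed sample data.

```python
"""Added example (not ElastAlert's code): whole-body escaping versus
escaping only the substituted field values for a Slack alert body."""

# Order matters: '&' must be escaped first so the entities added for
# '<' and '>' are not escaped a second time.
SLACK_ESCAPES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"))


def escape_slack(text):
    """Escape the three characters Slack treats as markup delimiters."""
    for raw, escaped in SLACK_ESCAPES:
        text = text.replace(raw, escaped)
    return text


def format_body_escaped(template, args):
    """Whole-body escaping as discussed in the thread: the template is
    filled in first and the entire result is escaped, so a <url|label>
    link written into alert_text is neutralised along with everything else."""
    return escape_slack(template.format(*args))


def format_body_values_only(template, args):
    """Alternative (assumption, not an ElastAlert option): escape each
    field value before substitution. The operator-written template keeps
    its link markup; markup smuggled in via a log field does not survive."""
    return template.format(*(escape_slack(str(a)) for a in args))


def contains_slack_link(text):
    """True if the text still carries an unescaped <url|label> link."""
    return "<http" in text and "|" in text and ">" in text


# Constructed sample values standing in for kibana_link and match fields.
KIBANA_LINK = "https://kibana.example.invalid/app/kibana#/dashboard/ssh-events"
TEMPLATE = "SSH login by {0} to {1} | <{2}|Dashboard>"
MATCH_ARGS = ["alice <admin>", "bastion-01", KIBANA_LINK]

if __name__ == "__main__":
    print("whole body escaped :", format_body_escaped(TEMPLATE, MATCH_ARGS))
    print("values only escaped:", format_body_values_only(TEMPLATE, MATCH_ARGS))
```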

senj commented 7 years ago

Is it possible to format text in the alert_text like this or ~that~? See here. Tried with slack_parse_override but it didn't work (I'm not on the support_es5 branch).

ardentisys-rajshekhar commented 7 years ago

A report attachment would be a great feature. Is it possible to add? E.g. integrating the phantomjs-based web-to-PDF conversion and attaching the result to the generated email alert.

0rax commented 7 years ago

This issue seems to still be present and comes from the escaping of <, > and &. I've seen the documentation and it seems weird that those characters need to be escaped, as links are not working when they are escaped but are otherwise. The need for them to be escaped seems to come from https://api.slack.com/methods/chat.postMessage#formatting, which does not support application/json encoding. It seems that it only applies to url-encoded requests.

Also the parse field in the payload is not well documented in terms of incoming webhooks, as it throws an error in the message builder but does change some things when used. See the following screenshots of this message sent with parse set to none and full.

Test of the `parse` field with no escaped characters: (screenshot)


Following test for escaped vs unescaped characters and the `parse` field for escaped characters: (screenshot)


It would be nice to be able to use the whole subset of markdown available to us when doing custom text for Slack (especially so we can get a Kibana link in the alert body in a clickable and pretty form), and the fix would be as simple as removing the following three lines:

diff --git a/elastalert/alerts.py b/elastalert/alerts.py
index 7d835ac..ade298e 100644
--- a/elastalert/alerts.py
+++ b/elastalert/alerts.py
@@ -988,9 +988,6 @@ class SlackAlerter(Alerter):
     def format_body(self, body):
         # https://api.slack.com/docs/formatting
         body = body.encode('UTF-8')
-        body = body.replace('&', '&amp;')
-        body = body.replace('<', '&lt;')
-        body = body.replace('>', '&gt;')
         return body

     def alert(self, matches):
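Review bot: dropping all three replace calls in format_body removes the only thing that stops a value copied from a matched document (a username, a log message, a URL field) from being interpreted by Slack as markup, so the body becomes a markup injection point for whoever controls the logged data. The safer change is to keep the escaping but apply it to each alert_text_args value before it is substituted into alert_text, leaving the operator-written template and its <url|label> links intact; until then, the thread's observation that alert_subject is not escaped remains the supported way to get a clickable kibana_link. A second point on the same lines: body.encode('UTF-8') followed by str-argument replace calls only works on Python 2 (where encode returns a str); on Python 3 encode returns bytes and the first replace raises TypeError, so any later port should move the encode to after the replace calls or drop it.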