guilhemmarchand / TA-ms-teams-alert-action

This application provides alert actions for Microsoft Teams message publication, to allow advanced message publication from Splunk.

OpenURL dynamic input fields resulting from the search #33

Closed Hollerweger closed 3 years ago

Hollerweger commented 3 years ago

Based on the documentation, it should be possible to have dynamic input in the OpenURL from the search:

Potential Action Name and Potential Action URL: These two items define the action link button and target that can automatically be added when the message is published in Microsoft Teams.

For this option to be activated, both of these items need to be configured, note that the URL can accept dynamic input fields resulting from the search.

For me it is not clear how to include them. E.g.:

Where %correlation-id% should be replaced with the actual correlation-id.

guilhemmarchand commented 3 years ago

Hi @Hollerweger

Any of the options from the alert action follow the standard Splunk alert action feature, which means the values can be dynamically replaced using tokens resulting from the search, see:

https://docs.splunk.com/Documentation/Splunk/8.1.0/Alert/EmailNotificationTokens

In short, you can for instance define the URL target within your SPL code and recycle this value dynamically, for example purposes:

| makeresults | eval dashboard="mydashboard", message="this is a test", openurl_target="https://mysplunk.com/" . dashboard

Then you would refer to the URL target in the alert action by:

$result.openurl_target$

Hope this makes sense and I properly understood your question.

Guilhem

Hollerweger commented 3 years ago

Thanks, $result.openurl_target$ helped. Was not sure how I can reference a field. Is the "View results in Splunk" link that can be seen in e-mails directly available to reference?

guilhemmarchand commented 3 years ago

@Hollerweger Yes, all tokens you can see in the Email alert action documentation are available to any other alert action too. However, I'd suggest paying attention to complex links with long lists of token substitutions; I've seen MS Teams not being happy with that and ignoring it or not behaving as expected. Try to keep the URL simple enough (but the result link should be referring to an SID, which would be fine).