splunk / slack-alerts

Splunk custom alert action for sending messages to Slack channels
https://splunkbase.splunk.com/app/2878/
Apache License 2.0
18 stars, 12 forks

JSON Payload showing as text #19

Closed: misterjulien closed this issue 3 years ago

misterjulien commented 3 years ago

When the message contains JSON-formatted text, instead of Slack showing formatted text, it shows the JSON text. When I send the same JSON text using Postman, Slack shows formatted text.

The JSON I'm using is similar to what is here.

Expected behavior: I would expect Slack to show formatted text and not the source JSON.

Splunk Environment: Using Slack Alerts 2.1.3, Splunk 8.0.4.1, Enterprise Security 6.2.0

ziegfried commented 3 years ago

This is actually expected behavior. The alert action does not allow the user to supply or directly influence the raw JSON payload that is sent to the Slack API. There are also no plans to change this since it may raise some security concerns and can lead to unexpected behavior.

I'd recommend forking/modifying the alert action if this behavior is truly desired.
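
Added example (not part of the thread and not the slack-alerts code): the behavior discussed above in Python, showing why a message carried as the value of `text` stays literal, what a raw-JSON passthrough would let the message author control, and an allow-list a fork could use instead. The function names, `ADMIN_CHANNEL`, the allowed keys and the sample messages are assumptions constructed for illustration; the thread does not say which security concerns the maintainer has in mind, and the `channel` override is one possible case.

```python
import json

# Constructed sample value: the channel an administrator configured for the alert.
ADMIN_CHANNEL = "#soc-alerts"


def _parse_object(message):
    """Return the message as a dict if it is a JSON object, else None."""
    try:
        parsed = json.loads(message)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None


def build_payload_fixed(message):
    """Message is only ever the string value of "text" (the behavior in the thread)."""
    return {"channel": ADMIN_CHANNEL, "text": message}


def build_payload_passthrough(message):
    """Hypothetical variant: a JSON message is merged into the payload as-is."""
    payload = {"channel": ADMIN_CHANNEL}
    supplied = _parse_object(message)
    if supplied is None:
        payload["text"] = message
    else:
        payload.update(supplied)  # whoever writes the message now sets every key
    return payload


def build_payload_allowlisted(message, allowed=("text", "attachments", "blocks")):
    """Fork-style option: accept JSON, but copy only allow-listed keys."""
    payload = {"channel": ADMIN_CHANNEL}
    supplied = _parse_object(message) or {}
    payload.update({k: v for k, v in supplied.items() if k in allowed})
    if len(payload) == 1:  # nothing usable was supplied: send the literal text
        payload["text"] = message
    return payload


# Constructed sample messages.
FORMATTED = '{"attachments": [{"color": "#ff0000", "text": "Failed logins: 42"}]}'
OVERRIDE = '{"channel": "#general", "text": "hello"}'

if __name__ == "__main__":
    for build in (build_payload_fixed, build_payload_passthrough, build_payload_allowlisted):
        print(build.__name__, json.dumps(build(OVERRIDE)))
```

With the fixed builder the JSON arrives at Slack as an escaped string, which is why it renders as source text; the allow-listed builder renders the attachment while leaving the configured channel untouched.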