splunk / slack-alerts

Splunk custom alert action for sending messages to Slack channels
https://splunkbase.splunk.com/app/2878/
Apache License 2.0

Slack alert action does not work, when "equals 0" trigger parameter is in use and "Fields" are defined in that Slack alert action. #31

Open BartekZm opened 2 years ago

BartekZm commented 2 years ago

Describe the bug

Slack alert action does not work, when "equals 0" trigger parameter is in use and "Fields" are defined in that Slack alert action.

To Reproduce

Steps to reproduce the behavior:

  1. Create a saved search with alert trigger "equals 0" parameter.
  2. Add Slack alert action, define any field in the "Fields" field (eg. index, sourcetype)
  3. The alert action fails to be triggered (=no message in Slack). In the Splunk "sendmodalert" thread you will see the following traceback:

     Unexpected error:<class 'AttributeError'>
     Traceback (most recent call last):
       File "/opt/splunk/etc/apps/slack_alerts/bin/slack.py", line 117, in send_slack_message
         json.dumps(build_slack_message(payload))
       File "/opt/splunk/etc/apps/slack_alerts/bin/slack.py", line 97, in build_slack_message
         params['attachments'] = [dict(fields=build_fields_attachment(payload))]
       File "/opt/splunk/etc/apps/slack_alerts/bin/slack.py", line 27, in build_fields_attachment
         available_fields = list(res.keys())
     AttributeError: 'NoneType' object has no attribute 'keys'
     Alert action failed
     Alert action script completed in duration=31 ms with exit code=6

^ I struggle to format the log snippet in GH, please see the additional context for the raw log snippet.

Expected behavior

Slack alert should be triggered when "fields" are listed and "equals 0" is used as a trigger condition.

Screenshots

[Screenshot 2022-08-24 at 12 15 17]

[Screenshot 2022-08-24 at 11 09 22]

Splunk Environment:

Additional context

Workarounds:

  1. Don't define any "Fields" in the Slack alert action, when the alert trigger condition is set to "equals 0".
  2. When you need to specify "Fields" in the Slack alert action, use any different trigger condition but the "equals 0".

08-24-2022 08:58:01.037 +0000 INFO sendmodalert [57503 AlertNotifierWorker-0] - Invoking modular alert action=slack for search="999" sid="scheduleradminsearch__999_at_1661331480_1704" in app="search" owner="admin" type="saved"
08-24-2022 08:58:01.069 +0000 INFO sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - Running python 3
08-24-2022 08:58:01.069 +0000 WARN sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - Validation warning: Parameter attachment must be ether "alert_link" or "message"
08-24-2022 08:58:01.069 +0000 INFO sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - Using configured webhook URL:
08-24-2022 08:58:01.069 +0000 FATAL sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - Unexpected error:<class 'AttributeError'>
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - Traceback (most recent call last):
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - File "/opt/splunk/etc/apps/slack_alerts/bin/slack.py", line 117, in send_slack_message
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - body = json.dumps(build_slack_message(payload))
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - File "/opt/splunk/etc/apps/slack_alerts/bin/slack.py", line 97, in build_slack_message
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - params['attachments'] = [dict(fields=build_fields_attachment(payload))]
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - File "/opt/splunk/etc/apps/slack_alerts/bin/slack.py", line 27, in build_fields_attachment
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - available_fields = list(res.keys())
08-24-2022 08:58:01.069 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - AttributeError: 'NoneType' object has no attribute 'keys'
08-24-2022 08:58:01.069 +0000 FATAL sendmodalert [57503 AlertNotifierWorker-0] - action=slack STDERR - Alert action failed
08-24-2022 08:58:01.072 +0000 INFO sendmodalert [57503 AlertNotifierWorker-0] - action=slack - Alert action script completed in duration=31 ms with exit code=6
08-24-2022 08:58:01.072 +0000 WARN sendmodalert [57503 AlertNotifierWorker-0] - action=slack - Alert action script returned error code=6
08-24-2022 08:58:01.072 +0000 ERROR sendmodalert [57503 AlertNotifierWorker-0] - Error in 'sendalert' command: Alert script returned error code 6.
08-24-2022 08:58:01.072 +0000 ERROR SearchScheduler [57503 AlertNotifierWorker-0] - Error in 'sendalert' command: Alert script returned error code 6., search='sendalert slack results_file="/opt/splunk/var/run/splunk/dispatch/scheduleradminsearch999_at_1661331480_1704/results.srs.zst" results_link=
08-24-2022 08:58:01.072 +0000 INFO sendmodalert [57503 AlertNotifierWorker-0] - Invoking modular alert action=victorops for search="999" sid="scheduleradminsearch999_at_1661331480_1704" in app="search" owner="admin" type="saved"
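The traceback above shows the shape of the defect: an "equals 0" trigger fires precisely when the search produced no result row, so the `result` object the action reads field values from is null, and `res.keys()` raises before any message is sent. The following is an added illustration, not the project's own slack.py: it models the alert payload with an assumed `configuration`/`result` layout, reproduces the crash in a deliberately naive `build_fields_attachment_buggy`, and puts a hardened `build_fields_attachment` beside it that treats a missing row as "no fields to attach" so the notification still goes out. Zero-result alerts are commonly used as absence or heartbeat checks, which makes a notification that silently fails on exactly that condition the failure mode worth guarding against.

```python
import json

# Constructed payloads, shaped like the JSON Splunk hands a modular alert
# action on stdin (assumption: only "configuration" and "result" are modelled).
# With an "equals 0" trigger there is no result row, so "result" is null.
PAYLOAD_WITH_ROW = {
    "configuration": {"fields": "index, sourcetype", "message": "Search fired"},
    "result": {"index": "main", "sourcetype": "syslog", "count": "3"},
}
PAYLOAD_NO_ROW = {
    "configuration": {"fields": "index, sourcetype", "message": "Search returned 0 rows"},
    "result": None,
}


def requested_fields(payload):
    """Split the comma-separated "Fields" setting into a clean list of names."""
    raw = payload.get("configuration", {}).get("fields", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def build_fields_attachment_buggy(payload):
    """Reproduces the reported failure: assumes a result row is always present."""
    res = payload.get("result")
    available_fields = list(res.keys())  # AttributeError when res is None
    return [{"title": f, "value": res[f], "short": True}
            for f in requested_fields(payload) if f in available_fields]


def build_fields_attachment(payload):
    """Hardened version: an absent, null or non-dict result row yields no entries."""
    res = payload.get("result") or {}
    if not isinstance(res, dict):
        res = {}
    return [{"title": f, "value": str(res[f]), "short": True}
            for f in requested_fields(payload) if f in res]


def build_slack_message(payload):
    """Assemble the webhook body; attachments are added only when there is data."""
    params = {"text": payload.get("configuration", {}).get("message", "")}
    fields = build_fields_attachment(payload)
    if fields:
        params["attachments"] = [{"fields": fields}]
    return params


def buggy_raises(payload):
    """True if the naive builder would have crashed on this payload."""
    try:
        build_fields_attachment_buggy(payload)
        return False
    except AttributeError:
        return True


if __name__ == "__main__":
    for name, p in (("with row", PAYLOAD_WITH_ROW), ("no row", PAYLOAD_NO_ROW)):
        print(name, "- naive builder crashes:", buggy_raises(p))
        print(json.dumps(build_slack_message(p)))
```

Run as a script it prints one line per payload; the "no row" case shows the naive builder crashing while the hardened message is still produced, with only the `text` key and no empty attachment.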

leandropadua commented 1 year ago

we are getting spammed with errors

AttributeError: 'NoneType' object has no attribute 'keys'

Any chance this error can be fixed? There's an open PR for it. Thanks