
Webhook Connection for Slack

You can send an alert from Sumo Logic as a post to a Slack channel:

  1. Configure a Webhook Connection in Sumo Logic. A Connection is an HTTP endpoint that tells Sumo Logic where to send data. You can set up any number of Connections, depending on your organization's needs.
  2. Configure a Scheduled Search to create the alert.

Learn more about Slack's requirements for Webhooks in their API Help.

Configure a Webhook Connection for Slack

  1. Go to Manage > Connections.
  2. On the Connections page click Add.
  3. Click Slack.
  4. In the Create Connection dialog, enter the Name of the Connection.
  5. Optional: Enter a Description for the Connection.
  6. Enter the URL for the endpoint. (Check Slack API Help for more information.)
  7. Optional: Enter an Authorization Header, which may include an authorization token.
  8. Under Payload, enter a JSON object in the format required by Slack. For details on the variables that can be used as parameters within your JSON object, see Webhook Payload Variables.
  9. Click Save.

Examples

Assume that you use the following curl command to post to Slack.

curl -X POST --data-urlencode 'payload={"channel": "#mychannel", "username": "webhookuser", "text": "This is posted to #mychannel and comes from a bot named webhookbot.", "icon_emoji": ":ghost:"}' https://hooks.slack.com/services/A12BC34DEF/B0C2NAK4N/fvuqhbWiHjAqlwV1fJ0oiGpk

The token portion of the URL (the path segment A12BC34DEF in this example) is the token needed for the Slack configuration. The payload you enter must be a valid JSON object; variables are referenced inside its string values, as in the following example.

{
  "text": "$SearchName ran over $TimeRange at $FireTime",
  "token": "A12BC34DEF",
  "channel": "#mychannel",
  "username": "webhookuser"
}

The following example uses a payload that includes the raw search results ($RawResultsJson).

{  
   "token":"A12BC34DEF",
   "channel":"#mychannel",
   "username":"webhookuser",
   "attachments":[  
      {  
         "pretext":"Sumo Logic Alert: *$SearchName*",
         "fields":[  
            {  
               "title":"Description",
               "value":"$SearchDescription"
            },
            {  
               "title":"Query",
               "value":"<$SearchQueryUrl|$SearchQuery>"
            },
            {  
               "title":"Time Range",
               "value":"$TimeRange"
            },
            {  
               "title":"Num Results",
               "value":"$NumRawResults"
            },
            {  
               "title":"Raw Results",
               "value":"$RawResultsJson"
            },
            {  
               "title":"Agg Results",
               "value":"$AggregateResultsJson"
            }
         ],
         "mrkdwn_in":[  
            "text",
            "pretext"
         ]
      }
   ]
}
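The page does not describe how Sumo Logic substitutes the $Variables into this template, but one property any substitution must have is that values containing double quotes (a query string, or the raw results, which are themselves JSON) still leave a valid JSON object. The following is an added example, not Sumo Logic's code: it renders a shortened copy of the attachments template above with constructed sample alert values, contrasting a plain text substitution, which yields invalid JSON, with one that escapes each value as a JSON string fragment. The sample values, the placeholder query URL and the variable names beyond those on the page are assumptions.

```python
import json
import re

# Template taken from the attachments payload above (two fields dropped for brevity).
# The token is the page's sample value, not a real credential.
TEMPLATE = """{
  "token": "A12BC34DEF", "channel": "#mychannel", "username": "webhookuser",
  "attachments": [{
    "pretext": "Sumo Logic Alert: *$SearchName*",
    "fields": [
      {"title": "Query", "value": "<$SearchQueryUrl|$SearchQuery>"},
      {"title": "Time Range", "value": "$TimeRange"},
      {"title": "Num Results", "value": "$NumRawResults"},
      {"title": "Raw Results", "value": "$RawResultsJson"}
    ],
    "mrkdwn_in": ["text", "pretext"]
  }]
}"""

# Constructed sample alert values. The query and the raw results contain double
# quotes, which is exactly what breaks a plain text substitution into a JSON template.
SAMPLE_ALERT = {
    "SearchName": "Failed SSH logins > 20",
    "SearchQuery": '_sourceCategory=auth "Failed password" | count by src_ip',
    "SearchQueryUrl": "https://example.com/search/PLACEHOLDER-ID",  # constructed placeholder
    "TimeRange": "2024-05-01 10:00:00 to 2024-05-01 10:15:00",
    "NumRawResults": "2",
    "RawResultsJson": '[{"src_ip":"203.0.113.5","_count":14},{"src_ip":"198.51.100.9","_count":7}]',
}
VAR_RE = re.compile(r"\$([A-Za-z]+)")  # $SearchName, $RawResultsJson, ...


def naive_render(template, variables):
    """Plain substitution: quotes inside the values corrupt the surrounding JSON."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), template)


def render_payload(template, variables):
    """Insert each value as a JSON-escaped string fragment, then parse the result."""
    def escaped(m):
        # json.dumps escapes quotes, backslashes and newlines; strip its outer quotes
        return json.dumps(variables.get(m.group(1), m.group(0)))[1:-1]
    return json.loads(VAR_RE.sub(escaped, template))


def is_valid_json(text):
    """True when the text parses as a JSON object, as Slack requires."""
    try:
        return isinstance(json.loads(text), dict)
    except ValueError:
        return False
```

Running `is_valid_json(naive_render(TEMPLATE, SAMPLE_ALERT))` returns False, while `render_payload(TEMPLATE, SAMPLE_ALERT)` returns a dict whose "Raw Results" field holds the sample results string intact.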

Create a Scheduled Search

Next, create a Scheduled Search to send the alert as a post to a Slack channel.

You can create a brand new search, or you can base a search on an existing saved or scheduled search. If you'd like to use an existing search, save the query as a new search so that you don't overwrite the existing search's current schedule.

For instructions, see Scheduled Searches for Webhook Connections.