Webhook Connection for Slack
You can send an alert from Sumo Logic as an HTTP POST request to a Slack channel. Learn more about Slack requirements for Webhooks in their API Help.
Webhook connections rely on HTTP endpoints that tell Sumo Logic where to send data. You can set up any number of connections.
Once you set up the webhook connection, you'll have the option to use it in a Scheduled Search or Monitor.
Configure a Webhook connection for Slack
You need the Manage connections role capability to create webhook connections.
- Classic UI. In the main Sumo Logic menu, select Manage Data > Monitoring > Connections.
  New UI. In the top menu select Configuration, and then under Monitoring select Connections. You can also click the Go To... menu at the top of the screen and select Connections.
- On the Connections page, click Add.
- Click Slack.
- In the Create Connection dialog, enter the Name of the Connection.
- (Optional) Enter a Description for the Connection.
- Enter the URL for the endpoint. See Slack API Help for more information.
- (Optional) Under Custom Headers, enter up to five key-value pairs, comma separated.
- Under Alert Payload, which lets you customize how the alert notification looks in Slack, enter a JSON object in the format Slack requires. For the variables you can use as parameters in your JSON object, see Webhook Payload Variables.
- Under Recovery Payload, which lets you customize how the recovery notification looks in Slack, enter a JSON object in the format Slack requires.
- Click Save.
Details on how to format your payload message are available in Slack's documentation, Basic message formatting.
Slack offers a Message Builder where you can build and test your JSON payload.
Examples
These examples are provided as a reference on Slack's supported Webhook payloads. Refer to Slack for further details on what their service supports and how to build payloads.
You can use blocks as an alternative to attachments. However, our default payload still uses attachments.
Send Scheduled Search results
Here is an example JSON payload that sends most of the available Webhook variables, including ResultsJson.
{
  "text": "Sumo Logic Alert: *{{Name}}*",
  "attachments": [{
    "fields": [
      {
        "title": "Description",
        "value": "{{Description}}"
      },
      {
        "title": "Query",
        "value": "<{{QueryUrl}}|{{Query}}>"
      },
      {
        "title": "Time Range",
        "value": "{{TimeRange}}"
      },
      {
        "title": "FieldName",
        "value": "{{ResultsJson.fieldname}}"
      },
      {
        "title": "Results",
        "value": "{{ResultsJson}}"
      }
    ],
    "mrkdwn_in": ["text", "pretext"],
    "color": "#29A1E6"
  }]
}
Post to Slack with CURL
Assume that you use the following curl command to post to Slack.
curl -X POST --data-urlencode 'payload={"channel": "#mychannel", "username": "webhookuser", "text": "This is posted to #mychannel and comes from a bot named webhookbot.", "icon_emoji": ":ghost:"}' https://hooks.slack.com/services/A12...AqlwV1fJ0oiGpk
The part of the URL after https://hooks.slack.com/services/ is the token that identifies your Slack webhook; the full URL is what you enter as the endpoint in the connection. Treat that URL as a secret: anyone who has it can post messages to the channel. Variables must follow JSON object format. Here is an example JSON payload that sends Sumo Logic variables with Slack's text parameter:
{
  "text": "{{Name}} ran over {{TriggerTimeRange}} at {{TriggerTime}}",
  "username": "Sumo Logic Alert"
}
Here is an example JSON payload using Slack's attachments parameter:
{
  "attachments": [
    {
      "pretext": "Sumo Logic Alert: *{{Name}}*",
      "fields": [
        {
          "title": "Description",
          "value": "{{Description}}"
        },
        {
          "title": "Query",
          "value": "<{{QueryUrl}}|{{Query}}>"
        },
        {
          "title": "Time Range",
          "value": "{{TriggerTimeRange}}"
        }
      ],
      "mrkdwn_in": ["text", "pretext"],
      "color": "#29A1E6"
    }
  ]
}
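The payloads above are templates that Sumo Logic fills in at alert time. The following script is an added example, not Sumo Logic's or Slack's own code, that renders such a template offline so you can see what reaches Slack before wiring up a Scheduled Search or Monitor. It parses the template as JSON first (which is why the page insists on JSON object format), substitutes the {{Variable}} and {{ResultsJson.fieldname}} placeholders inside string values, and escapes Slack's three reserved characters (&, <, >) in every substituted value so that raw log content in {{ResultsJson}} cannot inject a <!channel> mention or a <url|text> link into the notification. The alert values, the query URL and the reading of {{ResultsJson.fieldname}} as the comma-joined values of that field are this example's assumptions; post_to_slack sends the result to a webhook URL of your own and is not called by default.

```python
"""Render a Sumo Logic-style Slack webhook payload template offline.

Added example, not Sumo Logic's or Slack's code. All sample data below
is constructed; the webhook URL used with post_to_slack is your own.
"""
import json
import re
import urllib.request
from typing import Optional

# Slack reserves &, < and > for links and mentions. Escaping them in
# substituted values keeps log content from injecting <!channel> pings
# or <url|label> links into the message.
_SLACK_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}

# Matches {{Name}} and {{ResultsJson.fieldname}} placeholders.
PLACEHOLDER = re.compile(r"\{\{([A-Za-z]+)(?:\.([A-Za-z0-9_]+))?\}\}")


def slack_escape(value: str) -> str:
    """Replace Slack's three reserved characters with HTML entities."""
    return "".join(_SLACK_ESCAPES.get(ch, ch) for ch in value)


def resolve_variable(name: str, field: Optional[str], alert: dict) -> str:
    """Look up one placeholder against the alert data.

    {{ResultsJson}} renders as the JSON array of result rows and
    {{ResultsJson.<field>}} as the comma-joined values of that field
    across rows (an assumption of this example, not Sumo Logic's spec).
    """
    if name == "ResultsJson":
        rows = alert.get("ResultsJson", [])
        if field is None:
            return json.dumps(rows)
        return ", ".join(str(row.get(field, "")) for row in rows)
    if name not in alert:
        raise KeyError("unknown webhook variable {{%s}}" % name)
    return str(alert[name])


def substitute(text: str, alert: dict) -> str:
    """Substitute placeholders in one string value, escaping each result."""
    def repl(match: re.Match) -> str:
        return slack_escape(resolve_variable(match.group(1), match.group(2), alert))
    return PLACEHOLDER.sub(repl, text)


def render_payload(template: str, alert: dict) -> dict:
    """Parse the template as JSON, then substitute inside string values.

    Parsing first guarantees the template is a valid JSON object (as the
    connection dialog requires); json.dumps on the result later handles
    quoting of whatever the variables contain.
    """
    def walk(node):
        if isinstance(node, str):
            return substitute(node, alert)
        if isinstance(node, list):
            return [walk(item) for item in node]
        if isinstance(node, dict):
            return {key: walk(value) for key, value in node.items()}
        return node

    parsed = json.loads(template)
    if not isinstance(parsed, dict):
        raise ValueError("Slack webhook payload must be a JSON object")
    return walk(parsed)


def post_to_slack(webhook_url: str, payload: dict, timeout: float = 10.0) -> int:
    """POST the rendered payload as application/json; return the HTTP status."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        webhook_url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


# Constructed sample alert standing in for what Sumo Logic would fill in.
SAMPLE_ALERT = {
    "Name": "Failed logins spike",
    "Description": "More than 50 failed logins in 15 minutes",
    "Query": '_sourceCategory=prod/auth "login failed"',
    "QueryUrl": "https://service.sumologic.com/ui/#/search/example",  # hypothetical
    "TimeRange": "-15m",
    "ResultsJson": [
        {"user": "alice", "count": 31},
        # A log value that tries to page the whole channel via Slack markup.
        {"user": "<!channel> mallory", "count": 27},
    ],
}

# Same shape as the page's Scheduled Search payload, with a concrete field name.
SAMPLE_TEMPLATE = """{
  "text": "Sumo Logic Alert: *{{Name}}*",
  "attachments": [{
    "fields": [
      {"title": "Description", "value": "{{Description}}"},
      {"title": "Query", "value": "<{{QueryUrl}}|{{Query}}>"},
      {"title": "Time Range", "value": "{{TimeRange}}"},
      {"title": "Users", "value": "{{ResultsJson.user}}"},
      {"title": "Results", "value": "{{ResultsJson}}"}
    ],
    "mrkdwn_in": ["text", "pretext"],
    "color": "#29A1E6"
  }]
}"""

if __name__ == "__main__":
    # Dry run: print what would be sent. To send for real, call
    # post_to_slack("https://hooks.slack.com/services/<your token>", payload).
    print(json.dumps(render_payload(SAMPLE_TEMPLATE, SAMPLE_ALERT), indent=2))
```

Run it once against a template you are about to paste into the Alert Payload box: a template that is not a JSON object fails at json.loads instead of silently at alert time, and the printed output shows the injected <!channel> arriving as literal text (&lt;!channel&gt;) rather than as a mention.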
Create an alert
Once you set up the webhook connection, you'll have the option to use it in a Scheduled Search or Monitor.