
guilhemmarchand / ta-ms-teams-alert-action


This application provides alert actions for publishing messages to Microsoft Teams, allowing advanced message publication from Splunk.

Python 66.63% CSS 1.74% JavaScript 1.70% HTML 21.25% Shell 8.68%

ta-ms-teams-alert-action's Introduction

Microsoft Teams alert action for Splunk


This application provides alert actions for publishing messages to Microsoft Teams, allowing advanced message publication from Splunk, including:

  • Markdown support
  • Defining options globally or on a per alert basis (per alert override)
  • Defining a comma-separated list of fields which will be dynamically used to generate the markdown-supported publication
  • Choosing icon link for message publication
  • Activating potential link action and defining its link

Documentation is hosted online at:

https://TA-ms-teams-alert-action.readthedocs.io



ta-ms-teams-alert-action's Issues

Global settings are not considered properly

In the current release, global settings (default URL and default image link) are not being taken into consideration properly.

Only on a per alert basis does the addon take them into consideration correctly.

Easy fix on the logic code.

Message Fields list sort issue.

By default, the message fields list is sorted in alphabetical order in the message card. It would be nice if we could control the order of fields displayed in the card, for example by using the same order as given in “Message fields list”.
Below is a screenshot of a card with fields sorted in alphabetical order.

Configuration page won't load


From splunkd.log
03-02-2022 10:23:44.314 +0800 ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n
File "D:\Program Files\Splunk\Python-3.7\lib\site-packages\splunk\admin.py", line 108, in init_persistent\n
hand = handler(mode, ctxInfo, data)\n
File "D:\Program Files\Splunk\etc\apps\TA-ms-teams-alert-action\lib\splunktaucclib\rest_handler\admin_external.py", line 82, in init\n
get_splunkd_endpoint(),\n File "D:\Program Files\Splunk\etc\apps\TA-ms-teams-alert-action\lib\splunktaucclib\rest_handler\admin_external.py", line 64, in get_splunkd_endpoint\n
splunkd_uri = get_splunkd_uri()\n
File "D:\Program Files\Splunk\etc\apps\TA-ms-teams-alert-action\lib\solnlib\splunkenv.py", line 209, in get_splunkd_uri\n
scheme, host, port = get_splunkd_access_info()\n
File "D:\Program Files\Splunk\etc\apps\TA-ms-teams-alert-action\lib\solnlib\splunkenv.py", line 181, in get_splunkd_access_info\n
if utils.is_true(get_conf_key_value("server", "sslConfig", "enableSplunkdSSL")):\n
File "D:\Program Files\Splunk\etc\apps\TA-ms-teams-alert-action\lib\solnlib\splunkenv.py", line 228, in get_conf_key_value\n
stanzas = get_conf_stanzas(conf_name)\n File "D:\Program Files\Splunk\etc\apps\TA-ms-teams-alert-action\lib\solnlib\splunkenv.py", line 274, in get_conf_stanzas\n
btool_cli, stdout=subprocess.PIPE, stderr=subprocess.PIPE\n File "D:\Program Files\Splunk\Python-3.7\lib\subprocess.py", line 800, in init\n
restore_signals, start_new_session)\n
File "D:\Program Files\Splunk\Python-3.7\lib\subprocess.py", line 1207, in _execute_child\n
startupinfo)\nOSError: [WinError 193] %1 is not a valid Win32 application\n

From Chrome:

OpenURL dynamic input fields resulting from the search

Based on the documentation it should be possible to have dynamic input in the OpenURL from the search:

Potential Action Name and Potential Action URL
These two items define the action link button and target that can automatically be added when the message is published in Microsoft Teams.

For this option to be activated, both of these items need to be configured, note that the URL can accept dynamic input fields resulting from the search.

For me it is not clear how to include them.
Eg.:

Where %correlation-id% should be replaced with the actual correlation-id.

Only works for a single event

If there are multiple events in the result set for an alert, this ends up generating invalid json and the alert action fails to send. Is this supposed to support multiple events or was it only meant to work for a single event in the result set?

For example, here is the json data generated from an alert on index=_internal | stats count by source (not a realistic alert, just something I used for testing purposes).

{
"@type": "MessageCard",
"@context": "http://schema.org/extensions",
"themeColor": "0076D7",
"summary": "Test 3",
"sections": [{
"activityTitle": "Test 3",
"activitySubtitle": "",
"facts": [
{
"name": "count",
"value": "2"
}
,{
"name": "source",
"value": "/opt/splunk/var/log/splunk/conf.log"
}
{
"name": "count",
"value": "4"
}
,{
"name": "source",
"value": "/opt/splunk/var/log/splunk/first_install.log"
}
{
"name": "count",
"value": "385"
}
,{
"name": "source",
"value": "/opt/splunk/var/log/splunk/health.log"
}
],
"markdown": false
}]
}

Each result has two fields, count and source. Between fields for a single event, the comma is placed appropriately but the comma is missing between events.
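
The failure described in this issue, and one way to avoid it, as an added example that is not part of the original issue or the add-on's own code. facts_by_concatenation is a hypothetical reconstruction of the string-building approach, and the one-section-per-row layout in build_message_card is an assumption; the sample rows are the values quoted above.

```python
import json

# Constructed sample: the three result rows from the issue above
# (index=_internal | stats count by source).
SAMPLE_RESULTS = [
    {"count": "2", "source": "/opt/splunk/var/log/splunk/conf.log"},
    {"count": "4", "source": "/opt/splunk/var/log/splunk/first_install.log"},
    {"count": "385", "source": "/opt/splunk/var/log/splunk/health.log"},
]


def facts_by_concatenation(results, fields):
    """Hypothetical reconstruction of the failure mode: a comma is joined
    between the fields of one event, but nothing separates two events."""
    out = ""
    for row in results:
        out += ",".join(
            '{"name": "%s", "value": "%s"}' % (f, row[f]) for f in fields
        )
    return "[" + out + "]"


def is_valid_json(text):
    """Cheap pre-send check: refuse to POST a payload that does not parse."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def build_message_card(title, results, fields, theme_color="0076D7"):
    """Build the card as Python objects, one section per result row, and let
    json.dumps place separators and escape quotes and backslashes."""
    sections = []
    for index, row in enumerate(results):
        section = {
            "facts": [{"name": f, "value": str(row[f])} for f in fields if f in row],
            "markdown": False,
        }
        if index == 0:  # title only on the first section
            section["activityTitle"] = title
        sections.append(section)
    return json.dumps({
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "themeColor": theme_color,
        "summary": title,
        "sections": sections,
    })
```

Search result values are untrusted input, so serializing with json.dumps also keeps a field value containing quotes or backslashes (a Windows path, for instance) from breaking or reshaping the payload.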

Alert action no longer working for non admin users after upgrading Splunk to 8.2.2107

Hi Guys,

After Splunk Support upgraded our instance of Splunk Cloud to 8.2.2107, the alert action no longer works for non admin users.

I opened a case with Splunk Support and they didn't find any problem in our stack, so they suggested that I reach out to you guys.

For us it's key to have non admin users (with the msteams_alert_action role, according to https://ta-ms-teams-alert-action.readthedocs.io/en/latest/configuration.html#using-the-alert-action-for-non-admin-users) creating alerts.

Thank you very much for your help with this!

Esteban

Multi Line Alerts

For cases where the alert query returns more than one line, put an option to render all lines on a single card, or send several cards containing each of the resulting lines.

Theme Color as configurable option

We are thinking of switching over to this alert action from another less feature rich Teams connector. This connector appears much more configurable, however one thing that appears missing here is the ability to customize the themeColor on the MessageCard. This is important to us to indicate the type of alert being sent (e.g. red = something is broken, yellow is a warning, green is OK) Is that something you'd be open to adding as a configurable option?

Thanks!

Not compatible with new Teams app on iOS

Recently, the Teams app on iOS was upgraded to a new version, and this Splunk app is not compatible with the new Teams app. Teams only shows the title and does not show the message. Does anyone have suggestions on how to fix this?
Thanks

Can't configure alert

Hi,

Apologies if this question was asked earlier, but I was not able to find it. I have non-admin users that are unable to configure the alert. They are getting the message that "This alert action does not require any user configuration"

User has the msteams_alert_action and the run_sendalert capabilities specified in issue #45

Read the documentation here: https://ta-ms-teams-alert-action.readthedocs.io/en/latest/configuration.html#using-the-alert-action-for-non-admin-users but I am not seeing anything about this.

Is there something I am missing somewhere?

Thanks!

Ignore ssl verification.

In environments with ssl interception there is an error of SSL: CERTIFICATE_VERIFY_FAILED

Is there a workaround or the possibility to include this configuration?

Congrats for this project and thanks!

HttpPOST Action

What is the suggested way to implement the HttpPOST Action such that the activity on MSTeams is sent back to splunk? Can you provide guidance? Thanks

ensure aob configuration replicates in shc environment

AOB apps don't seem to have a default entry for the custom conf file they create. This will ensure the cluster replicates the settings to every member.

add server.conf in default folder with the following stanza and property:

[shclustering]
conf_replication_include.ta_ms_teams_alert_action_settings = true

Proxy trouble

Hello,

We are having some problems configuring the proxy in the Add-On.
If there is no proxy on our network, how can we set it? localhost:80?

Thank you.

Only first row of table is posted

When I try to post a table Splunk result to MS Teams, only the data of the first row is getting published. Is there any way to get the whole table published in table format itself.

duplicate messages are posting

Add-On was working good so far. But suddenly one alert triggered duplicate messages to Teams Channel and then stopped triggering altogether.
