icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Splunkbase will be undergoing a scheduled migration and will be unavailable on Saturday, Oct 1, 2022, from 11AM to 3PM PDT

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Slack Add-on for Splunk
SHA256 checksum (slack-add-on-for-splunk_200.tgz) 7cb81dde5f6234b1b3c211a70eb10bee7b444cc24994daacee132375da441067 SHA256 checksum (slack-add-on-for-splunk_109.tgz) 584454ec2f178bf5d2a1c9ff873a44acd855811b355bc0d86505962d58abd60b
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Slack Add-on for Splunk

Splunk Cloud
Splunk Labs
This app is NOT supported by Splunk. Please read about what that means for you here.
This add-on is designed to provide comprehensive data collection and field extraction for Slack Enterprise Grid Organization Audit Logs.

While this app is not formally supported, the developer can be reached at gsa-request@splunk.com. Responses are made on a best-effort basis. Feedback is always welcome and appreciated!
Learn more about splunk-usergroups slack here: https://docs.splunk.com/Documentation/Community/current/community/Chat#Join_us_on_Slack

Slack Add-on for Splunk

The Slack Add-on for Splunk uses the Slack Audit Logs API to fetch Slack Enterprise Grid Audit Logs into Splunk.

Getting Started

The Audit Logs API is for monitoring the audit events happening in an Enterprise Grid organization to ensure continued compliance, to safeguard against any inappropriate system access, and to allow you to audit suspicious behavior within your enterprise.

The idea is to give Enterprise Grid organization owners the ability to query user actions in a workspace. With this API, you could:

  • Automatically feed Slack access data into an SIEM or other auditing tool
  • Proactively monitor for potential security issues or malicious access attempts
  • Write custom apps to gain insight into how your organization uses Slack

Learn more about Monitoring with the Audit Logs API

Installation and Configuration Steps

This application can be installed an On-Prem or Cloud deployments of Splunk.

Installation Steps for on-prem

Install the TA on one of the Heavy Forwarder(s). Ensure to copy over eventtypes.conf, props.conf and tags.conf over to your search head to make sure field aliases, event types and tags for data model mapping comes through.

Installation Steps for cloud

Create a support ticket with APP-CERT reference to get the app installed on a Cloud instance OR follow the cloud-ops recommended set of actions to install non-published applications.

Configuration steps

The configuration steps are common for on-prem and cloud. Please follow the following steps in order:
1. Open the Web UI for the Heavy Forwarder (or IDM).
2. Navigate to the Splunk Add on for Slack from the Manage Apps Section. Be sure not to configure the inputs from the Data Inputs section of Splunk, as this could lead to some unexpected failures.
3. Navigate to the Configuration page of the Add-on and click on the Add button.
4. Enter a name in the Slack Account name textbox.
5. Click on the Add to Slack button to generate your Access Token, beginning with xoxp (with scope auditlogs:read). Follow the instructions below to generate this. If you brought your own, paste the Access Token here.
6. Click on Add to save this configuration.
7. Navigate to the Inputs tab.
8. Click on Create New Input button on the top right corner.
9. Enter the following details:
- Name (required): Provide a unique name for the input.
- Interval (required): Provide a number in seconds for the query interval.
- Index (required): Select the index from the dropdown list. Set the default index to be slack_audit, if using in conjuction with the Slack Audit App for Splunk.
- Start Time (required): Enter the time from which to begin querying, in the format yyyy-mm-dd hh:mm:ss. The default has been set to 2018-01-01 00:00:00.
- Enterprise Slack Account (required): Select the Account configured on Step 6.
10. Click on Add to save the input.
11. To check for any logs or errors, navigate to the Search tab and enter the below search index=_internal source="*ta_slack_add_on_for_splunk_*.log".

Access Token Generation - Authentication Step

  1. Click on the Add to Slack button to initiate the Authentication flow.
  2. Sign into your organization's Enterprise Grid Slack account from the Sign in page. Please note : Audit logs can only be retrieved by the org owner in a Slack Enterprise account.
  3. You will be presented with a screen to authorize the Slack Audit API App to collect the audit log information from your Enterprise Grid account. Click on Content and info about you and the Administer Slack for your organization options to see what the app can view. Should you see this screen, skip step 4 and proceed onto 5.
  4. If you are not presented with the content in Step 3, close the dialog box and re-initiate the authentication process from Step 1.
  5. Click on Allow to generate your access token.
  6. The access token should now be generated. On the Access Token Generated page, click on the Copy Access Token button to copy the token to your clipboard and close the pop up window.
  7. Manually paste the Access token into the Access Token text box of your Input configuration page.
  8. The Access token should be about 79-80 characters long. If the character length of the pasted token isn't roughly the same size, re-initiate the authentication process to generate the token from Step 1.

Pre-requisites, FAQ and Troubleshooting

  1. Initially, the sheer volume of audit logs could be large.
  2. The checkpoints used in the add-on reside in the KV store. Ensure sufficient permissions and access to the KV Store.
  3. If a run of the add-on stopped for any reason, a checkpoint for each input will be stored, with the name ending with _last_accessed_url. This is an indication of an error that must have occurred in the previous run. The input can be restarted (Disable the input first and then enable it) after the cause of failure has been fixed, so it picks up the run from the recorded last successful run.
  4. If using in conjuction with the Slack Audit App for Splunk, ensure the target index is configured as slack_audit, so that the dashboards on the app populate automatically.
  5. Ensure not to configure the inputs from the Data Inputs section of Splunk, as this could lead to some unexpected failures.
  6. If you observe that the field extraction of _time does not match the field date_create, ensure to add an additional line in props.conf under the slack:audit stanza like shown below and deploy it to all indexers.
    TIME_PREFIX = \"date_create\"\:

Release Notes

Version 2.0.0
July 28, 2022

Python 3 libs and Jquery updates.
Support for Splunk Cloud.

Version 1.0.9
Sept. 12, 2020

Fixed timestamp recognition to point to date_create field

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.