icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Slack Audit App for Splunk
SHA256 checksum (slack-audit-app-for-splunk_109.tgz) 0c6d2079809f7812fb797efcb022d8d0e0e60ca7c929280e8892f4c39599b0a7
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Slack Audit App for Splunk

Splunk Cloud
Splunk Labs
This app is NOT supported by Splunk. Please read about what that means for you here.
The Slack Audit App for Splunk provides interactive searches and visualizations for monitoring what is happening in your Enterprise Grid organization. It works in conjunction with the Slack Add-on for Splunk, which is used to retrieve Slack Audit logs for your organization.

Slack Audit App for Splunk

The Slack Audit App for Splunk gives you critical insights into your Slack Enterprise Grid account.

The app includes:
A pre-built knowledge base of dashboards that deliver real-time visibility into your environment.
The dashboards showcase
- User Logins and Admin actions such as Users Added
- Popular App Installations, Approved and Retricted App Details
- File Activity
- Workspace Preference Change Activity
- Private/Public Channel Creations, User/Guest Joins and External Shared Channel Details

Setup Instructions

The Slack Audit App for Splunk needs Audit log data to be indexed into the slack_audit index.
Use the Technology Add-on to retrieve Slack Audit Logs : Slack Add-on for Splunk
Be sure to set the index to retrieve these logs into, to be named slack_audit

Preferences Activity Dashboard

The Preferences Activity Dashboard has the Event Timeline panel that relies on the Event Timeline App to be installed. Download the app to see the panel show up.


  • Verify that the the Slack Audit Logs are being populated into the right index, i.e., slack_audit
  • Verify that the Splunk account has access to the index containing the audit logs.
  • If not, perform the below steps to change the macro definition :
    • Navigate to Settings -> Advanced Search -> Search Macros
    • Set the App Context to be Slack Audit App for Splunk, Owner to be Any and Visible in the App
    • Click on the macro named slack_audit_log_index
    • Under its definition, change the name of the index to the index where slack audit log data is currently being populated.
    • Should you configure to index audit logs into multiple indexes, for example sending audit logs of different Enterprise Grid Slack Accounts/Organizations into different indexes, change the macro to reflect those indexes as well. For instance :
      • Production Enterprise Slack Account Audit log index : slack_audit
      • Dev Enterprise Slack Account Audit log index : slack_audit_dev
      • New macro definition : (index=slack_audit OR index=slack_audit_dev)
    • Click on Save to save the new configuration
    • Re-open the Slack Audit App for Splunk to see the dashboards displaying data.
  • Preferences Activity dashboard would require installation of the Event Timeline App

Please be advised that using this integration is permitted subject to your obligations, including data privacy obligations, under your agreement with Splunk.

Release Notes

Version 1.0.9
Aug. 7, 2020
  • Searches in all dashboards updated
  • File Statistics Dashboards updated for bug fixes

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.