Skip to main content

How to Obtain Slack Data for eDiscovery and Investigations

April 26, 2018  |  7 min read

Slack Chat Abstract

We've updated our Guide to Discovery and Investigations in Slack! A guide to handling Slack data in litigation and internal investigations, this guide lays out the basics of Slack, from an introduction to the app, to Slack preservation settings, how to export data from Slack, and tips for efficient, effective review. Read it online or download your copy here. 

On Monday, Logikcull launched its new Slack feature, allowing legal teams to deal with Slack data simply and easily. This feature opens up a whole new world of valuable data for modern legal professionals, as the email inbox is increasingly replaced by other forms of communication. Companies that adopt Slack, for example, see email usage decline by 48.6 percent on average. And that’s a lot of companies. Slack has more than seven million daily users and is used by more than 70 percent of the Fortune 100. If you’re not dealing with Slack data, you’re letting potentially game-changing evidence go undiscovered.

Slack data can be extremely rich. Each message log contains information on text, attachments, response types, edits and deletions, and more. In addition to messages, Slack’s integrations allow it to operate as a centralized hub for all sorts of information. A Slack integration can create a notification every time a spreadsheet is updated, for example, or allow you to make payroll and finance decisions directly from the platform.

Slack’s app directory lists dozens of apps broken down by categories such as file management, finance, project management, security and compliance, and more. The Time Doctor app tracks user activities and provides statistics on “where time was spent such as viewing websites and applications used when working.” The Stripe app sends messages when charges are made, invoices updated, transfers sent and more. The Spectr app offers real-time legal advice, delivered directly in Slack, from a “professional legal advisor.” These are in addition to incredibly popular integrations like Google Drive, Zoom, Jira, and Salesforce.

A poll in Slack.

All of this creates a potentially discoverable record within Slack.

But how do you get that data in the first place?

Exporting Data From Slack

For teams looking into Slack data, accessing everything Slack records can be difficult. First, the type of Slack plan one has will impact how easily Slack data can be retrieved. Right now, Slack has four primary pricing plans:

  • Free plans, primarily used by smaller organizations
  • Standard plans, designed for most businesses
  • Plus plans, allowing for more control over data
  • Enterprise plans, for large organizations operating across several Slack workspaces

Currently, Slack allows workspace owners and administrators, across all plans, to easily export data from public channels.

That data includes public messages, public files, archived channels, and integration activity logs.     

To obtain data on editing and deletion, or to access records from private channels and direct messages, the process is more difficult.

Administrators of free and standard plans must request access to export all workspace data. They are required to provide either:

  • Valid legal process,
  • Consent of members, or
  • A requirement or right under applicable laws

Enterprise customers, on the other hand, can export all data, public or private, and may integrate third-party applications to export, retain, and archive messages and files continuously.

Currently, data exports are obtained through what Slack calls a “Compliance Export.” Slack data can be exported, depending on a plan’s particular limitations, from a workspace’s administration menu. (Here’s a step-by-step guide.) Slack is ending their Compliance Export feature on May 25, 2018, however, and replacing it with “Corporate Export.” Through Corporate Export, administrators will need to create a request to export all their Slack data. (Here’s how that’s done.)

Once your export is ready, it can be downloaded in a .zip file with message history in JSON format and links to shared files.

Data Retention In Slack

Keep in mind, too, what Slack data may be available. Slack can quickly generate vast amounts of information. There are, first and foremost, the millions of messages that can be exchanged in a workspace in one day. Then there is the associated metadata, the timestamps, channel information, edit logs and the like. And don’t forget all the records created by integrations.

By default, that data is stored forever. But, Slack allows workspace owners to customize their message and file retention policies. Files may be kept for the lifetime of the workspace or deleted after a specified time period.

Message retention can be set to:

  • Retain everything, forever
  • Retain all messages but not revisions
  • Delete messages and revisions after a specified period
  • Let users set their own retention policies

Retaining all information is Slack’s default setting. If an administrator does not take action to change their retention policy, they could soon find themselves sitting upon a vast history of Slack conversations, reactions, integrations, and more—a potentially valuable resource, or a possibly costly liability, depending on your perspective.

Under the last option, individual team members control the retention of data in private channels and direct messages. One user’s messages could be eradicated at the end of every day, while another’s are preserved for all time. It's not the cleanest approach to information governance.

How a workspace’s data is retained will impact what is available for export and, subsequently, use in an investigation or discovery process.

Making Sense of Slack Data

Then there’s a question of what to do with that information once you have it. As mentioned above, Slack exports come in JSON format. JSON is the JavaScript Object Notation file format. JSON makes exchanging data between machines easy. To interpret that data, however, you need a degree in computer programming—or a tool that can make sense of it.

Here, for example, is what a simple record of a user joining a channel looks like when exported directly from Slack:


"user": "UA0JHQYUT",

"text": "<@UA0JHQYUT> has joined the channel",

"type": "message",

"subtype": "channel_join",

"ts": "1522794741.000217"


The more complex a record becomes, the more difficult it is to parse. The information for a single comment on a shared file, for example, can easily stretch over three pages, almost all of it nearly indecipherable. This is not data that’s made for easy review.

To take advantage of Slack data, you’ll need a tool that allows you to make sense of it. Today, Logikcull lets you do so easily, intuitively, and reliably.  Once your data is exported from Slack, it can quickly be uploaded to Logikcull. During the upload process, that data goes through 3,000 automated processing steps: text is rendered and indexed for the most accurate eDiscovery search available, metadata is extracted and preserved to protect against spoliation, quality control tags are applied, and much more.

Most importantly, Logikcull turns Slack data from this:


  “user”: “U6NJNUGSH”,

  “inviter”: “U5KTXUGSW”,

  “text”: “ has joined the channel”,

  “type”: “message”,

  “subtype”: “channel_join”,

“ts”: “1502749986.378906”



  “user”: “U026B7H8B”,

      “inviter”: “U5KTXUGSW”,

      “text”: “ has joined the channel”,

      “type”: “message”,

      “subtype”: “channel_join”,

      “ts”: “1502749986.378906”


To this:

A rendering of Slack data in Logikcull ediscovery and investigations platform

It’s the closest thing a legal team can get to a searchable log of all conversation and knowledge, to Slack.

For more information on discovery and investigations in Slack, download our new guide here.


This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at or on Twitter at @caseycsull.