Hi,

We are having issues integrating full compatibility of Splunk Enterprise alerts in Opsgenie. The current Splunk app for opsgenie is not editable like slack or e-mail where you can choose what to capture directly from it. This is somewhat limiting our delivery of alerts and making them less dynamic. The fields captured by opsgenie do not have the critical component that we would like to hve, i.e MESSAGE.

To give you a bit of insight, our team is a 24x7 NOC that should receive Splunk alerts forwarded into Opsgenie and the alert must contain free text input related to triage steps and confluence links.

I would like to know if there are other alternatives in Splunk for example to concatenate free text in a splunk search query that can be captured by opsgenie current setup, for example:

Base query

index=*titanic*

and

Free Text Query

index=*titanic* | It doesn't end well

In the latter example, I want to make splunk concatenate the text to the search where i can append it to an alert and the freetext part would include the necessary triage steps and links needed for my team to go directly to conflueence.

I don't know if this is possible but maybe someone knows.