Hi everyone,
I have installed the alert manager on a single Splunk instance (indexer/search head all together).
I used the same procedure that I have been using to install it before:
Install the add-on, install the app itself, copy and paste the alert_handler.py script under /alert_manager/bin/scripts.
I didn't create a symlink, because when I did, Splunk couldn't find my script.
The alert manager is actually running properly, but I can't manipulate the fields of the incident on the incident settings.
I can't, because the search on the incident_settings page doesn't produce any results, so basically my file, inputlookup incident_settings, doesn't exist.
Splunk is running as root, and the permissions of all my apps, searches, everything are global. I'm also able to query my KV stores; I checked with all the other lookup files that the alert manager creates.
Checking splunkd.log, I got this error:
11-27-2015 11:23:07.217 +0000 ERROR script - sid:scheduler__admin_aW50ZWdyaXR5LXNpZW0__RMD5ffc946a04a0b88fb_at_1448623380_16769 command="runshellscript", Script: /opt/splunk/bin/scripts/alert_handler.py exited with status code: 1
That, I guess, is the reason why I'm not able to write to the incident_results lookup.
Could someone please help me solve this issue? I think it is only related to the script.
Thanks a million.
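As an added example (not from the original post or the Alert Manager project), the script below parses splunkd.log lines with the shape of the error quoted above, extracting the search id, the command, the script path and the exit code, and tallies failures per script path. This is a triage aid for the "exited with status code" symptom: it makes it obvious which script Splunk actually executed (here /opt/splunk/bin/scripts/alert_handler.py rather than an app-local bin/scripts directory) and how often it is failing. The sample log lines are constructed; the first one is the line from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches the splunkd.log line format shown in the post:
# "<date> <time> <tz> ERROR script - sid:<sid> command="<cmd>", Script: <path> exited with status code: <n>"
SCRIPT_ERROR_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>ERROR|WARN) script - sid:(?P<sid>\S+) '
    r'command="(?P<command>[^"]+)", Script: (?P<script>\S+) '
    r'exited with status code: (?P<code>\d+)$'
)


@dataclass
class ScriptFailure:
    """One alert-script failure record pulled out of splunkd.log."""
    timestamp: str
    sid: str
    command: str
    script: str
    exit_code: int


def parse_script_failure(line: str) -> Optional[ScriptFailure]:
    """Return a ScriptFailure for a matching log line, or None for anything else."""
    m = SCRIPT_ERROR_RE.match(line.strip())
    if not m:
        return None
    return ScriptFailure(
        timestamp=m.group("ts"),
        sid=m.group("sid"),
        command=m.group("command"),
        script=m.group("script"),
        exit_code=int(m.group("code")),
    )


def failures_by_script(lines: Iterable[str]) -> Dict[str, int]:
    """Count failing runs per script path, ignoring lines that are not script errors."""
    counts: Counter = Counter()
    for line in lines:
        failure = parse_script_failure(line)
        if failure is not None:
            counts[failure.script] += 1
    return dict(counts)


# Constructed sample input. The first line is the error quoted in the post; the
# second is a made-up second failure of the same script; the third is unrelated noise.
SAMPLE_LOG: List[str] = [
    '11-27-2015 11:23:07.217 +0000 ERROR script - sid:scheduler__admin_aW50ZWdyaXR5LXNpZW0__RMD5ffc946a04a0b88fb_at_1448623380_16769 command="runshellscript", Script: /opt/splunk/bin/scripts/alert_handler.py exited with status code: 1',
    '11-27-2015 11:28:07.501 +0000 ERROR script - sid:scheduler__admin_EXAMPLE__RMD5example_at_1448623680_16801 command="runshellscript", Script: /opt/splunk/bin/scripts/alert_handler.py exited with status code: 1',
    '11-27-2015 11:28:08.002 +0000 INFO  SavedSplunker - savedsearch_id="nobody;alert_manager;example", status=success',
]


if __name__ == "__main__":
    for path, n in failures_by_script(SAMPLE_LOG).items():
        print(f"{path}: {n} failing run(s)")
```

Run it against a real splunkd.log with `failures_by_script(open("/opt/splunk/var/log/splunk/splunkd.log"))`; a script path that does not match where you installed the handler is the first thing to check.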
Ok, I found a solution.
The problem wasn't the script but the incident settings page; basically I copied the XML code from an older version of the alert manager into the new one, and it's working fine : )