All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert Manager App: The alerts index has data, by why are no alerts displayed on any dashboards?

rmeyer20
Engager
‎02-11-2016 07:51 AM

I am using the Alert Manager app v2.0 on Splunk 6.3. I cannot get it to show any alerts on the Incident Posture screen. I also see "no records" trying to use the pivot screen, but when I do a simple search on index=alerts, I see records. I also see "incident created" messages in the log files, but nothing seems to show up on any of the screens for the Alert Manager application. I see in the logs that it is creating incidents and that it is then firing off the incident_created event. I see in the alert-handler log that it is firing for event=incident_created. And when I search index=alerts, I see records which seem to indicate incidents are getting created, but the Incident Posture screen is empty and I can't seem to pull anything up.

There are two other clues to this .... first is that on the Incident Posture screen, I don't see the colored squares with numbers in them (which is what the doc shows and what I used to see in the old version, which also wasn't getting incidents in). Instead I see "N/A" in those five areas below the time-range picker and above the Recent Incidents and selection criteria (Recent Incidents is blank). The second clue is that when I go to the Pivot within Alert Manager, I see a message which says Eventtype 'incident_change' does not exist or is disabled. I also see "Eventtype 'alert_metadata' does not exist or is disabled. " when I choose All Alerts.

Is there anybody who can assist with this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmeyer20
Engager
‎02-12-2016 07:10 AM

I was able to answer my own question with this. I had upgraded the Alert Manager app from v1.1 to 2.0. I chose the "upgrade" process from the web UI to perform the app upgrade. I think it left some bad conf files in the local directory of the app. Also, there is a part of the install which had not completed properly, which was the add-on for TA-alert_manager-master files, which are a set of conf files which go on the indexers. So basically, I completely removed what was there for the app. I installed the master files on the indexers, and installed the alert_manager app on the search head, and all issues went away.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rmeyer20
Engager
‎02-12-2016 07:10 AM

I was able to answer my own question with this. I had upgraded the Alert Manager app from v1.1 to 2.0. I chose the "upgrade" process from the web UI to perform the app upgrade. I think it left some bad conf files in the local directory of the app. Also, there is a part of the install which had not completed properly, which was the add-on for TA-alert_manager-master files, which are a set of conf files which go on the indexers. So basically, I completely removed what was there for the app. I installed the master files on the indexers, and installed the alert_manager app on the search head, and all issues went away.

0 Karma
Reply
Solved! Jump to solution

bluemarvel
Path Finder
‎06-15-2016 08:43 AM

what are the master files you are referring to

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
li.common.scroll-to.top