Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Alert Manager App: The alerts index has data, ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the Alert Manager app v2.0 on Splunk 6.3. I cannot get it to show any alerts on the Incident Posture screen. I also see "no records" trying to use the pivot screen, but when I do a simple search on index=alerts, I see records. I also see "incident created" messages in the log files, but nothing seems to show up on any of the screens for the Alert Manager application. I see in the logs that it is creating incidents and that it is then firing off the incident_created event. I see in the alert-handler log that it is firing for event=incident_created. And when I search index=alerts, I see records which seem to indicate incidents are getting created, but the Incident Posture screen is empty and I can't seem to pull anything up.
There are two other clues to this .... first is that on the Incident Posture screen, I don't see the colored squares with numbers in them (which is what the doc shows and what I used to see in the old version, which also wasn't getting incidents in). Instead I see "N/A" in those five areas below the time-range picker and above the Recent Incidents and selection criteria (Recent Incidents is blank). The second clue is that when I go to the Pivot within Alert Manager, I see a message which says Eventtype 'incident_change' does not exist or is disabled. I also see "Eventtype 'alert_metadata' does not exist or is disabled. " when I choose All Alerts.
Is there anybody who can assist with this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to answer my own question with this. I had upgraded the Alert Manager app from v1.1 to 2.0. I chose the "upgrade" process from the web UI to perform the app upgrade. I think it left some bad conf files in the local directory of the app. Also, there is a part of the install which had not completed properly, which was the add-on for TA-alert_manager-master files, which are a set of conf files which go on the indexers. So basically, I completely removed what was there for the app. I installed the master files on the indexers, and installed the alert_manager app on the search head, and all issues went away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to answer my own question with this. I had upgraded the Alert Manager app from v1.1 to 2.0. I chose the "upgrade" process from the web UI to perform the app upgrade. I think it left some bad conf files in the local directory of the app. Also, there is a part of the install which had not completed properly, which was the add-on for TA-alert_manager-master files, which are a set of conf files which go on the indexers. So basically, I completely removed what was there for the app. I installed the master files on the indexers, and installed the alert_manager app on the search head, and all issues went away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what are the master files you are referring to
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
