All Apps and Add-ons

Alert Manager: How to retrieve an incident_id and a field from within that incident id from a search or api query

redacted
Explorer

I am looking to perform a rest lookup of an Alert Manager Incident ID and retrieve the fields that are included in the incident from the original alert. I can see these in the "Details" section of the alert when expanded showing as "Key" and "Value" I assume these are in the KV store somewhere, but I cannot seem to find them.

I can see the incident_id and actions performed against it in the "alerts" index, but I do not see any of fields that are put into the incident from the initial search/alert.

The fields I want are available in the initial index and the incident actions and notes are in the "alerts" index, is there any way to search and correlate the two?

Thanks

0 Karma
1 Solution

lweber
Path Finder

there are a few collections created by the Alert Manager, this could be the one you're looking for:
https://localhost:8089/servicesNS/nobody/alert_manager/storage/collections/data/incident_results

View solution in original post

lweber
Path Finder

there are a few collections created by the Alert Manager, this could be the one you're looking for:
https://localhost:8089/servicesNS/nobody/alert_manager/storage/collections/data/incident_results

redacted
Explorer

Thanks! that is almost what I was looking for, unfortunately these fields are still not listed in that data.

I was playing around with the app and if you paste the field you are looking for manually into the "comments" field alert manager will include that under the "notes" field in the "alerts" index and you can correlate all incident_id to the "notes" field

It is a horrible human hack, so I am hoping there is something I am missing somewhere.

0 Karma

redacted
Explorer

i took a look further through the data from that url and low and behold there was the data!!

Thanks Iweber!!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...