All Apps and Add-ons

Alert Manager: Why are no alerts showing up in a cloned Incident Posture dashboard?

Moonveil
Explorer

Hello,

I wanted to play around with Incident Posture without modifying the original, so I created a clone of the dashboard. However, I am having issues getting the alerts to display properly in the clone. The alerts show up just fine in the original incident posture dashboard, and I haven't made any code modifications in the clone, so I'm not sure why that is.

I can only see the top half in the cloned dashboard, (the part with trending information and the dropdowns/filters for "Recent Incidents"), but the alerts that should show up in the bottom half is just blank. I don't see any errors printed in the console, and if I select "Edit Panels" and look at the search string, it is exactly the same as the one in the original.

Is there something hardcoded in the javascript files that I need to change in order for the alerts to be populated in cloned dashboards? Any help on this matter is greatly appreciated.

Thank you.

1 Solution

Moonveil
Explorer

To answer my own question, the issue is caused by the "Incident ID", "Title", and "Freeform Filter" fields. After checking Activity > Jobs, it looks like in the original dashboard, the token values are applied automatically when the search is run, so you'll see the alerts even if you leave those three fields blank. However, this is not the case for cloned dashboards.

To get the alerts to show up, just set * as the default value for those three fields, or type it in manually and the alerts should display properly.

View solution in original post

Moonveil
Explorer

To answer my own question, the issue is caused by the "Incident ID", "Title", and "Freeform Filter" fields. After checking Activity > Jobs, it looks like in the original dashboard, the token values are applied automatically when the search is run, so you'll see the alerts even if you leave those three fields blank. However, this is not the case for cloned dashboards.

To get the alerts to show up, just set * as the default value for those three fields, or type it in manually and the alerts should display properly.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...