Alert Manager: Why are no alerts showing up in a cloned Incident Posture dashboard?

Moonveil
Explorer

Hello,

I wanted to play around with Incident Posture without modifying the original, so I created a clone of the dashboard. However, I am having issues getting the alerts to display properly in the clone. The alerts show up just fine in the original Incident Posture dashboard, and I haven't made any code modifications in the clone, so I'm not sure why that is.

I can only see the top half in the cloned dashboard (the part with trending information and the dropdowns/filters for "Recent Incidents"), but the alerts that should show up in the bottom half are just blank. I don't see any errors printed in the console, and if I select "Edit Panels" and look at the search string, it is exactly the same as the one in the original.

Is there something hardcoded in the JavaScript files that I need to change in order for the alerts to be populated in cloned dashboards? Any help on this matter is greatly appreciated.

Thank you.

1 Solution

Moonveil
Explorer

To answer my own question, the issue is caused by the "Incident ID", "Title", and "Freeform Filter" fields. After checking Activity > Jobs, it looks like in the original dashboard, the token values are applied automatically when the search is run, so you'll see the alerts even if you leave those three fields blank. However, this is not the case for cloned dashboards.

To get the alerts to show up, just set * as the default value for those three fields, or type it in manually and the alerts should display properly.
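
A way to check a cloned dashboard for this condition, as an added example that is not part of the original post or of the Alert Manager app: a Simple XML search that references a token with no value does not run, so the script lists every query that depends on an input lacking a `<default>` or `<initialValue>`. The dashboard source, token names and query below are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed dashboard source; token names and the query are hypothetical,
# not taken from the Alert Manager app.
SAMPLE_DASHBOARD = """
<form>
  <fieldset>
    <input type="text" token="incident_id"><label>Incident ID</label></input>
    <input type="text" token="title"><label>Title</label><default>*</default></input>
    <input type="text" token="freeform"><label>Freeform Filter</label></input>
    <input type="time" token="span"><default><earliest>-24h</earliest></default></input>
  </fieldset>
  <row><panel><table><search>
    <query>index=example incident_id="$incident_id$" title="$title$" $freeform$</query>
  </search></table></panel></row>
</form>
"""

# Matches $token$, $form.token$ and filtered forms such as $token|s$.
TOKEN_RE = re.compile(r"\$(?:form\.)?(\w+)(?:\|\w+)?\$")

def has_value(elem):
    """True if a <default>/<initialValue> element carries text or child elements."""
    return elem is not None and (len(elem) > 0 or bool((elem.text or "").strip()))

def inputs_without_default(xml_text):
    """Map token name -> label for every input that starts with no value."""
    missing = {}
    for inp in ET.fromstring(xml_text).iter("input"):
        token = inp.get("token")
        if token and not (has_value(inp.find("default")) or has_value(inp.find("initialValue"))):
            missing[token] = inp.findtext("label", default=token)
    return missing

def blocked_queries(xml_text):
    """List (query, unset_tokens) for searches that reference a token with no default."""
    missing = inputs_without_default(xml_text)
    report = []
    for query in ET.fromstring(xml_text).iter("query"):
        unset = sorted(set(TOKEN_RE.findall(query.text or "")) & set(missing))
        if unset:
            report.append((" ".join(query.text.split()), unset))
    return report

if __name__ == "__main__":
    for query, unset in blocked_queries(SAMPLE_DASHBOARD):
        print("waiting on:", ", ".join(unset), "->", query)
```
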
