Alert Manager: Why are no alerts showing up in a cloned Incident Posture dashboard?

Hello,

I wanted to play around with Incident Posture without modifying the original, so I created a clone of the dashboard. However, I am having issues getting the alerts to display properly in the clone. The alerts show up just fine in the original Incident Posture dashboard, and I haven't made any code modifications in the clone, so I'm not sure why that is.

I can only see the top half in the cloned dashboard (the part with trending information and the dropdowns/filters for "Recent Incidents"), but the bottom half, where the alerts should show up, is just blank. I don't see any errors printed in the console, and if I select "Edit Panels" and look at the search string, it is exactly the same as the one in the original.

Is there something hardcoded in the JavaScript files that I need to change in order for the alerts to be populated in cloned dashboards? Any help on this matter is greatly appreciated.

Thank you.

Re: Alert Manager: Why are no alerts showing up in a cloned Incident Posture dashboard?

To answer my own question, the issue is caused by the "Incident ID", "Title", and "Freeform Filter" fields. After checking Activity > Jobs, it looks like in the original dashboard, the token values are applied automatically when the search is run, so you'll see the alerts even if you leave those three fields blank. However, this is not the case for cloned dashboards.

To get the alerts to show up, just set * as the default value for those three fields, or type it in manually, and the alerts should display properly.
