
Magnifying glass/drill-down for alerts is not working on Incident Posture in Alert Manager

chalak
Path Finder

Hello,

Please would you be able to help?

The magnifying glass/drill-down for alerts is not working for a significant number of alerts. When the magnifying glass next to a particular alert is clicked, the AWS application is opened with the appropriate time range, however the search part of the URL is missing. Effectively the redirection from the icon is as follows:

splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...

Most of these alerts are based on searches which use accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch which does not contain the full search query.

Thank you for any suggestions.

1 Solution

scannon4
SplunkTrust

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that xml file the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.

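A check for the situation scannon4 describes (a local view override whose search no longer matches the upgraded default), added here as an example and not part of the original thread or the alert_manager app: it parses a default and a local Simple XML view and reports every `<search>` whose `<query>` drifted or is missing locally. The XML contents and queries below are constructed samples; the real files are the default/data/ui/views and local/data/ui/views copies of the view under the app directory.

```python
import xml.etree.ElementTree as ET

# Constructed sample view XML standing in for the app's
# default/data/ui/views/incident_posture.xml and a stale local/... override.
# The queries are made up for illustration, not alert_manager's real searches.
DEFAULT_XML = """<form>
  <row><panel><table id="incidents">
    <search id="base"><query>index=alerts | fields alert, search_name, eventSearch</query></search>
  </table></panel></row>
  <row><panel><event id="details">
    <search id="details"><query>index=alerts | search $incident_id$</query></search>
  </event></panel></row>
</form>"""

LOCAL_XML = """<form>
  <row><panel><table id="incidents">
    <search id="base"><query>index=alerts | fields alert, search_name</query></search>
  </table></panel></row>
</form>"""


def search_queries(xml_text):
    """Map every <search> element (by id, else document order) to its whitespace-normalized <query> text."""
    queries = {}
    for n, search in enumerate(ET.fromstring(xml_text).iter("search")):
        query = search.find("query")
        text = query.text if query is not None and query.text else ""
        queries[search.get("id") or f"search#{n}"] = " ".join(text.split())
    return queries


def drifted_searches(default_xml, local_xml):
    """Return {id: (default_query, local_query)} for searches whose local copy differs
    from the default; local_query is None when the local file has no such search."""
    default_q, local_q = search_queries(default_xml), search_queries(local_xml)
    return {key: (dq, local_q.get(key))
            for key, dq in default_q.items() if local_q.get(key) != dq}


if __name__ == "__main__":
    # Replace the constructed strings with open(path).read() of the two real files.
    for key, (default_query, local_query) in drifted_searches(DEFAULT_XML, LOCAL_XML).items():
        print(f"{key}:\n  default: {default_query}\n  local:   {local_query}")
```

Searches that exist only in the local file are deliberately not flagged, since those are legitimate site additions rather than stale copies of the default.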

Hector_Ramos
Explorer

Yes thanks, I was the one who also posted on GitHub. This was the fix!


Hector_Ramos
Explorer

Thanks again, I was also the one who posted on GitHub. This was the fix for me!


scannon4
SplunkTrust

How do you mark an answer AS the answer? Is that something you do?


Hector_Ramos
Explorer

I tried to mark it as the answer but I think that's something that OP has to do unfortunately.


scannon4
SplunkTrust

Excellent I was not sure. 🙂


scannon4
SplunkTrust

Are you talking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?


Hector_Ramos
Explorer

I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!
