Hello,
Please would you be able to help?
The magnifying glass/drill-down for alerts is not working for a significant number of alerts. When the magnifying glass next to a particular alert is clicked, the AWS application is opened with the appropriate time range, but the search part of the URL is missing. Effectively the redirection from the icon is as follows:
splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...
Most of these alerts are based on searches which use accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch, which does not contain the full search query.
Thank you for any suggestions.

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that XML file the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.
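The post above finds the stale local copy of the view XML by reading both files by hand. As an added example that is not part of this thread or of the alert_manager app, the following Python check compares the `<query>` of each `<search>` in a local Simple XML view with the copy shipped under default/, so an override left behind by an upgrade is reported directly (the sample XML is constructed, not the app's real view):

```python
# Added example (not from the thread or the alert_manager project): compare
# the <query> of every <search> in a local Simple XML view with the default
# that ships in the app, and report local overrides that have drifted.
import xml.etree.ElementTree as ET

# Constructed sample views: element names follow Splunk Simple XML, but the
# searches are made up and much shorter than the real ones.
DEFAULT_XML = """<form>
  <search id="incidents">
    <query>`incident_list` | table incident_id, status, urgency</query>
  </search>
  <row><panel><table>
    <search id="details">
      <query>index=alerts incident_id=$incident_id$ | fields eventSearch, earliest, latest</query>
    </search>
  </table></panel></row>
</form>"""

LOCAL_XML = """<form>
  <search id="incidents">
    <query>`incident_list` | table incident_id, status, urgency</query>
  </search>
  <row><panel><table>
    <search id="details">
      <query>index=alerts incident_id=$incident_id$ | fields eventSearch</query>
    </search>
  </table></panel></row>
</form>"""


def search_queries(xml_text):
    """Map each <search> to its whitespace-normalised <query> text, keyed by
    the id attribute when present, otherwise by document order."""
    queries = {}
    for pos, search in enumerate(ET.fromstring(xml_text).iter("search")):
        key = search.get("id") or "search#%d" % pos
        queries[key] = " ".join((search.findtext("query") or "").split())
    return queries


def stale_searches(local_xml, default_xml):
    """Return the keys of searches whose local query differs from the default."""
    local, default = search_queries(local_xml), search_queries(default_xml)
    return sorted(key for key in default if local.get(key) != default[key])


if __name__ == "__main__":
    for key in stale_searches(LOCAL_XML, DEFAULT_XML):
        print("search '%s' in the local view no longer matches the default" % key)
```

To run it against a real install, read the local and default view files from the app's data/ui/views directories and pass their contents in place of the two constants.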
Yes thanks, I was the one who also posted on GitHub. This was the fix!
Thanks again, I was also the one who posted on GitHub. This was the fix for me!

How do you mark an answer AS the answer? Is that something you do?
I tried to mark it as the answer but I think that's something that OP has to do unfortunately.

Excellent I was not sure. 🙂

Are you talking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?
I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!
