Magnifying glass/drill-down for alerts is not working on Incident Posture in Alert Manager

chalak
Path Finder

Hello,

Please would you be able to help?

The magnifying glass/drill-down for alerts is not working for a significant number of alerts. When the magnifying glass next to a particular alert is clicked, the AWS application is opened with the appropriate time range, however the search part of the URL is missing. Effectively the redirection from the icon is as follows:

splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...

Most of these alerts are based on searches which use accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch which does not contain the full search query.

Thank you for any suggestions.

1 Solution

scannon4
SplunkTrust

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that xml file the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.

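The failure mode described in the solution above is a stale copy of a view under local/ shadowing the updated one under default/ after an app upgrade. The following script is an added example, not part of this thread or of the alert_manager app: it parses two Splunk Simple XML view files, extracts the search query of every panel, and reports panels whose query in local/ differs from default/. The two embedded XML documents are constructed samples with hypothetical panel titles and queries; the real files live at the paths scannon4 gives (default/data/ui/views and local/data/ui/views), which you would pass to compare_files instead.

```python
import xml.etree.ElementTree as ET
from typing import Dict


# Constructed sample of a view shipped in default/ by an app upgrade.
# Element layout follows Splunk Simple XML (row/panel/table/search/query);
# panel titles and queries are hypothetical, not alert_manager's own.
DEFAULT_VIEW_XML = """<dashboard>
  <row>
    <panel>
      <title>Incidents</title>
      <table>
        <search>
          <query>`incident_posture_base` | stats count by status</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Incident details</title>
      <table>
        <search>
          <query>index=alerts sourcetype=incident | table _time title search</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>"""

# Constructed sample of a copy saved under local/ before the upgrade: the
# second panel still carries the old query, so it shadows the updated default.
LOCAL_VIEW_XML = """<dashboard>
  <row>
    <panel>
      <title>Incidents</title>
      <table>
        <search>
          <query>`incident_posture_base` | stats count by status</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Incident details</title>
      <table>
        <search>
          <query>index=alerts | table _time title</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>"""


def extract_panel_queries(xml_text: str) -> Dict[str, str]:
    """Map each panel title to its (whitespace-normalised) search query.

    Panels without a <title> are keyed by their position, e.g. "panel[2]".
    Only the first <query> under a panel is considered; that is enough to
    spot the divergence discussed in the thread.
    """
    root = ET.fromstring(xml_text)
    queries: Dict[str, str] = {}
    for index, panel in enumerate(root.iter("panel")):
        title_el = panel.find("title")
        title = title_el.text.strip() if title_el is not None and title_el.text else f"panel[{index}]"
        query_el = panel.find(".//query")
        if query_el is None or not query_el.text:
            continue
        queries[title] = " ".join(query_el.text.split())
    return queries


def find_drift(default_xml: str, local_xml: str) -> Dict[str, Dict[str, str]]:
    """Return panels present in both files whose query text differs."""
    default_q = extract_panel_queries(default_xml)
    local_q = extract_panel_queries(local_xml)
    drift: Dict[str, Dict[str, str]] = {}
    for title, dq in default_q.items():
        lq = local_q.get(title)
        if lq is not None and lq != dq:
            drift[title] = {"default": dq, "local": lq}
    return drift


def compare_files(default_path: str, local_path: str) -> Dict[str, Dict[str, str]]:
    """Convenience wrapper for real files, e.g. the two incident_posture.xml copies."""
    with open(default_path, encoding="utf-8") as d, open(local_path, encoding="utf-8") as l:
        return find_drift(d.read(), l.read())


if __name__ == "__main__":
    for title, pair in find_drift(DEFAULT_VIEW_XML, LOCAL_VIEW_XML).items():
        print(f"panel '{title}' differs:")
        print(f"  default: {pair['default']}")
        print(f"  local:   {pair['local']}")
```

Running it on the samples flags only the "Incident details" panel, which is the shape of the problem in the thread: the local/ copy keeps an older query while default/ has moved on. Splunk merges local/ over default/, so any panel reported here is one where the upgrade's fix is being ignored until the local copy is updated or removed.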

Hector_Ramos
Explorer

Yes thanks, I was the one who also posted on GitHub. This was the fix!

Hector_Ramos
Explorer

Thanks again, I was also the one who posted on GitHub. This was the fix for me!


scannon4
SplunkTrust

How do you mark an answer AS the answer? Is that something you do?


Hector_Ramos
Explorer

I tried to mark it as the answer but I think that's something that OP has to do unfortunately.


scannon4
SplunkTrust

Excellent I was not sure. 🙂


scannon4
SplunkTrust

Are you talking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?


Hector_Ramos
Explorer

I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!
