All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Magnifying glass/drill-down for alerts is not working on Incident Posture in Alert Manager

chalak
Path Finder
‎03-07-2018 02:36 AM

Hello,

Please would you be able to help?

The magnifying glass/drill-down for alerts is not working for significant number of alerts. When clicked the magnifying glass next to a particular alert the AWS application is opened with the appropriate time range, however the search part of the URL is missing. Effectively the redirection from the icon is as follows:

splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...

Most of these alerts are based on searches which uses accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch which does not contain full search query.

Thank you for any suggestions.

Reply
1 Solution
Solved! Jump to solution
Solution

scannon4
Communicator
‎06-20-2018 11:30 AM

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that xml file that the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.

View solution in original post

Reply
Solved! Jump to solution

Hector_Ramos
Explorer
‎06-20-2018 11:41 AM

Yes thanks, I was the one who also posted on GitHub. This was the fix!

0 Karma
Reply
Solved! Jump to solution
Solution

scannon4
Communicator
‎06-20-2018 11:30 AM

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that xml file that the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.

Reply
Solved! Jump to solution

Hector_Ramos
Explorer
‎06-20-2018 11:45 AM

Thank again, I was also the one who posted n GitHub. This was the fix for me!

0 Karma
Reply
Solved! Jump to solution

scannon4
Communicator
‎06-20-2018 12:08 PM

How do you mark an answer AS the answer? Is that something you do?

0 Karma
Reply
Solved! Jump to solution

Hector_Ramos
Explorer
‎06-20-2018 12:11 PM

I tried to mark it as the answer but I think that's something that OP has to do unfortunately.

0 Karma
Reply
Solved! Jump to solution

scannon4
Communicator
‎06-20-2018 11:52 AM

Excellent I was not sure. 🙂

0 Karma
Reply
Solved! Jump to solution

scannon4
Communicator
‎06-20-2018 11:20 AM

Are you taking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?

0 Karma
Reply
Solved! Jump to solution

Hector_Ramos
Explorer
‎06-11-2018 02:47 PM

I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...