Magnifying glass/drill-down for alerts is not working on Incident Posture in Alert Manager

chalak
Path Finder

Hello,

Please would you be able to help?

The magnifying glass/drill-down for alerts is not working for a significant number of alerts. When the magnifying glass next to a particular alert is clicked, the AWS application is opened with the appropriate time range; however, the search part of the URL is missing. Effectively the redirection from the icon is as follows:

splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...

Most of these alerts are based on searches that use accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch, which does not contain the full search query.

Thank you for any suggestions.

1 Solution

scannon4
Communicator

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that XML file the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.

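The accepted fix above boils down to one check: does the search query inside the local copy of a Simple XML view still match the one shipped in the app's default copy? The following script is an added example, not code from alert_manager or from the poster. It parses two Simple XML views, pairs up each panel's <search><query> by panel title and position, and reports every query where the local override has drifted from (or is missing) the default. The local path is the one named in the post; the default path assumes the counterpart file has the same name under default/ (the post itself names security_posture.xml, so adjust if your install differs). The two embedded XML documents are constructed samples used when the real files are not present.

```python
"""Report <search> queries in a local Splunk Simple XML view that differ from the default view."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Local path as given in the post; the default counterpart is an assumption
# (same filename under default/ instead of local/).
LOCAL_PATH = Path("/opt/splunk/etc/apps/alert_manager/local/data/ui/views/incident_posture.xml")
DEFAULT_PATH = Path("/opt/splunk/etc/apps/alert_manager/default/data/ui/views/incident_posture.xml")

# Constructed sample standing in for the view shipped under default/.
DEFAULT_VIEW = """<dashboard>
  <label>Incident Posture</label>
  <row>
    <panel>
      <title>Incidents</title>
      <table id="incidents">
        <search>
          <query>index=alerts | stats count by alert</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
"""

# Constructed sample of a stale local override left behind by an older version.
LOCAL_VIEW = """<dashboard>
  <label>Incident Posture</label>
  <row>
    <panel>
      <title>Incidents</title>
      <table id="incidents">
        <search>
          <query>index=alerts | table alert</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
"""


def _norm(text):
    """Collapse whitespace so indentation differences do not count as drift."""
    return " ".join((text or "").split())


def extract_queries(xml_text):
    """Return {label: query} for every <search><query> in a Simple XML view.

    The label is the enclosing panel title plus the search's position inside
    that panel, so the same panel can be matched across two files even when
    the query text itself differs. Dashboard-level (base) searches are
    labelled "dashboard#<n>".
    """
    root = ET.fromstring(xml_text)
    queries = {}
    for pos, search in enumerate(root.findall("search")):
        queries[f"dashboard#{pos}"] = _norm(search.findtext("query"))
    for panel in root.iter("panel"):
        title = _norm(panel.findtext("title")) or "untitled"
        for pos, search in enumerate(panel.iter("search")):
            queries[f"{title}#{pos}"] = _norm(search.findtext("query"))
    return queries


def compare_views(default_xml, local_xml):
    """List (label, default_query, local_query) for each default search that the
    local override changes or omits (local_query is None when omitted)."""
    defaults = extract_queries(default_xml)
    overrides = extract_queries(local_xml)
    return [(label, query, overrides.get(label))
            for label, query in defaults.items()
            if overrides.get(label) != query]


def main():
    if LOCAL_PATH.exists() and DEFAULT_PATH.exists():
        default_xml, local_xml = DEFAULT_PATH.read_text(), LOCAL_PATH.read_text()
    else:
        print("Real view files not found; comparing the constructed samples instead.")
        default_xml, local_xml = DEFAULT_VIEW, LOCAL_VIEW
    diffs = compare_views(default_xml, local_xml)
    if not diffs:
        print("Local view matches default: no stale searches.")
        return 0
    for label, default_query, local_query in diffs:
        print(f"[{label}]\n  default: {default_query}\n  local:   {local_query}")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit status means at least one panel in the local view is still running an outdated query; copying the default query into the local file (or deleting the local override entirely so the default takes effect) and restarting Splunk is the remedy the post describes.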

Hector_Ramos
Explorer

Yes thanks, I was the one who also posted on GitHub. This was the fix!

0 Karma

Hector_Ramos
Explorer

Thanks again, I was also the one who posted on GitHub. This was the fix for me!

0 Karma

scannon4
Communicator

How do you mark an answer AS the answer? Is that something you do?

0 Karma

Hector_Ramos
Explorer

I tried to mark it as the answer but I think that's something that OP has to do unfortunately.

0 Karma

scannon4
Communicator

Excellent I was not sure. 🙂

0 Karma

scannon4
Communicator

Are you talking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?

0 Karma

Hector_Ramos
Explorer

I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!

0 Karma