Hello,
Please would you be able to help?
The magnifying glass/drill-down for alerts is not working for a significant number of alerts. When the magnifying glass next to a particular alert is clicked, the AWS application is opened with the appropriate time range, but the search part of the URL is missing. Effectively the redirection from the icon is as follows:
splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...
Most of these alerts are based on searches which use accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch, which does not contain the full search query.
Thank you for any suggestions.
I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alert_manager to the latest version, we apparently made some changes that created a local incident_posture.xml under /opt/splunk/etc/apps/alert_manager/local/data/ui/views. The upgrade did not update that file. I found that in that XML file the section has a search under it. That search did NOT match the same search in the updated security_posture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.
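The stale local override described above can be caught mechanically: the following is an added example (not part of this thread or of the alert_manager app) that parses a Splunk Simple XML view and reports every `<search><query>` whose text in the local copy differs from the default copy of the same file. The sample XML, the search id and the queries in it are constructed for illustration; `stale_local_views` takes a real app directory such as /opt/splunk/etc/apps/alert_manager.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

def extract_queries(xml_text):
    """Map each <search> (by id, else by position) to its whitespace-normalised <query> text."""
    root = ET.fromstring(xml_text)
    queries = {}
    for i, search in enumerate(root.iter("search")):
        q = search.find("query")
        if q is None or q.text is None:
            continue
        sid = search.get("id") or f"search_{i}"
        queries[sid] = " ".join(q.text.split())
    return queries

def diff_view_queries(default_xml, local_xml):
    """Return (id, default_query, local_query) for every default search the local copy
    overrides with different text or drops entirely (local_query is None)."""
    default_q = extract_queries(default_xml)
    local_q = extract_queries(local_xml)
    diffs = []
    for sid, dq in default_q.items():
        lq = local_q.get(sid)
        if lq != dq:
            diffs.append((sid, dq, lq))
    return diffs

def stale_local_views(app_dir):
    """Walk <app>/local/data/ui/views and report views whose queries no longer match default/."""
    app_dir = Path(app_dir)
    report = {}
    for local_file in (app_dir / "local/data/ui/views").glob("*.xml"):
        default_file = app_dir / "default/data/ui/views" / local_file.name
        if not default_file.exists():
            continue  # purely local view, nothing to compare against
        diffs = diff_view_queries(default_file.read_text(), local_file.read_text())
        if diffs:
            report[local_file.name] = diffs
    return report

# Constructed sample: the shipped default carries an updated search, the local copy the old one.
DEFAULT_VIEW = """<dashboard><row><panel><table>
  <search id="incident_details"><query>index=alerts | table _time, title, severity</query></search>
</table></panel></row></dashboard>"""
LOCAL_VIEW = """<dashboard><row><panel><table>
  <search id="incident_details"><query>index=alerts | table _time, title</query></search>
</table></panel></row></dashboard>"""

if __name__ == "__main__":
    for sid, dq, lq in diff_view_queries(DEFAULT_VIEW, LOCAL_VIEW):
        print(f"{sid}\n  default: {dq}\n  local:   {lq}")
```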
Yes thanks, I was the one who also posted on GitHub. This was the fix!
Thanks again, I was also the one who posted on GitHub. This was the fix for me!
How do you mark an answer AS the answer? Is that something you do?
I tried to mark it as the answer but I think that's something that OP has to do unfortunately.
Excellent I was not sure. 🙂
Are you talking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?
I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!