
Magnifying glass/drill-down for alerts is not working on Incident Posture in Alert Manager

Path Finder

Hello,

Please would you be able to help?

The magnifying glass/drill-down for alerts is not working for a significant number of alerts. When the magnifying glass next to a particular alert is clicked, the AWS application is opened with the appropriate time range; however, the search part of the URL is missing. Effectively the redirection from the icon is as follows:

splunk_app_aws/search?q=search &earliest=YYYY-MM-DD...&latest=YYYY-MM-DD...

Most of these alerts are based on searches which use accelerated data models. I have noticed that an alert (in index=alerts) has the attribute eventSearch which does not contain the full search query.

Thank you for any suggestions.

1 Solution

SplunkTrust

I will post what I did to fix the event details not showing up at the bottom in Incident Posture. Maybe this will be the fix for your issue. When we upgraded alertmanager to the latest version, we apparently made some changes that created a local incidentposture.xml under /opt/splunk/etc/apps/alertmanager/local/data/ui/views. The upgrade did not update that file. I found that in that xml file the section has a search under it. That search did NOT match the same search in the updated securityposture.xml that is under default/data/ui/views/. I copied the updated search from the new default file into my local file and restarted Splunk. Fixed the issue.

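The fix above amounts to comparing the stale local override of a view with the app's updated default copy and spotting the panel whose search no longer matches. The following script is an added example, not part of this thread or of the Alert Manager app: it parses two Simple XML view files and reports every panel whose `<query>` text differs (or that exists in only one of the files). The two XML documents embedded below are constructed samples with a hypothetical panel id; in practice you would point `compare_view_files` at `default/data/ui/views/incidentposture.xml` and `local/data/ui/views/incidentposture.xml` under the app directory, since Splunk always lets `local/` shadow `default/` and an upgrade never rewrites `local/`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed-down default view as shipped by the app
# (hypothetical panel id and query; not the real Alert Manager view).
DEFAULT_VIEW = """<dashboard>
  <row>
    <panel id="incident_details">
      <title>Incident details</title>
      <table>
        <search>
          <query>index=alerts | table incident_id, title, eventSearch</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>"""

# Constructed sample: a stale local override that the upgrade left untouched.
LOCAL_VIEW = """<dashboard>
  <row>
    <panel id="incident_details">
      <title>Incident details</title>
      <table>
        <search>
          <query>index=alerts | table incident_id, title</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>"""


def panel_queries(xml_text):
    """Map each <panel> to the list of <query> strings it contains.

    The key is the panel's id attribute, falling back to its <title>, and
    finally to its position, so panels can be matched across the two files.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for idx, panel in enumerate(root.iter("panel")):
        key = panel.get("id") or (panel.findtext("title") or "").strip() or f"panel-{idx}"
        result[key] = [q.text.strip() for q in panel.iter("query") if q.text]
    return result


def diverging_panels(default_xml, local_xml):
    """Return (key, default_queries, local_queries) for every panel whose
    searches differ between the default view and the local override.
    A panel missing from one side shows up with None for that side."""
    default_map = panel_queries(default_xml)
    local_map = panel_queries(local_xml)
    diffs = []
    for key in sorted(set(default_map) | set(local_map)):
        if default_map.get(key) != local_map.get(key):
            diffs.append((key, default_map.get(key), local_map.get(key)))
    return diffs


def compare_view_files(default_path, local_path):
    """Convenience wrapper for real files on disk (paths are caller-supplied)."""
    with open(default_path, encoding="utf-8") as d, open(local_path, encoding="utf-8") as l:
        return diverging_panels(d.read(), l.read())


if __name__ == "__main__":
    for key, default_q, local_q in diverging_panels(DEFAULT_VIEW, LOCAL_VIEW):
        print(f"panel {key!r} differs")
        print("  default:", default_q)
        print("  local:  ", local_q)
```

Any panel the script lists is a candidate for the manual step in the answer above: copy the search from the default file into the local file (or delete the local override entirely if you never meant to customise it) and restart Splunk.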

Explorer

Yes thanks, I was the one who also posted on GitHub. This was the fix!

0 Karma

Explorer

Thanks again, I was also the one who posted on GitHub. This was the fix for me!

0 Karma

SplunkTrust

How do you mark an answer AS the answer? Is that something you do?

0 Karma

Explorer

I tried to mark it as the answer but I think that's something that OP has to do unfortunately.

0 Karma

SplunkTrust

Excellent I was not sure. 🙂

0 Karma

SplunkTrust

Are you talking about when you expand an alert in the table at the bottom? Is that blank?
Also is this not working after an upgrade?

0 Karma

Explorer

I'm having this issue as well with version 2.2.2. Hope someone posts an answer soon!

0 Karma