
What roles or capabilities are needed that Alerts will display in Incident Posture?

Panssa
New Member

I have users with the user and alert_manager roles.
They have these capabilities:
accelerate_search
change_own_password
edit_tcp
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
schedule_search
search

But if they create alerts with the actions Send email, Add to Triggered Alerts and Alert Manager, only Send email and Add to Triggered Alerts work. Alert Manager doesn't display the alert. If I add the capability admin_all_objects, the alert displays in Incident Posture.
I don't want to grant that capability. Is there some other way?


Simon
Contributor

Hi Panssa
Unfortunately, as of today it only works by granting admin_all_objects to a user to make the Alert Manager work. We are working on a solution to this issue.

Update:
As a workaround, create a user just for scheduling the alerts and assign the saved searches (alerts) to this user, which has admin_all_objects. Users who only view the Alert Manager don't need "admin_all_objects".

Sorry for not having better news,
Simon


Simon
Contributor

Hi Panssa

I've got an update for you. I've figured out how to schedule an alert as a non-admin and have incidents created.
The minimum required capabilities (besides everything from the 'user' role) are:

edit_tcp
list_settings
schedule_search

  • edit_tcp: to ingest data back into Splunk (writing to the 'alerts' index)
  • list_settings: to read the mail server settings so it can send customized e-mail notifications
  • schedule_search: to save a search as an alert

Within the next release (no ETA yet) of the Alert Manager, the 'alert_manager' role will contain those capabilities.

It also requires a slight modification to a Python library in the Alert Manager (NotificationHandler.py); see the latest commit on GitHub:
https://github.com/simcen/alert_manager/commit/e975ee4fdf38eea4584a7110c9735af297c0c253
You can download the latest version of the file (https://raw.githubusercontent.com/simcen/alert_manager/e975ee4fdf38eea4584a7110c9735af297c0c253/bin/...) and replace it in $SPLUNK_HOME/etc/apps/alert_manager/bin/lib/NotificationHandler.py

Let me know if you have any questions.
Thanks,
Simon

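To make the difference between the two approaches in this thread concrete, here is an authorize.conf fragment showing the over-privileged role the question describes next to a least-privilege role built from the three capabilities Simon lists. This is an added example, not configuration shipped with the Alert Manager app or posted by anyone in the thread; the role names alert_manager_admin_workaround and alert_scheduler are assumed, and you would add the stanza to $SPLUNK_HOME/etc/system/local/authorize.conf (or an app's local/authorize.conf) on the search head where the alerts are scheduled.

```ini
# Added example; role names are assumptions, not names used by the app.

# The approach the question ended up with: it works, but admin_all_objects
# lets the holder read and modify every knowledge object on the instance.
[role_alert_manager_admin_workaround]
importRoles = user
admin_all_objects = enabled

# Least-privilege alternative following the answer above: inherit the
# built-in 'user' role and add only the three capabilities it names.
[role_alert_scheduler]
importRoles = user
# write incident data back into Splunk (the 'alerts' index)
edit_tcp = enabled
# read the mail server settings for customized e-mail notifications
list_settings = enabled
# save a search as a scheduled alert
schedule_search = enabled
```

Assign alert_scheduler to the users who create the alerts and restart Splunk (or reload the configuration) for the stanza to take effect. Two caveats a reviewer would raise: edit_tcp is the capability that governs TCP input settings in general, so it is broader than "write to one index", and the role does nothing for the NotificationHandler.py change Simon mentions, which still has to be applied for non-admin scheduling to work.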
