All Apps and Add-ons

What roles or capabilities are needed that Alerts will display in Incident Posture?

Panssa
New Member

I have users with user and alert_manager role.
They have capabilities:
accelerate_search
change_own_password
edit_tcp
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
schedule_search
search

but if they make alerts with actions: Send email, Add to Triggered Alerts and Alert Manager, only Send email and Add to Triggered Alerts works. Alert Manager dont display Alert. But if I add capability: admin_all_objects Alert displays in Incident Posture.
I dont't want to grant that capability, is there some other way?

Tags (1)
0 Karma
1 Solution

Simon
Contributor

Hi Panssa
Unfortunately by today, it only works granting admin_all_objects to a user to make the Alert Manager work. We are working on a solution in order to solve this issue.

Update:
As a workaround, create a user just for scheduling the alerts and assign the saved searches (alerts) to this user having admin_all_objects. Viewers only of the alert manager don't need to have "admin_all_objects".

Sorry for not having better news,
Simon

View solution in original post

0 Karma

Simon
Contributor

Hi Panssa

I've got an update for you. I've figured out to schedule an alert as non-admin and having incidents created.
The minimum of required capabilities (besides everything from the 'user' role) are:

edit_tcp
list_settings
schedule_search

  • edit_tcp: To ingest data back to Splunk (writing to 'alerts' index)
  • list_settings: To read mailserver settings so send customized e-mail notifications
  • schedule_search: To save a search as an alert

Within the next release (no ETA yet) of the Alert Manager, the 'alert_manager' role will contain those capabilities.

Also it requires a slight modification to a python library in the Alert Manager (NotificationHandler.py), see latest commit at github:
https://github.com/simcen/alert_manager/commit/e975ee4fdf38eea4584a7110c9735af297c0c253
You can download the latest version of the file (https://raw.githubusercontent.com/simcen/alert_manager/e975ee4fdf38eea4584a7110c9735af297c0c253/bin/...) and replace it in $SPLUNK_HOME/etc/apps/alert_manager/bin/lib/NotificationHandler.py

Let me know if you have any questions.
Thanks,
Simon

0 Karma

Simon
Contributor

Hi Panssa
Unfortunately by today, it only works granting admin_all_objects to a user to make the Alert Manager work. We are working on a solution in order to solve this issue.

Update:
As a workaround, create a user just for scheduling the alerts and assign the saved searches (alerts) to this user having admin_all_objects. Viewers only of the alert manager don't need to have "admin_all_objects".

Sorry for not having better news,
Simon

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...