All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why would alerts show in "KPI Report - Incident Status" report as long runners, but not show up on incident posture page?

joshua_hart1
Path Finder
‎07-17-2015 09:44 AM

Occasionally, alerts will fire that seem to get stuck and never make it into the Incident Posture dashboard. When I check the Incident Status KPI dashboard, they show up in the Long Runners but searching for the incident id yields no results. Please advise. Thanks!

-Josh

Tags (1)
0 Karma
Reply

my2ndhead
SplunkTrust
SplunkTrust
‎07-26-2015 08:14 AM

I suspect, that some large events created as "index=alerts sourcetype=alert_metadata" may get truncated.

There's a bugfixes version of TA-alert_manager you could try out:

https://github.com/alertmanager/TA-alert_manager/tree/develop

Download as a zip file, and rename the directory to TA-alert_manager

0 Karma
Reply

joshua_hart1
Path Finder
‎07-27-2015 05:35 AM

Thanks, I'll give that a try and report back.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...