For some reasons details from incidents in "Incident Posture" are not available.
I have seen that the lookup is perfomed thanks to "| loadincidentresults incident_id".
I have modify the python script to include additional login and I can confirm that:
- The command is called correctly with the incident id argument
- The server response is just empty -> 
I tried to replay the command using curl and got the same results -> 
It just looks like the addition of the incident information in the dedicated KVStore never happens...
This is partially confirmed by the fact that this:
log.info("Results for incidentid=%s written to collection." % (incidentid))
Never happens in any logs.
splunk@splunk01:/opt/splunk/var/log/splunk$ grep "written to collect" alert*
We also tried to search in the logs for the incident id itself and founded that but no entries related to kvstore:
alertmanagereventhandler.log:2018-05-22 14:51:26,741 INFO pid="24547" logger="alertmanagereventhandler" message="event=incident_created
Any help would be much appreciated as without being able to drilldown on details make the application not usable...