All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

|loadincidentresults id return empty

droutin
New Member
‎05-22-2018 07:00 AM

Hello,
For some reasons details from incidents in "Incident Posture" are not available.

I have seen that the lookup is perfomed thanks to "| loadincidentresults incident_id".
I have modify the python script to include additional login and I can confirm that:
- The command is called correctly with the incident id argument
- The server response is just empty -> []

I tried to replay the command using curl and got the same results -> []

It just looks like the addition of the incident information in the dedicated KVStore never happens...
This is partially confirmed by the fact that this:
log.info("Results for incident_id=%s written to collection." % (incident_id))

Never happens in any logs.
splunk@splunk01:/opt/splunk/var/log/splunk$ grep "written to collect" alert*
splunk@splunk01:/opt/splunk/var/log/splunk$

We also tried to search in the logs for the incident id itself and founded that but no entries related to kvstore:
alert_manager_eventhandler.log:2018-05-22 14:51:26,741 INFO pid="24547" logger="alert_manager_eventhandler" message="event=incident_created

Any help would be much appreciated as without being able to drilldown on details make the application not usable...

Kind regards,

0 Karma
Reply

my2ndhead
SplunkTrust
SplunkTrust
‎06-01-2018 07:22 AM

Usually the "Save incident results to KVStore" checkbox under Settings -> Global Settings is not enabled.

Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...