|loadincidentresults id return empty

New Member

Hello,
For some reason, details from incidents in "Incident Posture" are not available.

I have seen that the lookup is performed thanks to "| loadincidentresults incident_id".
I have modified the Python script to include additional logging and I can confirm that:
- The command is called correctly with the incident id argument
- The server response is just empty -> []

I tried to replay the command using curl and got the same results -> []

It just looks like the addition of the incident information in the dedicated KVStore never happens...
This is partially confirmed by the fact that this:
log.info("Results for incidentid=%s written to collection." % (incidentid))

Never happens in any logs.
splunk@splunk01:/opt/splunk/var/log/splunk$ grep "written to collect" alert*
splunk@splunk01:/opt/splunk/var/log/splunk$

We also tried to search the logs for the incident id itself and found it, but no entries related to the KV store:
alertmanagereventhandler.log:2018-05-22 14:51:26,741 INFO pid="24547" logger="alertmanagereventhandler" message="event=incident_created

Any help would be much appreciated, as not being able to drill down on details makes the application unusable...

Kind regards,


Re: |loadincidentresults id return empty

SplunkTrust

Usually the "Save incident results to KVStore" checkbox under Settings -> Global Settings is not enabled.