Hi  Everyone,

I have one requirement .

I am creating Incidents from splunk.

Below is my search query:

index=abc  ns=blazepsfpublish ("NullPointerException" OR "IllegalStateException" OR "RuntimeException" OR "NumberFormatException" OR "NoSuchMethodException" OR "ClassCastException" OR "ParseException" OR "InvocationTargetException" OR "OutOfMemoryError")| rex "message=(?<ExceptionMessage>[^\n]+)"|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S.%3N")|cluster showcount=t t=0.9|table app_name, ExceptionMessage,cluster_count,_time, environment, pod_name,ns|dedup ExceptionMessage,pod_name|rename app_name as APP_NAME, _time as Time, environment as Environment, pod_name as Pod_Name,cluster_count as Count

while creating Incident through Sahara I am putting this in my $result.table$.

but I ma getting incident like this:

actual_reporter_group: GL
origin_source: splunk
monitor_source: Splunk COE
pipeline_source: Sahara, packet_id: a72f20ac-51b6-42b2-96de-e99b00a0daa4
time_stamp: 2021-03-31T06:30:36.0316552Z
sahara_severity: Minor
enriched_workgroups: GL
incident_key: item.source=Splunk COE;item.ticketingKey=Splunk-SAHARA-Forwarder-Alert-Action :: Incident Testing Alert :: E3 :: splunk ::

can someone guide me why I am not getting proper data.

What should I enter in uniqueID to get the proper data.

Thanks in advance