Re: AME not showing alerts in app

HopyardMiner · ‎06-06-2025

I have successfully setup AME and tested the tenant connection and get back connector is healthy. I can also send test event from the tenant setup page and can see it in the default index. If I go to events there is not test not any of the alerts I have configured to send to AME even though I can see them in the traditional triggered alerts as they are still configured as well. Looking in _internal I do see the below error:

2025-06-06T11:24:06.612+00:00 version=3.4.0 log_level=ERROR pid=1615220 s=AbstractHECWrapper.py:send_chunk:304 uuid=***************** action=sending_event reason="[Errno 111] Connection refused"

Seems to suggest there is an issue with HEC, but the tenant shows green/healthy and the test comes to the index. Any assistance would be appreaciated.

Also, if I create an event from the Events page, that does show up in the app:

seiimonn · ‎06-07-2025

Hi!

If the logs produced by AME can not be sent to the index, you will not get any alert data when expanding events.

It would be easiest if you could open a support case in our support portal and provide the output of the following search as a CSV export.

index=_internal source=*ame* ERROR | table _time host source _raw

Regards,
Simon

HopyardMiner · ‎06-06-2025

Seeing events now. The default template needed a notification assigned and that notification needed to be defined as there was none. The error mentioned above is still showing but am not sure if it is causing any seen issues.

AME not showing alerts in app

other

troubleshooting

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?