Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Alert manager enterprise - Creation of events in index

MCH2018
Explorer
‎11-14-2023 02:51 AM

Hello everyone,

I am encountering an issue with the Alert Manager Enterprise application; following the triggering of an alert, no event is created in my dedicated index. The status of the health check is okay, and we are able to create test events:

MCH2018_1-1699959010947.png

 


 Another point to note is that in the application's troubleshooting logs, when an alert is triggered, the event creation occurs but nothing is created in the index:

MCH2018_2-1699959028621.png

There are no permission issues, as I have confirmed by manually writing a search that we can create events in the index:

| makeresults | eval user="TEST", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default

This successfully creates my event in my index. I have exhausted my troubleshooting ideas, do you have any suggestions on how to resolve this issue?

Thank you for your help.

MCH

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Datapunctum
Engager
‎11-14-2023 08:28 AM

Hi

There's a documentation bug for 2.0.0 as the tenant_uid has to be specified now.

The correct search would be:

| makeresults | eval user="World", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default param.tenant_uid=default

 Hope this helps!

 

View solution in original post

Reply
Solved! Jump to solution
Solution

Datapunctum
Engager
‎11-14-2023 08:28 AM

Hi

There's a documentation bug for 2.0.0 as the tenant_uid has to be specified now.

The correct search would be:

| makeresults | eval user="World", src="192.168.0.1", action="create test event" | sendalert create_alert param.title="Hello $result.user$" param.template=default param.tenant_uid=default

 Hope this helps!

 

Reply
Solved! Jump to solution

MCH2018
Explorer
‎11-15-2023 09:23 AM

Hello

Thank you, that indeed solved my issue. I also noticed that there are some screenshots in your documentation that are not up to date. It would be worth updating it for other users.

Thanks again for your response!

0 Karma
Reply
Solved! Jump to solution

_JP
Contributor
‎11-14-2023 08:10 AM

I don't have your answer...but it might be helpful to cross-post your question here:

Alert Manager Enterprise - Splunk Community

 

That is the "place" where questions about the Alert Manager Enterprise app on Splunkbase would go now, but I don't think there is any way to link this post with app right now.

Also, the folks at Datapunctum AG might have their eyes on that area for there app, and not here, for answering any questions.  

I'm going to tag one person I know at Datapunctum that I think worked on this app:  @my2ndhead 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...