Hello, these are the conditions before sending out the notification with the auto-assign user (alert_manager.py): config['auto_assign_owner'] != ''
and config['auto_assign_owner'] != 'unassigned'
and incident_suppressed == False
and is_subsequent_resolved == False
and auto_info_resolved == False
and config['append_incident'] is None the 4th and 5th lines are deprecated so we assume they are ok, the first 2 lines we assume ok as well because you assigned a user; so if the incident is not suppressed, the only one condition left is that you don't append identical incidents to the first one. If that's the case, as it was mine, you must add a variable in the code as a workaround, to keep track of the append configuration and exclude the notification when you are in the events that are being appended and remove the and config['append_incident'] is None condition above, replacing it with something like is_appended == False (otherwise you receive a notification for every appended incident. You must declare and validate the variable in the code where it is checked if there is an incident to append to). I didn't find any other solution at the moment.
... View more
This is confusing because when you Export the report results from the UI, the date format is preserved, but when you let Splunk email it on a schedule, the date format is lost.
It should at least be made consistent... As it stands, it's impossible to test report output without scheduling a report and reviewing the email.
... View more