Solved: Alert Manager App - How to create a incident per r...

peterschloenske · ‎03-07-2021

Hi,

I'm trying to create an incident within the Alert Manager App per result row of the generating search.
Let's say I have a search "Failed transactions by host". The result table looks like this:

_time	host	failed_transactions
2021-03-07 12:55:01	host_a	100
2021-03-07 12:55:01	host_b	200

It is easy to create an incident for "failed transactions" in general. But I would like to create incidents per host, that can be tracked individually. I tried to achieve it by using $result.host$ as the title, but this did not work.

Does anyone know whether this is possible?

peterschloenske · ‎03-08-2021

I did not recognize that I saved it as report instead as an alert. As an alert, I can set "trigger for each result" to get it work

View solution in original post

peterschloenske · ‎03-08-2021

I did not recognize that I saved it as report instead as an alert. As an alert, I can set "trigger for each result" to get it work

Alert Manager App - How to create a incident per result (row)

alert action

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Alert Manager App - How to create a incident per result (row)

alert action

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?