Solved: Alert Manager App - How to create a incident per r...

peterschloenske · ‎03-07-2021

Hi,

I'm trying to create an incident within the Alert Manager App per result row of the generating search.
Let's say I have a search "Failed transactions by host". The result table looks like this:

_time	host	failed_transactions
2021-03-07 12:55:01	host_a	100
2021-03-07 12:55:01	host_b	200

It is easy to create an incident for "failed transactions" in general. But I would like to create incidents per host, that can be tracked individually. I tried to achieve it by using $result.host$ as the title, but this did not work.

Does anyone know whether this is possible?

peterschloenske · ‎03-08-2021

I did not recognize that I saved it as report instead as an alert. As an alert, I can set "trigger for each result" to get it work

View solution in original post

peterschloenske · ‎03-08-2021

I did not recognize that I saved it as report instead as an alert. As an alert, I can set "trigger for each result" to get it work

Alert Manager App - How to create a incident per result (row)

alert action

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation