Hi, again.
I do not see fields that I set on in tab "Incident Settings".
http://prntscr.com/j9lasr
http://prntscr.com/j9lbcc
Or where I can see that?
And not working Alert Results in tab "Incident Posture"
http://prntscr.com/j9l6xe
What do I have to see there?
I know this is an old post, but I was having the same issue and came to realize that the app context and resulting permissions of the alert I had created was not allowing the alert_manager app to read the search results.
It would insert the "incident" just fine, but never show me fields from the incident result (by default it should display them all).
Once I cloned the alert to the alert_manager app context and made sure it was shared within the app, it worked great.
Check that "Save incident results to KVStore" is enabled under Settings -> Global Settings
BUMP! UP! 🙂
What app version you are using?
Alert Manager 2.2.2
Splunk 7.0.3