- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security: is there a way to noti...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any way to notify someone that an incident has been assigned to them?
For my in incident review process, I have some regular users that check the dashboard everyday. I have a couple users that only periodically get a notable event assigned. They'd like to receive emails when a notable event is assigned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search solves the issue. As a note, you have to create an alert per Splunk user.
| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
search typo above, updating for our Splunkers.
| `incident_review` | where owner_realname="GT3 Analyst" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-40m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This query will also trigger in case of someone other then user add a comment in notable event. Can you suggest any alternatives.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search solves the issue. As a note, you have to create an alert per Splunk user.
| `incident_review` | where owner_realname="John Doe" AND owner_realname != reviewer_realname AND _time>=relative_time(now(),"-20m") AND _time<now() | fields rule_name, urgency, status_label, owner_realname, reviewer_realname | rename rule_name as "Rule Name", urgency as Urgency, status_label as Status, owner_realname as Assignee, reviewer_realname as Assigner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @AndySplunks
Are you answering your own question, or just adding additional details to your question? You didn't really explain anything, so it would be great if you could add more context. If this the answer the solved your question, be sure to accept your answer by clicking the "Accept" button to resolve this post.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
