
Alert Manager App: The alerts index has data, but why are no alerts displayed on any dashboards?

rmeyer20
Engager

I am using the Alert Manager app v2.0 on Splunk 6.3. I cannot get it to show any alerts on the Incident Posture screen. I also see "no records" trying to use the pivot screen, but when I do a simple search on index=alerts, I see records. I also see "incident created" messages in the log files, but nothing seems to show up on any of the screens for the Alert Manager application. I see in the logs that it is creating incidents and that it is then firing off the incident_created event. I see in the alert-handler log that it is firing for event=incident_created. And when I search index=alerts, I see records which seem to indicate incidents are getting created, but the Incident Posture screen is empty and I can't seem to pull anything up.

There are two other clues to this .... first is that on the Incident Posture screen, I don't see the colored squares with numbers in them (which is what the doc shows and what I used to see in the old version, which also wasn't getting incidents in). Instead I see "N/A" in those five areas below the time-range picker and above the Recent Incidents and selection criteria (Recent Incidents is blank). The second clue is that when I go to the Pivot within Alert Manager, I see a message which says Eventtype 'incident_change' does not exist or is disabled. I also see "Eventtype 'alert_metadata' does not exist or is disabled. " when I choose All Alerts.

Is there anybody who can assist with this?


rmeyer20
Engager

I was able to answer my own question with this. I had upgraded the Alert Manager app from v1.1 to 2.0. I chose the "upgrade" process from the web UI to perform the app upgrade. I think it left some bad conf files in the local directory of the app. Also, there is a part of the install which had not completed properly, which was the add-on for TA-alert_manager-master files, which are a set of conf files which go on the indexers. So basically, I completely removed what was there for the app. I installed the master files on the indexers, and installed the alert_manager app on the search head, and all issues went away.


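The accepted answer fixed the problem by wiping the app and reinstalling it, on the suspicion that the in-place upgrade left stale conf files in the app's local directory. That suspicion can be tested before a reinstall. Splunk reads an app's default/eventtypes.conf and then overrides it stanza-by-stanza and key-by-key with local/eventtypes.conf, so a leftover local stanza that sets disabled = 1, or an old stanza name, hides an eventtype that default/ defines correctly, and the dashboards report exactly the message from the question: "Eventtype 'incident_change' does not exist or is disabled". The script below is an added example written for this page, not code from the Alert Manager app or from the thread; the eventtype names are the two named in the question's error messages, while the search strings and the stale local/ layer are constructed placeholders, and the only assumption is the standard INI-style layout of Splunk .conf files.

```python
"""Check that the eventtypes an app's dashboards depend on are defined and enabled
after Splunk's default/ -> local/ configuration layering is applied.

Added example for the thread above; not part of the Alert Manager app.
"""
import configparser
from typing import Dict, Iterable

# Eventtype names taken from the error messages in the question. The search
# strings are constructed placeholders, not the app's real definitions.
DEFAULT_CONF = """
[incident_change]
search = index=alerts sourcetype=placeholder_incident_change

[alert_metadata]
search = index=alerts sourcetype=placeholder_alert_metadata
"""

# Constructed stand-in for a stale local/eventtypes.conf left behind by an
# upgrade: it disables one eventtype and carries an obsolete stanza name.
STALE_LOCAL_CONF = """
[incident_change]
disabled = 1

[alert_metadata_old]
search = index=alerts sourcetype=placeholder_alert_metadata
"""

REQUIRED_EVENTTYPES = ("incident_change", "alert_metadata")

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """Parse a Splunk .conf file (INI-style, '=' delimited) into {stanza: {key: value}}."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # Splunk keys are case-sensitive; do not lower-case them
    parser.read_string(text)
    return {stanza: dict(parser.items(stanza)) for stanza in parser.sections()}


def merge_layers(default: Conf, local: Conf) -> Conf:
    """Apply Splunk precedence: every key in local/ overrides the same key in default/.

    Stanzas that exist only in local/ are added; keys that local/ does not set
    keep their default/ value, which is why a local stanza containing only
    'disabled = 1' is enough to switch an otherwise intact eventtype off.
    """
    merged = {name: dict(keys) for name, keys in default.items()}
    for name, keys in local.items():
        merged.setdefault(name, {}).update(keys)
    return merged


def check_eventtypes(merged: Conf, required: Iterable[str]) -> Dict[str, str]:
    """Return {eventtype: problem} for each required eventtype that is missing,
    disabled, or has no search; an empty dict means the dashboards' dependencies
    are satisfied."""
    problems = {}
    for name in required:
        stanza = merged.get(name)
        if stanza is None:
            problems[name] = "missing"
        elif stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            problems[name] = "disabled"
        elif not stanza.get("search", "").strip():
            problems[name] = "no search defined"
    return problems


def report(problems: Dict[str, str]) -> str:
    """Render the check result as one human-readable line."""
    if not problems:
        return "all required eventtypes are defined and enabled"
    return "; ".join(f"{name}: {why}" for name, why in sorted(problems.items()))


if __name__ == "__main__":
    default = parse_conf(DEFAULT_CONF)
    print("default/ only      :", report(check_eventtypes(default, REQUIRED_EVENTTYPES)))
    merged = merge_layers(default, parse_conf(STALE_LOCAL_CONF))
    print("with stale local/  :", report(check_eventtypes(merged, REQUIRED_EVENTTYPES)))
```

On a live search head the same two functions would be fed the contents of $SPLUNK_HOME/etc/apps/alert_manager/default/eventtypes.conf and .../local/eventtypes.conf instead of the embedded strings; Splunk's own `splunk btool eventtypes list --debug` shows the same merged view together with the file each key came from, which is the quickest way to confirm that a local/ file is the one disabling or renaming a stanza.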


bluemarvel
Path Finder

What are the master files you are referring to?
