All Apps and Add-ons

Alert Manager: How to retrieve an incident_id and a field from within that incident id from a search or api query

redacted
Explorer

I am looking to perform a rest lookup of an Alert Manager Incident ID and retrieve the fields that are included in the incident from the original alert. I can see these in the "Details" section of the alert when expanded showing as "Key" and "Value" I assume these are in the KV store somewhere, but I cannot seem to find them.

I can see the incident_id and actions performed against it in the "alerts" index, but I do not see any of fields that are put into the incident from the initial search/alert.

The fields I want are available in the initial index and the incident actions and notes are in the "alerts" index, is there any way to search and correlate the two?

Thanks

0 Karma
1 Solution

lweber
Path Finder

there are a few collections created by the Alert Manager, this could be the one you're looking for:
https://localhost:8089/servicesNS/nobody/alert_manager/storage/collections/data/incident_results

View solution in original post

lweber
Path Finder

there are a few collections created by the Alert Manager, this could be the one you're looking for:
https://localhost:8089/servicesNS/nobody/alert_manager/storage/collections/data/incident_results

redacted
Explorer

Thanks! that is almost what I was looking for, unfortunately these fields are still not listed in that data.

I was playing around with the app and if you paste the field you are looking for manually into the "comments" field alert manager will include that under the "notes" field in the "alerts" index and you can correlate all incident_id to the "notes" field

It is a horrible human hack, so I am hoping there is something I am missing somewhere.

0 Karma

redacted
Explorer

i took a look further through the data from that url and low and behold there was the data!!

Thanks Iweber!!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...