Alert Manager: Why are no alerts showing up in a cloned Incident Posture dashboard?

Moonveil
Explorer

Hello,

I wanted to play around with Incident Posture without modifying the original, so I created a clone of the dashboard. However, I am having issues getting the alerts to display properly in the clone. The alerts show up just fine in the original incident posture dashboard, and I haven't made any code modifications in the clone, so I'm not sure why that is.

I can only see the top half in the cloned dashboard (the part with trending information and the dropdowns/filters for "Recent Incidents"), but the alerts that should show up in the bottom half are just blank. I don't see any errors printed in the console, and if I select "Edit Panels" and look at the search string, it is exactly the same as the one in the original.

Is there something hardcoded in the JavaScript files that I need to change in order for the alerts to be populated in cloned dashboards? Any help on this matter is greatly appreciated.

Thank you.

1 Solution

Moonveil
Explorer

To answer my own question, the issue is caused by the "Incident ID", "Title", and "Freeform Filter" fields. After checking Activity > Jobs, it looks like in the original dashboard, the token values are applied automatically when the search is run, so you'll see the alerts even if you leave those three fields blank. However, this is not the case for cloned dashboards.

To get the alerts to show up, just set * as the default value for those three fields, or type it in manually and the alerts should display properly.
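
A way to check a cloned dashboard for this condition, added here as an example that is not part of the original post or of Alert Manager's code: it parses a dashboard's Simple XML and reports every input that has no default while its token is referenced by a panel search. It assumes the clone is a Simple XML form; the token names, lookup name and query in the sample are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, NOT the Alert Manager source: token names, the lookup
# and the query are hypothetical stand-ins for the three fields in the answer.
SAMPLE_DASHBOARD = """
<form>
  <fieldset submitButton="false">
    <input type="text" token="incident_id"><label>Incident ID</label></input>
    <input type="text" token="title"><label>Title</label><default>*</default></input>
    <input type="text" token="filter"><label>Freeform Filter</label></input>
  </fieldset>
  <row><panel><table><search>
    <query>| inputlookup incidents_sample | search incident_id="$incident_id$" title="$title$" $filter$</query>
  </search></table></panel></row>
</form>
"""

# Matches $token$, $form.token$ and filtered forms such as $token|s$.
TOKEN_REF = re.compile(r"\$(?:form\.)?(\w+)(?:\|\w+)?\$")

def inputs_without_default(root):
    """Map token -> label for inputs lacking both <default> and <initialValue>."""
    missing = {}
    for inp in root.iter("input"):
        token = inp.get("token")
        preset = (inp.findtext("default") or "") + (inp.findtext("initialValue") or "")
        if token and not preset.strip():
            missing[token] = (inp.findtext("label") or token).strip()
    return missing

def referenced_tokens(root):
    """Collect every token name used inside a <query> element."""
    tokens = set()
    for query in root.iter("query"):
        tokens.update(TOKEN_REF.findall(query.text or ""))
    return tokens

def blocking_inputs(dashboard_xml):
    """Labels of inputs that leave a search token unset until the user types something."""
    root = ET.fromstring(dashboard_xml.strip())
    missing = inputs_without_default(root)
    used = referenced_tokens(root)
    return sorted(label for token, label in missing.items() if token in used)

if __name__ == "__main__":
    for label in blocking_inputs(SAMPLE_DASHBOARD):
        print(f'input "{label}" has no default; set <default>*</default>')
```
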
