We're getting closer. The good news is: the alert handler is working fine. I think the issue is somewhere around the datamodel or the macro.
Once again, please give these queries a try and let me know what they return:
Tstats search:
| tstats values(all_alerts.alert) as alert, values(all_alerts.app) as app, values(all_alerts.event_search) as event_search, values(all_alerts.search) as search, values(all_alerts.impact) as impact, values(all_alerts.earliest) as earliest, values(all_alerts.latest) as latest, count from datamodel="alert_manager" where nodename="all_alerts" by all_alerts.job_id, all_alerts.incident_id, all_alerts.result_id, _time | search all_alerts.incident_id="8b82d86a-b742-4f61-8f95-9c312015d2f4"
Pivot search:
| pivot alert_manager all_alerts count(all_alerts) AS "count" FILTER incident_id is "8b82d86a-b742-4f61-8f95-9c312015d2f4"
Eventtype search:
eventtype="alert_metadata" incident_id="8b82d86a-b742-4f61-8f95-9c312015d2f4" | table app, earliest, eventSearch, impact, incident_id, job_id, latest, name, owner, result_id, ttl, urgency