I am using the Alert Manager app v2.0 on Splunk 6.3. I cannot get it to show any alerts on the Incident Posture screen. I also see "no records" trying to use the pivot screen, but when I do a simple search on index=alerts, I see records. I also see "incident created" messages in the log files, but nothing seems to show up on any of the screens for the Alert Manager application. I see in the logs that it is creating incidents and that it is then firing off the incident_created event. I see in the alert-handler log that it is firing for event=incident_created. And when I search index=alerts, I see records which seem to indicate incidents are getting created, but the Incident Posture screen is empty and I can't seem to pull anything up.
There are two other clues to this. The first is that on the Incident Posture screen, I don't see the colored squares with numbers in them (which is what the doc shows and what I used to see in the old version, which also wasn't getting incidents in). Instead I see "N/A" in those five areas below the time-range picker and above the Recent Incidents and selection criteria (Recent Incidents is blank). The second clue is that when I go to the Pivot within Alert Manager, I see a message which says "Eventtype 'incident_change' does not exist or is disabled." I also see "Eventtype 'alert_metadata' does not exist or is disabled." when I choose All Alerts.
Is there anybody who can assist with this?
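The "Eventtype 'X' does not exist or is disabled" message quoted above comes from exactly two conditions: the eventtype stanza is absent, or it is present with `disabled = 1`. The following is an added example, not code from the original post or from the Alert Manager app, that checks a Splunk `eventtypes.conf` text for the two eventtype names the post mentions. The conf content is a constructed sample; the stanza names are assumed to match what the app defines, and the `search` values are placeholders rather than the app's real searches.

```python
"""Check whether the eventtypes a Splunk app's dashboards depend on are both
defined and enabled. Added illustration with a constructed sample conf; it is
not the Alert Manager app's real eventtypes.conf."""
import configparser

# Constructed sample in eventtypes.conf format. Assumption: the app defines
# stanzas with these names; the searches below are placeholders only.
SAMPLE_EVENTTYPES_CONF = """\
[incident_change]
search = index=alerts

[alert_metadata]
search = index=alerts
disabled = 1
"""

# Eventtype names taken from the error messages quoted in the post.
REQUIRED_EVENTTYPES = ("incident_change", "alert_metadata")


def parse_eventtypes(conf_text):
    """Parse INI-style Splunk conf text into {stanza_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def check_eventtypes(conf_text, required):
    """Return {eventtype: 'ok' | 'missing' | 'disabled'} for each required name.

    Both 'missing' and 'disabled' surface in Splunk as the single message
    "Eventtype 'X' does not exist or is disabled", so the distinction has to
    be made from the conf files themselves."""
    stanzas = parse_eventtypes(conf_text)
    result = {}
    for name in required:
        stanza = stanzas.get(name)
        if stanza is None:
            result[name] = "missing"
        elif stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            result[name] = "disabled"
        elif not stanza.get("search", "").strip():
            # A stanza with no search cannot match anything; treat as missing.
            result[name] = "missing"
        else:
            result[name] = "ok"
    return result


if __name__ == "__main__":
    for name, status in check_eventtypes(SAMPLE_EVENTTYPES_CONF,
                                         REQUIRED_EVENTTYPES).items():
        print(f"{name}: {status}")
```

On a real search head the merged view of every eventtypes.conf layer (default, local, per-app, per-user) can be produced with `splunk btool eventtypes list`, and that output can be fed to `check_eventtypes` in place of the constructed sample; a stanza that is defined in the app's `default` directory but overridden with `disabled = 1` in `local` shows up as "disabled" rather than "missing".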