Reference

Introductions

Technologies used by Alert Manager

As described above, the App writes different data and uses the Splunk framework components to provide comfortable end-user functionality.

App Key Value Store
Save and track states of incidents
Store incident defaults and user settings
Store alert results per incident
Splunk REST API
Write events to the index
Add/retrieve data from the App Key Value Store
Manage App configuration
Splunk JS Stack
Extend Splunk dashboards with workflow functionality
Extend and enhance Splunk visualization components (Single value, Tables, ...)
Provide 3rd party visualizations

Custom Search Commands

loadincidentresults

Usage: <your search> | table _time incident_id | loadincidentresults incident_id

Parameters:

incident_id: ID of the incident per search result (Required)

Returns results of incidents from the KV store given a list of incidents having an incident_id field present.

modifyincidents

Usage:

<your search> | table _time incident_id | modifyincidents status=<new status> owner=<new owner> urgency=<new urgency> comment=<comment>

Parameters:

status: New status of the incident(s) (Optional)
status: New owner of the incident(s) (Optional)
urgency: New urgency of the incident(s) (Optional)
comment: Text of the comment to add to the change event (Optional)

Updates incident attributes such as status, owner, urgency and adds a comment, if provided. Requires the field incident_id in the search results. Use any attribute in combination or by oneself.

External Reference ID

The incident collection has an additional column external_reference_id which can be used to store references to other systems. Typically this field is updated by an external process. The value of the field will be displayed in the details section of an incident if it is set.

Screenshot

Reports

Custom Reports

Custom reports can be added to the Reports Menu. To automatically show them the report name should start with the prefix am_report_

Datamodel

tbd

Troubleshooting

tbd