alertmanager / alert_manager

Splunk Alert Manager with advanced reporting on alerts, workflows (modify assignee, status, severity) and auto-resolve features

Unable to assign alert status to incident #244

Open ghost opened 5 years ago

ghost commented 5 years ago

When editing an incident, under the Incident Workflow, the 'Status:' dropdown is greyed out. The users populated under Settings>Users Settings are showing as type 'builtin' and the active user directory is set to 'both'. All users have the roles alert_manager, alert_manager_user. I reviewed all lookups (using the Lookup editor app), ensured all users have the alert manager roles, and followed a similar issue, though this wasn't a migration; it was a fresh install on a new Splunk instance - https://github.com/simcen/alert_manager/issues/211

Splunk: 7.1.1, Alert Manager: 2.2.2, Alert Manager Add-On: 2.2.0

HoorayJorge commented 4 years ago

I'm having the same issue on Splunk 8.03, TA 2.2.1 and App 2.3

my2ndhead commented 4 years ago

Can you check if the alert_status lookup has entries? E.g. run the following search within the alert_manager app:

| inputlookup alert_status

I've seen issues when the migration script hasn't correctly run and it hasn't populated the lookup. You can re-enable the script in local/inputs.conf.

For the upcoming release 3.0.0 (Python 3.7) I have fixed a few issues regarding alert status.

HoorayJorge commented 4 years ago

Alert_status.csv appears populated

I'm also having an issue where incident_results isn't populating regularly. Perhaps these issues are related?

Thanks for getting back to me.

my2ndhead commented 4 years ago

It's not alert_status.csv that has to be populated.

Did you run the inputlookup command? What does it give back?

Can you open the Browser Developer Tools Console to check if you can see if it throws some errors?

incident_results is not related to this problem.

HoorayJorge commented 4 years ago

You're right. Alert_status didn't build correctly (there were input type errors in the "hidden" column). Thanks for the support.

The incident_results issue was due to '.' characters in the field names.