Open paki20 opened 4 years ago
Did you use a custom index (not main, not alerts)? If so, then I recently had this exact problem. You need to create a $SPLUNK_HOME/etc/apps/alert_manager/local/macros.conf file. Copy and paste the alert_manager index macro from the /default/macros.conf file to the /local/macros.conf file, and modify it to whatever you'd like, making sure index=custom-name is there. Then magically (no reboot needed) your data appears.
The UI configuration setup page didn't seem to set this automatically.
Hi,
I have the same issue: https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-get-alerts-in-alertmanager-to-show-as-incidents/td-p/355342
Just can't work out why all the incident numbers are 0, even with the time range set to way back.
I have Splunk 7.3.4 and I installed AlertManager 2.2.0 on my search head (it's a Splunk POC).
Could you help me, please?
Thanks.