The Alert Manager App's main purpose is to extend Splunk's core alerting functionality with sophisticated incident workflows and reporting. It can also be used to replace existing workflow solutions (eg. …). The Alert Manager is built on top of Splunk's core alerting functionality, utilizing its main functionality. Instead of just doing a "fire and forget" action on the alert, the Alert Manager stores the state of an alert as an incident in a KV store.

The app was designed to integrate easily into existing environments: enable the Custom Alert Action shipped with the app on the alerts that should be managed, and add the alert_manager role to the users that use the app or send alerts to it. Pre-existing alert scripts can still be used by configuring them as another alert action.

It is important to distinguish between the terms alerts and incidents. The term Alert is used for alerts triggered by a Splunk scheduled search. Alert metadata is indexed by default into an index named alerts (if not changed during setup). The term Incident is used for the enriched metadata around the alert. This data is stored in a KV store, and some of the metadata is enriched using lookup tables (for dynamic customizations). Incidents are stored with metadata such as alert_time, job_id, owner, status, priority, ttl, etc.

The "alert_manager" Alert Action basically enables a Scheduled Search (Alert) to use the Alert Manager functionalities. It provides some options to customize the behaviour; these options apply to the actual incident being created when an alert fires. For a user to be able to send alerts to Alert Manager, the alert_manager role needs to be assigned.

Incident Settings are additional parameters which can be changed even after an Incident has been created.

Incident Categorization
Categorization is used to group incidents. There are two attributes that can be used: category and subcategory. Categorization can be used to filter incidents on the Incident Posture dashboard and to run category statistics.

Incident Tags
For more complex environments, incidents can be tagged with an arbitrary number of tags. Incidents can be filtered by tag on the Incident Posture dashboard.

Incident Priority
The incident's priority is calculated using the alert's impact and urgency settings. By default, the calculation uses the impact/urgency matrix below:
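The alert-to-incident flow described above (priority derived from impact and urgency, incidents stored with alert_time, job_id, owner, status, priority and ttl, settings changed after creation, and filtering or statistics by category, subcategory and tag), as an added, constructed example that is not the Alert Manager app's own code. It replaces the KV store with an in-memory dictionary, and the impact/urgency matrix it uses is an assumed one, not the app's default matrix, which this page does not reproduce.

```python
"""Constructed model of the alert -> incident flow described on this page.

Not the Alert Manager app's own code: the KV store is an in-memory dict and
the impact/urgency matrix is an assumed one, not the app's default.
"""
from dataclasses import dataclass, field
import time
import uuid

# Assumed (impact, urgency) -> priority matrix; constructed for this example.
PRIORITY_MATRIX = {
    ("high", "high"): "critical",
    ("high", "medium"): "high",
    ("high", "low"): "medium",
    ("medium", "high"): "high",
    ("medium", "medium"): "medium",
    ("medium", "low"): "low",
    ("low", "high"): "medium",
    ("low", "medium"): "low",
    ("low", "low"): "informational",
}

# Incident settings that may still be changed after the incident exists.
MUTABLE_SETTINGS = {"owner", "status", "priority", "category", "subcategory", "tags"}


def calculate_priority(impact, urgency, matrix=PRIORITY_MATRIX):
    """Look up the priority for an impact/urgency pair; fail loudly on unknown values."""
    key = (impact.strip().lower(), urgency.strip().lower())
    if key not in matrix:
        raise ValueError(f"no matrix entry for impact={impact!r}, urgency={urgency!r}")
    return matrix[key]


@dataclass
class Incident:
    """Enriched metadata around one fired alert (the fields named on the page)."""
    incident_id: str
    alert: str
    alert_time: float
    job_id: str
    owner: str
    status: str
    priority: str
    ttl: int
    category: str = ""
    subcategory: str = ""
    tags: set = field(default_factory=set)

    def expired(self, now=None):
        """True once ttl seconds have elapsed since alert_time (cleanup candidate)."""
        now = time.time() if now is None else now
        return now >= self.alert_time + self.ttl


class IncidentStore:
    """Stand-in for the KV store collection that holds incidents."""

    def __init__(self):
        self._incidents = {}

    def create_from_alert(self, alert_name, job_id, impact, urgency, ttl=86400,
                          owner="unassigned", category="", subcategory="", tags=(),
                          alert_time=None):
        """Turn a fired alert into a stored incident instead of fire-and-forget."""
        incident = Incident(
            incident_id=str(uuid.uuid4()),
            alert=alert_name,
            alert_time=time.time() if alert_time is None else alert_time,
            job_id=job_id,
            owner=owner,
            status="new",
            priority=calculate_priority(impact, urgency),
            ttl=ttl,
            category=category,
            subcategory=subcategory,
            tags=set(tags),
        )
        self._incidents[incident.incident_id] = incident
        return incident

    def update(self, incident_id, **changes):
        """Change incident settings after creation; reject fields that are not settings."""
        unknown = set(changes) - MUTABLE_SETTINGS
        if unknown:
            raise ValueError(f"not an incident setting: {sorted(unknown)}")
        incident = self._incidents[incident_id]
        for name, value in changes.items():
            setattr(incident, name, set(value) if name == "tags" else value)
        return incident

    def filter(self, category=None, subcategory=None, tags=None, status=None):
        """Incident Posture style filter: every given criterion must match, all tags present."""
        wanted = set(tags or ())
        return [i for i in self._incidents.values()
                if (category is None or i.category == category)
                and (subcategory is None or i.subcategory == subcategory)
                and (status is None or i.status == status)
                and wanted <= i.tags]

    def category_stats(self):
        """Count incidents that are not closed, per (category, subcategory)."""
        counts = {}
        for i in self._incidents.values():
            if i.status != "closed":
                key = (i.category, i.subcategory)
                counts[key] = counts.get(key, 0) + 1
        return counts


if __name__ == "__main__":
    store = IncidentStore()
    inc = store.create_from_alert("Failed logins spike", "scheduler__admin__search__1",
                                  impact="high", urgency="medium",
                                  category="security", subcategory="auth", tags=["prod"])
    store.update(inc.incident_id, owner="analyst1", status="assigned")
    print(inc.priority, store.filter(category="security", tags=["prod"]))
```

The `update` method deliberately whitelists the fields the page calls incident settings, so a job_id or alert_time cannot be rewritten after the fact; `category_stats` excludes closed incidents so the counts reflect the current posture rather than history.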
January 2023