Configuration Guide
The main purpose of the Alert Manager app is to extend Splunk's core alerting functionality with sophisticated incident workflows and reporting.
Alert Manager can also be used to replace existing workflow solutions (e.g. Incident Review in Enterprise Security).
Alert Manager is built on top of Splunk's core alerting functionality. Instead of performing a "fire and forget" action when an alert fires, Alert Manager stores the state of the alert as an incident in a KV store.
Alert Manager was designed to integrate easily into existing environments: an alert script is added to each alert that should be managed. Existing alert scripts can be integrated through Alert Manager's pass-through capability.
It is important to distinguish between the terms alert and incident.
The term alert is used for alerts triggered by a Splunk scheduled search. Alert metadata is indexed by default into an index named alerts.
The term incident is used for the enriched metadata around an alert. This data is stored in a KV store, and some of the metadata is enriched from lookup tables (allowing dynamic customization).
Incidents are stored with metadata such as alert_time, job_id, owner, status, priority, ttl, etc.
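To make the alert/incident distinction concrete, here is a small added model of the enrichment step described above: a fire-and-forget alert record is turned into a stateful incident, priority and ttl are filled from a lookup table, and the incident is kept in a store that supports ownership changes and TTL expiry. This is illustrative code written for this page, not Alert Manager's own implementation; the lookup contents, the sample alert, the job_id value and the `IncidentStore` class are all constructed assumptions, and the real app's field semantics may differ.

```python
"""Hypothetical model of turning a Splunk alert into a KV-store incident.

Not Alert Manager's code. The lookup table, sample alert and store class
are constructed for illustration only.
"""

# Constructed lookup standing in for a Splunk lookup table (hypothetical):
# alert name -> default priority and time-to-live in seconds.
ALERT_LOOKUP = {
    "Brute force login": {"priority": "high", "ttl": 3600},
    "Disk space low": {"priority": "low", "ttl": 86400},
}

# Constructed sample alert metadata, shaped like what a scheduled search
# would hand to an alert script (job_id value is made up).
SAMPLE_ALERT = {
    "alert": "Brute force login",
    "job_id": "scheduler__admin__search__RMD5EXAMPLE_at_1700000000_1",
    "alert_time": 1700000000,
    "app": "search",
}


def build_incident(alert, lookup, default_priority="medium", default_ttl=7200):
    """Enrich raw alert metadata into an incident record.

    Priority and ttl come from the lookup when the alert name is known,
    otherwise from the defaults; owner and status start in an initial state.
    """
    entry = lookup.get(alert["alert"], {})
    return {
        "alert": alert["alert"],
        "job_id": alert["job_id"],
        "alert_time": alert["alert_time"],
        "owner": "unassigned",
        "status": "new",
        "priority": entry.get("priority", default_priority),
        "ttl": entry.get("ttl", default_ttl),
    }


class IncidentStore:
    """In-memory stand-in for the KV store collection, keyed by job_id."""

    def __init__(self):
        self._by_job = {}

    def upsert(self, incident):
        # A re-fired alert with the same job_id overwrites the stored state.
        self._by_job[incident["job_id"]] = incident
        return incident

    def get(self, job_id):
        return self._by_job.get(job_id)

    def assign(self, job_id, owner):
        """Assign an owner; the incident moves from 'new' to 'assigned'."""
        incident = self._by_job[job_id]
        incident["owner"] = owner
        incident["status"] = "assigned"
        return incident

    def expired(self, now_epoch):
        """Return job_ids whose alert_time + ttl has passed (housekeeping)."""
        return [
            inc["job_id"]
            for inc in self._by_job.values()
            if inc["alert_time"] + inc["ttl"] <= now_epoch
        ]


if __name__ == "__main__":
    store = IncidentStore()
    inc = store.upsert(build_incident(SAMPLE_ALERT, ALERT_LOOKUP))
    print(inc)
    print(store.assign(inc["job_id"], "analyst1"))
    print("expired at +1h:", store.expired(SAMPLE_ALERT["alert_time"] + 3600))
```

The point of the model is the state that a plain alert action discards: once the incident exists, owner and status can change independently of the search that produced it, and the ttl lets a housekeeping job retire stale incidents without touching the indexed alert events.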