Alert Action Setup
AME Events are created through Splunk Alert Actions. Follow the step-by-step guide for configuration.
Step-by-Step
To create an AME Event from a Splunk Alert, follow these steps.
1. Create a template on the Template Manager page
Open up the template manager and press the (+) button to add a new template, unless you already have a template you can reuse.
For more details on how to create a template, see Template Manager.
Creating a template requires the AME power user role for the tenant that you select.
2. Save search as an alert
After creating the template, navigate to the search view, run a search, and save the search as an alert.
Every field in a result row is stored with the event created from it, so it is recommended to end the search with the fields or table search command to keep only the fields the event actually needs.
3. Complete the 'Save As Alert' form
Use a scheduled alert. Real-time searches are supported but strongly advised against for performance reasons.
4. Select 'Create Alert Manager Enterprise Event'
5. Complete the AME form
- Title: The dynamic title of the events created. The title may reference any field in the search results; use the format $result.field$ to insert a field value.
- Template: The template created in step 1.
Setting the Trigger to "Once per Result" and including at least one result field in the title is highly recommended. This way, a separate event with a unique title is created for every result row rather than one event for the whole result set.
6. Press 'Save'
Be sure that the user under which the alert runs has the appropriate AME power user role assigned to create events in the specified tenant.
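As an added example (not from the AME documentation or the product's own configuration files), the alert described in steps 2 to 6 expressed as the savedsearches.conf stanza that Splunk writes when you save it through the UI. The search, the stanza name, and the template name are constructed for illustration; the alert action name alert_manager_enterprise and its param.title and param.template keys are assumptions, since the page does not state them. After saving one alert in the UI, open $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf and copy the real action and parameter names from there.

```ini
# Added example, not AME's own configuration.
# Location: $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf
# The action name "alert_manager_enterprise" and its param.* keys are ASSUMED;
# copy the real names from a stanza saved through the Splunk UI.
[Failed logins by source]
# Keep only the fields the event needs: every field that survives the search
# is stored with the AME event.
search = index=auth action=failure | stats count AS failures BY src_ip, user | where failures > 20 | fields src_ip, user, failures
# Scheduled alert (real-time searches are supported but discouraged).
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns at least one row ...
counttype = number of events
relation = greater than
quantity = 0
# ... and fire the action once per result row ("Once per Result" in the UI;
# digest_mode = 1 would fire once for the whole result set).
alert.digest_mode = 0
alert.track = 1
# AME alert action (name assumed).
action.alert_manager_enterprise = 1
# Reference result fields as $result.<field>$ so every row yields an event
# with a unique title.
action.alert_manager_enterprise.param.title = Failed logins from $result.src_ip$ for $result.user$
action.alert_manager_enterprise.param.template = Brute-force template
```

The stanza runs under the owner of the saved search, so that user (or the service account you reassign it to) must hold the AME power user role for the tenant named in the template; if it does not, the search still runs but no event is created.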