Event Summary Overview
The Event Summary Page is the entry point for managing all events.
In Alert Manager Enterprise, the term Event describes a Splunk Alert managed by the AME App. Note that a Splunk Alert that matches the same title can be appended to an existing AME Event. See the Alert Action Setup to find out more about how Events are created and updated.
AME supports the Splunk Dark UI theme. Dark mode can be enabled by configuring the theme in the Splunk User Preferences.
Single Value Indicators
At the top of the Event Summary, single value indicators show the number of events over the selected time range, split by priority. A trend timeline is shown below each number.
The Single Value Indicators can be hidden/shown by pressing the following buttons:
Button | Function
---|---
Show Single Values | Shows the Single Value Indicators
Hide Single Values | Hides the Single Value Indicators
Event Timeline
The Event Timeline can be shown below the Single Value Indicators. The timeline shows the selected time range and is split by priority.
The Event Timeline can be hidden/shown by pressing the following buttons:
Button | Function
---|---
Show Event Timeline | Shows the Event Timeline
Hide Event Timeline | Hides the Event Timeline
About Priorities
Priorities are calculated from the Alert's impact and urgency settings:
Impact | Urgency | Priority
---|---|---
low | low | informational
low | medium | low
low | high | medium
medium | low | low
medium | medium | medium
medium | high | high
high | low | medium
high | medium | high
high | high | critical
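The matrix above follows one simple rule: rank the three levels as low=0, medium=1, high=2, add the impact rank and the urgency rank, and map the sum 0..4 onto informational, low, medium, high, critical. The following Python is an added illustration, not code from Alert Manager Enterprise; it implements that rule, checks it against every row of the documented matrix, and shows how the priority of an event moves when its urgency is adjusted (the "Adjust the Urgency" action described further down). The function names and the sum-of-ranks formulation are this example's own; the matrix values are the page's.

```python
# Ordinal rank of the impact and urgency levels documented on the page.
LEVELS = {"low": 0, "medium": 1, "high": 2}

# Priority names in ascending order of severity, as used in the matrix.
PRIORITIES = ["informational", "low", "medium", "high", "critical"]

# The priority matrix exactly as documented, used to verify the rule below.
DOCUMENTED_MATRIX = {
    ("low", "low"): "informational",
    ("low", "medium"): "low",
    ("low", "high"): "medium",
    ("medium", "low"): "low",
    ("medium", "medium"): "medium",
    ("medium", "high"): "high",
    ("high", "low"): "medium",
    ("high", "medium"): "high",
    ("high", "high"): "critical",
}


def priority(impact: str, urgency: str) -> str:
    """Return the priority for an impact/urgency pair.

    Rule (an observation about the documented table, not a formula the page
    states): priority index = rank(impact) + rank(urgency).
    Unknown level names are rejected rather than silently mapped.
    """
    try:
        score = LEVELS[impact.lower()] + LEVELS[urgency.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown impact/urgency level: {exc.args[0]!r}") from None
    return PRIORITIES[score]


def matrix_matches_rule() -> bool:
    """True if the sum-of-ranks rule reproduces every documented row."""
    return all(priority(i, u) == p for (i, u), p in DOCUMENTED_MATRIX.items())


def escalation_path(impact: str) -> list[str]:
    """Priorities an event with a fixed impact takes as urgency is raised
    from low to high; each step moves the priority up exactly one level."""
    return [priority(impact, u) for u in ("low", "medium", "high")]


if __name__ == "__main__":
    print("rule reproduces matrix:", matrix_matches_rule())
    for impact in ("low", "medium", "high"):
        print(f"impact={impact}: {' -> '.join(escalation_path(impact))}")
```

Because the rule is a sum, impact and urgency are interchangeable: a high-impact/low-urgency event and a low-impact/high-urgency event both land on medium, and only the high/high combination reaches critical.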
Event Table
The Event Table shows the following essential information:
- Title
- Tenant
- Status
- Priority
- Assignee
To copy the title, click on the Copy Title button.
Button | Function
---|---
Copy Title | Copies the event title
Quick Actions are available to change Event attributes or execute further actions by clicking the following buttons:
Button | Function
---|---
Change Assignee | Changes the Assignee of the event
Change Status | Changes the Status of the event
Actions | Opens the Actions Menu
The Actions Menu allows further actions:
- Edit Tags
- Adjust the Notification Scheme
- Adjust the Urgency
- Add a Resolution
- Delete the event
- Display Action Fields
- Run a Drilldown Search to find the origin Splunk Search that created the event
For further details on how to work with Events, see the Working with Events chapter.
Event Details
To open the Event Details, click on a single event in the accordion table.
On the top of the Event Details, the following information is available:
- Event ID
- Notification Scheme
- Count (the number of grouped events with the same title)
- Tags
- First Seen (the timestamp of the first event in grouped events with the same title)
- Action Fields
Further down, a list of tabs contains more information:
- Notable fields
- Data
- History
- Comments
Event Details Tab Ordering
The tab order can be changed in the tenant configuration.
This feature requires an AME subscription.
Compact/Expanded View
The default (compact) view shows only a limited set of information; an event has to be opened to see all of its details. The expanded view can additionally display selected attributes of each event directly in the table.
Use the following buttons to switch between the compact and expanded view:
Button | Function
---|---
Compact View | Switches to the compact view
Expanded View | Switches to the expanded view
Configuring the Expanded View
The Expanded View can be configured on the Tenant Configuration Page.
The following types of attributes can be shown:
- Tags
- Notable Fields
For Notable Fields, it is possible to switch between tooltip and key/value presentation.
Notable Fields to be shown in the Expanded View can be added and ordered.
Event Fields to be shown in the Expanded View can be added and ordered. The Add dropdown shows all available fields.
Displaying notables and tabs and changing/ordering Notable/Event-Fields require an AME subscription.
Filters
Events displayed in the summary can be filtered. Use the following buttons to change the filter:
Button | Function
---|---
Open filter | Opens the filter panel
Reset filter | Resets the filter to its defaults
The Filters open up on the right side.
Currently, the following filters are available:
- Time (Default: Last 7 days)
- Tenant
- Title
- Assignee
- Priority
- Tags
- Status
- Resolution
- Search
- Saved Search
Filtering by search
The Search field allows filtering events. The filter uses Splunk syntax and supports the following terms:
- event_key
- event_title
- fields.field_name
- free text
Applying the filter
Pressing the Apply Filter button or entering CTRL-ENTER will apply the filter.
Examples
vulnerability fields.dvc="host-1" OR fields.dvc="host-2"
event_title="Disk Usage*" OR event_title="High Memory*" fields.dvc="server-*"
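To make the two examples above concrete, here is an added Python reference matcher that is not part of Alert Manager Enterprise: it tokenizes a filter string, evaluates it against a handful of constructed events, and returns the keys of the events that match. It assumes Splunk's boolean precedence, in which OR binds tighter than the implicit AND between adjacent terms, so the second example reads as (title matches Disk Usage* OR title matches High Memory*) AND dvc matches server-*. How AME matches free text is not specified on the page; this example assumes a case-insensitive substring match over the title, key and field values. The sample events, the `apply_filter` helper and its companions are this example's own.

```python
import re
import shlex

# Constructed sample events (not from the page): the three addressable parts
# of an event that the Search filter can reference.
SAMPLE_EVENTS = [
    {"event_key": "k1", "event_title": "Disk Usage on server-1",
     "fields": {"dvc": "server-1", "category": "capacity"}},
    {"event_key": "k2", "event_title": "High Memory on server-2",
     "fields": {"dvc": "server-2"}},
    {"event_key": "k3", "event_title": "Vulnerability scan findings",
     "fields": {"dvc": "host-1", "severity": "high"}},
    {"event_key": "k4", "event_title": "Vulnerability scan findings",
     "fields": {"dvc": "host-9"}},
    {"event_key": "k5", "event_title": "Disk Usage on db-1",
     "fields": {"dvc": "db-1"}},
]


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    """Splunk-style value pattern: '*' matches any run of characters,
    everything else is literal; whole-value, case-insensitive match."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def _term_predicate(token: str):
    """Build a predicate for one term: key=value (quotes already stripped by
    shlex) or free text (assumption: substring match over title, key, fields)."""
    if "=" in token:
        key, value = token.split("=", 1)
        rx = _wildcard_to_regex(value)
        if key.startswith("fields."):
            name = key[len("fields."):]
            # A field that is absent from the event never matches, even for '*'.
            return lambda ev: name in ev["fields"] and rx.match(str(ev["fields"][name])) is not None
        return lambda ev: key in ev and rx.match(str(ev[key])) is not None
    rx = re.compile(re.escape(token), re.IGNORECASE)
    return lambda ev: any(
        rx.search(str(v))
        for v in (ev.get("event_title", ""), ev.get("event_key", ""), *ev["fields"].values())
    )


def compile_filter(filter_text: str):
    """Return a predicate for the whole filter.

    Adjacent terms are AND-ed implicitly; OR joins the terms on either side of
    it into one disjunction, which (as in Splunk) binds tighter than that AND.
    The result is a conjunction of OR-groups.
    """
    groups = []          # list of OR-groups; each group is a list of predicates
    pending_or = False   # True right after an OR keyword
    for tok in shlex.split(filter_text):
        if tok.upper() == "OR":
            if not groups or pending_or:
                raise ValueError("OR without a left operand")
            pending_or = True
            continue
        pred = _term_predicate(tok)
        if pending_or:
            groups[-1].append(pred)
            pending_or = False
        else:
            groups.append([pred])
    if pending_or:
        raise ValueError("OR without a right operand")
    if not groups:
        return lambda ev: True  # empty filter matches everything
    return lambda ev: all(any(p(ev) for p in group) for group in groups)


def apply_filter(filter_text: str, events=SAMPLE_EVENTS) -> list[str]:
    """Keys of the sample events matched by the filter, in table order."""
    match = compile_filter(filter_text)
    return [ev["event_key"] for ev in events if match(ev)]


if __name__ == "__main__":
    for f in ('vulnerability fields.dvc="host-1" OR fields.dvc="host-2"',
              'event_title="Disk Usage*" OR event_title="High Memory*" fields.dvc="server-*"'):
        print(f"{f}\n  -> {apply_filter(f)}")
```

The precedence matters for how wide a filter is: with OR grouping the second example returns only k1 and k2, whereas a naive left-to-right reading would also admit k5 (Disk Usage on db-1) because it satisfies the first title term alone. When a saved filter feeds a triage view, checking it against a few known events like this is a cheap way to confirm it is as narrow as intended.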
Saved Filters
Pressing the Save current filter button will open a modal to save the filter.
A saved filter can be selected using the dropdown to the left of the "Save current filter" button.
When a filter is selected, it can be updated, renamed, or deleted.
Saved Filters require an AME subscription.
Refresh Interval
The refresh interval of the Event Summary can be turned on or off and set to a specific value by pressing the following button:
Button | Function
---|---
Refresh Interval | Sets the refresh interval
The following options are available:
- No Refresh
- 1 Minute
- 5 Minutes
- 15 Minutes
- 30 Minutes
- 1 Hour
Footer
The footer shows the absolute time range selected by the filter/time range picker, how many events have been found, and when the data was last reloaded.
The footer can be hidden/shown by pressing the following buttons:
Button | Function
---|---
Hide footer | Hides the footer
Show footer | Shows the footer