Working with Events
This chapter explains how to work with Events.
Assign an event
To assign an event to a user, click the assignee button on the right side of the summary panel and select the user to set.
If the Full Name for the user has been set, it will be shown in the dropdown, and as a tooltip under the Assignee column.
A user is only offered as an option if they belong to the tenant (that is, hold the tenant's power user role).
Update the notification scheme
To update an event's notification scheme, click the notifications button on the right side of the summary panel and select the scheme that should be applied if the event changes its status.
A scheme is only shown to the current power user if the tenant that owns the scheme is accessible to that user.
Update the status
To update the status of an event, click the status button on the right side of the summary panel and select the destination status.
:::info
Changing the status may trigger a notification if defined in the notification scheme.
:::
Write a comment if the status update requires an explanation.
Comments will be indexed as an ame-audit-record and will be quoted in the notifications.
Update the urgency
To update the urgency of an event, click the urgency button on the right side of the summary panel and select the urgency option that should be set for the event.
Priority updates will create an ame-audit-record and may trigger notifications.
Re-run original search
To re-run the event's original search, click the search button on the right side of the summary panel.
The results may not be visible if the current user cannot access the original index.
Update several events at the same time
Use the following buttons to select/unselect events:
| Button | Function |
|---|---|
| Edit/Delete | |
| Reset Selection | |
To update several events at once:
Select the events to update by clicking the checkbox to the right of the events, then press the Edit/Delete button to open a menu.
Select from the Edit/Delete options which events should be changed or commented.
The number of affected events per tenant is shown at the top. Validate that number, then change all attributes. Optionally, add a comment, or select the Comment Option if you only want to bulk comment events.
Only if a user belongs to a tenant will this user be assigned to the event. Assignments for users outside a tenant are skipped.
Editing Event Tags
To edit event tags:
Select Edit Tags from the Action Menu.
Select or deselect all tags that apply to the event and optionally add a comment.
Click on the tag button to check if the tag is correct or delete it by clicking the bin icon on the top right side of the tag description.
Add a comment to an event
To add a comment to an event, expand the event and open the comments tab.
Use the following buttons to edit, preview, or save the comment:
| Button | Function |
|---|---|
| Edit raw text | |
| Preview formatted text | |
| Save comment | |
Comments support markdown format. Use the preview button to show the formatted comment.
Press enter for a new line and ctrl-enter or the Save comment button to save the comment. The comment will be shown once it is indexed.
Once a comment is entered, it will be indexed and can't be changed.
Invoke a Workflow Action
To invoke a Splunk Workflow Action on an event result, expand the event.
Use the following button to run a Workflow Action:
| Button | Function |
|---|---|
| Run Workflow Action | |
A Workflow Action is only offered when all of its mandatory fields are present in the event result. The Workflow Action button can be found under the Notable Fields tab and the Data tab.
Workflow Action under Notable Fields Tab:
Workflow Action under Data Tab:
Click on the Workflow Action button, and choose the action you would like to execute.
AME ignores the Show action in setting and applies all matching Workflow Actions.
On Splunk Cloud, only Workflow Actions that use the HTTPS scheme will be allowed. Workflow Actions with non-encrypted traffic (HTTP) will be filtered.
Examples
Example: Webhook Workflow Action
The following is an example of a Workflow Action that manually triggers the built-in Splunk Webhook alert action.
The search uses makeresults and eval to pass the tenant's name (ame.tenant_name) and a result field named action to the sendalert command.
Depending on the alert action, various parameters can be set. In this case, the destination web server URL is specified.
Full search command:
| makeresults count=1
| eval action=$action$, ame_tenant="$ame.tenant_name$"
| sendalert webhook param.url="https://webserver:10000"
When running the workflow action from the AME dropdown, the web server will receive a request as follows:
POST / HTTP/1.1
Accept-Encoding: identity
Content-Length: 226
Host: localhost:10000
Content-Type: application/json
User-Agent: Splunk/D1F702EF-402A-4659-A582-C88B3D7380EC
Connection: close
{"sid": "1679403559.11097", "search_name":" ", "app": "search", "owner": "admin", "results_link": "https://<mysplunkserver>:8000/app/search/@go?sid=1679403559.11097", "result": {"_time": "1679403559", "ame_tenant": "Default Tenant"}}
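As an added example (not part of the original page or of AME itself), the following Python shows how the receiving web server could validate a body like the one captured above before acting on it. The host name in the constructed sample body and the allowlist of trusted Splunk hosts are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed request body, modelled on the capture above (placeholder host replaced).
SAMPLE_BODY = (
    '{"sid": "1679403559.11097", "search_name":" ", "app": "search", "owner": "admin", '
    '"results_link": "https://splunk.example.internal:8000/app/search/@go?sid=1679403559.11097", '
    '"result": {"_time": "1679403559", "ame_tenant": "Default Tenant"}}'
)

# Top-level keys the documented webhook payload carries.
REQUIRED_KEYS = ("sid", "search_name", "app", "owner", "results_link", "result")


def parse_webhook(body, content_type, trusted_splunk_hosts):
    """Validate a Splunk webhook POST and return the fields the receiver needs.
    Raises ValueError for anything that does not look like the documented payload."""
    if content_type.split(";")[0].strip().lower() != "application/json":
        raise ValueError("unexpected Content-Type: %r" % content_type)
    payload = json.loads(body)
    missing = [k for k in REQUIRED_KEYS if k not in payload]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    result = payload["result"]
    # The search above sets ame_tenant, so a body without it is not from this action.
    if not isinstance(result, dict) or "ame_tenant" not in result:
        raise ValueError("result must be an object carrying ame_tenant")
    # Only follow results_link back to a Splunk host that is already trusted (assumed allowlist).
    link = urlparse(payload["results_link"])
    if link.scheme != "https" or link.hostname not in trusted_splunk_hosts:
        raise ValueError("results_link points to an untrusted location")
    return {
        "sid": payload["sid"],
        "tenant": result["ame_tenant"],
        "event_time": int(result["_time"]) if "_time" in result else None,
        "results_link": payload["results_link"],
    }
```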
Filtering Workflow Actions
Workflow Actions are shown in AME when all fields in the Apply only to the following fields setting match.
The list of Workflow Actions can become very long, and not all actions are helpful for an event.
Workflow Actions can be filtered further using the name of the saved search, or by template.
The following attributes can be set in workflow_actions.conf:
[<workflowaction>]
ame_templates = [template_name|template_uid](,[template_name|template_uid])+
ame_savedsearches = savedsearch_name(,savedsearch_name)+
Examples
Example: Show `workflowaction1` only for the saved searches `mytest search1` and `mytest search2`
[workflowaction1]
ame_savedsearches = "mytest search1", "mytest search2"
Example: Hide `workflowaction2` for all events (the attribute is `ame_templates`, as defined above; it is restricted to a template that does not exist)
[workflowaction2]
ame_templates = ThisTemplateDoesNotExist
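As an added example (not AME's own code), the following Python models the filtering rules described in this section over a constructed workflow_actions.conf fragment, including the Splunk Cloud HTTPS-only rule. How AME actually matches the attributes (exact string comparison, `*` in the standard `fields` attribute meaning any event) is an assumption of this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed workflow_actions.conf fragment modelled on the page's examples; 'fields' and
# 'link.uri' are standard Splunk attributes, ame_* are the AME attributes documented above.
SAMPLE_CONF = """
[workflowaction1]
link.uri = https://tools.example.internal/lookup?host=$host$
fields = host, src_ip
ame_savedsearches = "mytest search1", "mytest search2"

[workflowaction2]
link.uri = http://legacy.example.internal/ticket?id=$sid$
fields = *
ame_templates = ThisTemplateDoesNotExist

[workflowaction3]
link.uri = https://tools.example.internal/whois?ip=$src_ip$
fields = src_ip
"""


def _split_list(value):
    # '"a b", c' -> ['a b', 'c']; a missing attribute -> []
    return [v.strip().strip('"') for v in value.split(",") if v.strip()] if value else []


def visible_actions(conf_text, event_fields, savedsearch, template_name, template_uid,
                    splunk_cloud=False):
    """Return the stanza names that pass every filter described above (assumed semantics)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    shown = []
    for name in cp.sections():
        stanza = cp[name]
        # 1. "Apply only to the following fields": every listed field must be in the event
        wanted = _split_list(stanza.get("fields", "*"))
        if not all(f == "*" or f in event_fields for f in wanted):
            continue
        # 2. ame_savedsearches restricts the action to the listed saved searches
        searches = _split_list(stanza.get("ame_savedsearches"))
        if searches and savedsearch not in searches:
            continue
        # 3. ame_templates restricts the action to the listed template names or uids
        templates = _split_list(stanza.get("ame_templates"))
        if templates and template_name not in templates and template_uid not in templates:
            continue
        # 4. Splunk Cloud drops every action whose URL is not HTTPS
        if splunk_cloud and urlparse(stanza.get("link.uri", "")).scheme != "https":
            continue
        shown.append(name)
    return shown
```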
Manually create an event
Sometimes, it may be necessary to add an event that is not created through a Splunk Alert. The following button on the top left can be used to create an event.
| Button | Function |
|---|---|
| Create Event | |
| Test Query | |
Clicking the Create Event button on the top right of the Event Summary opens a modal.
The following fields are available. Mandatory values are marked with an asterisk (*):
Title (*): The title of the event
Tenant (*): The destination tenant
Impact (*): The impact of the event
Urgency (*): The urgency of the event
Assignee (*): The assignee of the event
Status (*): The initial status of the event
Notifications (*): The notification scheme for the event
Tags: Comma-separated list of tags
Notable Fields: Comma-separated list of fields
Earliest: The earliest time for the search query
Latest: The latest time for the search query
Query: The search query used for re-runs
Fields: A list of key-value fields
Before creating the event, the search query can be tested by clicking the Test Query button. This opens the search in a new browser tab.
If everything looks correct, press Submit to create the event.