Event Automation
This section explains how Alert Manager Enterprise (AME) automates events through rules and notifications.
The following image, "Automation Flow", illustrates how AME converts Splunk alerts into events that can trigger rules and notifications.
AME processes events as follows:
- A Splunk alert triggers, creating or updating an event.
- The event activates the Rule Engine; if a rule matches and its conditions are met, the event is updated accordingly.
- (Optional) If the matching rule defines a keyword, that keyword is added to the Notification Queue.
- The updated event data is copied to the Notification Queue.
- The Notification Engine monitors the Notification Queue.
- If a matching flow is found, the Notification Queue entry is updated with the target channels for the notification.
- A worker process sends the notifications to the specified targets.
Rule Engine Field Reference
In addition to event data fields, the Rule Engine provides these metadata fields for conditions:
Field Name | Description | Type | Example |
---|---|---|---|
ame.assignee | Current event assignee | String | admin |
ame.count | Duplicate count | Integer | 1 |
ame.event_title | Event title | String | Alert for host xyz |
ame.event_ttl | Event TTL | Integer | 600 |
ame.first_seen | First seen timestamp | Integer | 1711401172 |
ame.impact | Event impact | String | low |
ame.most_recent | Most recent timestamp | Integer | 1711401172 |
ame.notifications | Notification UID | String | 63d76e6be87c1840f142114 |
ame.notable_fields | Notable fields | Stringlist | src_ip,dest_ip,count |
ame.priority | Event priority value | Integer | 1 |
ame.priority_name | Priority name | String | low |
ame.resolution | Resolution UID | String | 63d76e6be87c1840f142114 |
ame.resolution_name | Resolution | String | True positive |
ame.search_name | Saved search name | String | myalert |
ame.status | Event status UID | String | 63d76e6be87c1840f142114 |
ame.status_name | Status name | String | in_progress |
ame.tenant_uid | Tenant name | String | default |
ame.template | Template UID | String | 63d76e6be87c1840f142114 |
ame.template_name | Template name | String | default |
ame.ttl_target | Next status when TTL is reached | String | resolved |
ame.urgency | Event urgency | String | low |
Notification Engine Field Reference
In addition to event data fields, the Notification Engine provides these metadata fields for conditions:
Field Name | Description | Type | Example |
---|---|---|---|
ame.assignee | Current event assignee | String | admin |
ame.count | Duplicate count | Integer | 1 |
ame.event_title | Event title | String | Alert for host xyz |
ame.event_ttl | Event TTL | Integer | 600 |
ame.first_seen | First seen timestamp | Integer | 1711401172 |
ame.impact | Event impact | String | low |
ame.most_recent | Most recent timestamp | Integer | 1711401172 |
ame.notifications | Notification UID | String | 63d76e6be87c1840f142114 |
ame.notable_fields | Notable fields | Stringlist | src_ip,dest_ip,count |
ame.priority | Event priority value | Integer | 1 |
ame.priority_name | Priority name | String | low |
ame.resolution | Resolution UID | String | 63d76e6be87c1840f142114 |
ame.resolution_name | Resolution | String | True positive |
ame.search_name | Saved search name | String | myalert |
ame.status | Event status UID | String | 63d76e6be87c1840f142114 |
ame.status_name | Status name | String | in_progress |
ame.tenant_uid | Tenant name | String | default |
ame.template | Template UID | String | 63d76e6be87c1840f142114 |
ame.template_name | Template name | String | default |
ame.ttl_target | Next status when TTL is reached | String | resolved |
ame.urgency | Event urgency | String | low |
Trigger condition fields are also available:
Field Name | Description | Type | Example |
---|---|---|---|
changed | Fields that have changed | Stringlist | ame.status_name,ame.assignee |
values | Values of changed fields | Stringlist | new,admin |
keyword | Keyword passed from a rule | Stringlist | mykeyword |
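The following is an added example, not AME's own code, showing how the trigger fields relate to the event metadata above: it derives `changed`, `values` and `keyword` from an old and a new copy of an event, then evaluates notification flows whose conditions reference both the `ame.*` fields and the trigger fields. The flow/condition representation, the assumption that `changed` and `values` are parallel lists, and the sample events are illustrative assumptions.

```python
# Added example (not AME's own code). Models how a Notification Engine flow
# condition could be evaluated over the ame.* metadata fields and the trigger
# fields (changed, values, keyword). Condition syntax and the diff logic are
# assumptions for illustration; field names follow the tables on this page.
from typing import Any, Dict, List, Optional, Tuple

def trigger_context(old: Dict[str, Any], new: Dict[str, Any],
                    keyword: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Build the trigger fields: `changed` lists the ame.* fields whose value
    differs between old and new; `values` holds the new value at the same index."""
    changed = [k for k in new if k.startswith("ame.") and old.get(k) != new[k]]
    return {"changed": changed,
            "values": [str(new[k]) for k in changed],
            "keyword": list(keyword or [])}

OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "contains": lambda a, b: b in a}

Condition = Tuple[str, str, Any]  # (field, operator, expected value)

def evaluate(conditions: List[Condition], event: Dict[str, Any],
             trigger: Dict[str, List[str]]) -> bool:
    """All conditions must hold (AND). A missing field never matches."""
    scope = {**event, **trigger}  # event metadata plus trigger fields
    return all(f in scope and OPS[op](scope[f], exp) for f, op, exp in conditions)

# Assumed flows: (name, conditions, target channels). Channel names are constructed.
FLOWS = [
    ("escalate", [("changed", "contains", "ame.status_name"),   # status changed ...
                  ("ame.status_name", "==", "in_progress"),     # ... to in_progress
                  ("ame.priority", ">=", 2)], ["slack-soc"]),
    ("keyword", [("keyword", "contains", "mykeyword")], ["email-oncall"]),
]

def match_flows(event: Dict[str, Any], trigger: Dict[str, List[str]],
                flows=FLOWS) -> List[str]:
    """Return the target channels of every flow whose conditions match."""
    return [t for _, conds, targets in flows
            if evaluate(conds, event, trigger) for t in targets]

# Constructed sample: an analyst picks up a priority-2 event.
OLD = {"ame.status_name": "new", "ame.assignee": "", "ame.priority": 2,
       "ame.search_name": "myalert"}
NEW = {"ame.status_name": "in_progress", "ame.assignee": "admin",
       "ame.priority": 2, "ame.search_name": "myalert"}

if __name__ == "__main__":
    ctx = trigger_context(OLD, NEW)
    print(ctx, match_flows(NEW, ctx))
```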