Event Summary Overview
The Event Summary Page is the entry point for managing all events.
In Alert Manager Enterprise, the term Event describes a Splunk Alert managed by the AME App. Note that a Splunk Alert can be appended to an existing AME Event. See the Alert Action Setup to find out more about how Events are created and updated.
AME supports the Splunk Dark UI theme. Dark mode can be enabled by
configuring the theme in the Splunk User Preferences.
Single Value Indicators
On the top of the Events Summary, single values indicators show the number of events over the selected time range split by priority. A trend timeline is shown below the number.
The Single Value Indicators can be hidden/shown by pressing the following buttons:
| Button | Function |
|---|---|
 | Show Single Values |
 | Hide Single Values |
Event Timeline
The Event Timeline can be shown below the Single Value Indicators. The timeline shows the selected time range and is split by priority.
The Event Timeline can be hidden/shown by pressing the following buttons:
| Button | Function |
|---|---|
 | Show Event Timeline |
 | Hide Event Timeline |
About Priorities
Priorities are calculated by using the Alert's urgency and impact settings:
| Impact | Urgency | Priority |
|---|---|---|
| low | low | informational |
| low | medium | low |
| low | high | medium |
| medium | low | low |
| medium | medium | medium |
| medium | high | high |
| high | low | medium |
| high | medium | high |
| high | high | critical |
Event Table
The Event Table shows the following essential information by default.
- Title
- Tenant
- Status
- Priority
- Assignee
Fieldsets
If Fieldsets are defined for the selected tenant, the fieldset dropdown will be displayed.
Each tenant can have its own fieldsets. AME only shows the fieldset if events of a single tenant are displayed in the Event Table
Fieldvalues from Alert Results are only shown, when an event has been created with AME 3.2 or higher
Quick Actions
Quick Actions are available to change Event attributes or execute further actions by clicking the following buttons:
| Button | Function |
|---|---|
 | Change Assignee |
 | Change Status |
 | Actions |
Actions Menu
The Actions Menu allows further actions:
- Edit Tags
- Adjust the Notification Scheme
- Adjust the Urgency
- Add a Resolution
- Delete the event
- Display Action Fields
- Run a Drilldown Search to find the origin Splunk Search that created the event
For further details on how to work with Events, see the Working with Events chapter.
Event Details
To open the Event Details, click on a single event in the accordion table.
On the top of the Event Details, the following information is available per default:
- Event ID
- Notification Scheme
- Count (the number of grouped events with the same title)
- Tags
- First Seen (the timestamp of the first event in grouped events with the same title)
- Action Fields
Further down, a list of tabs contains more information:
- Notable fields
- Data
- History
- Comments
- SLAs
Event Details Tab Ordering
The tab order can be changed under the tenant configuration:
This feature requires an AME subscription.
Compact/Expanded View
The default, or compact view, only shows a limited set of information. It has to be opened to see all the details of an event. Using the expanded view it is possible to display selected attributes for the event.
Use the following button to switch between the compact and expanded view:
| Button | Function |
|---|---|
 | Compact View |
 | Expanded View |
Working with Events chapter.
Read here how to configure the Expanded Views.
Displaying notables and tags and changing/ordering Notable/Event-Fields require an AME subscription.
Filters
Events displayed in the summary can be filtered. Use the following buttons to change the filter:
| Button | Function |
|---|---|
 | Open filter |
 | Reset filter |
 | Show filter in Page |
The Filters will open up on the right side either as a slide-out or in-page.
Currently, the following filters are available:
- Time (Default: Last 7 days)
- Tenant
- Title
- Assignee
- Priority
- Tags
- Status
- Resolution
- Search
- Saved Search
- SLA Filters
Filtering by search
The Search field allows filtering events. The filter uses Splunk syntax and supports the following filters:
event_keyevent_titlefields.field_name- free text
Applying the filter
Pressing the Apply Filter button or entering CTRL-ENTER will apply the filter.
Examples
vulnerability fields.dvc="host-1" OR fields.dvc="host-2"
event_title="Disk Usage*" OR event_title="High Memory*" fields.dvc="server-*"
Saved Filters
Pressing the Save current filter button will open a modal to save the filter.
A saved filter can be selected by using the dropdown left to the "Save current filter` dropdown.
When a filter is selected, it can be updated, renamed, or deleted.
Saved Filters require an AME subscription.
Refresh Interval
The refresh interval of the Event Summary can be turned on or off and set to a specific value. by pressing the following button:
| Button | Function |
|---|---|
 | Refresh Interval |
Following Options are available:
- No Refresh
- 1 Minute
- 5 Minutes
- 15 Minutes
- 30 Minutes
- 1 Hour
Footer
The footer shows information, the absolute time range selected by the filer/time range picker, how many events have been found, and the last reload of the data.
The footer can be hidden/shown by pressing the following buttons:
| Button | Function |
|---|---|
 | Hide footer |
 | Show footer |