Event Summary Overview

The Event Summary Page is the entry point for managing all events.

info

In Alert Manager Enterprise, the term Event describes a Splunk Alert managed by the AME App. Note that a Splunk Alert can be appended to an existing AME Event. See the Alert Action Setup to find out more about how Events are created and updated.

tip

AME supports the Splunk Dark UI theme. Dark mode can be enabled by configuring the theme in the Splunk User Preferences.

Single Value Indicators

On the top of the Events Summary, single values indicators show the number of events over the selected time range split by priority. A trend timeline is shown below the number.

The Single Value Indicators can be hidden/shown by pressing the following buttons:

  • Show Single Values
  • Hide Single Values

Event Timeline

The Event Timeline can be shown below the Single Value Indicators. The timeline shows the selected time range and is split by priority.

The Event Timeline can be hidden/shown by pressing the following buttons:

  • Show Event Timeline
  • Hide Event Timeline

About Priorities

Priorities are calculated from the Alert's impact and urgency settings:

Impact | Urgency | Priority
low    | low     | informational
low    | medium  | low
low    | high    | medium
medium | low     | low
medium | medium  | medium
medium | high    | high
high   | low     | medium
high   | medium  | high
high   | high    | critical

Event Table

The Event Table shows the following essential information by default.

  • Title
  • Tenant
  • Status
  • Priority
  • Assignee

Fieldsets

If Fieldsets are defined for the selected tenant, the fieldset dropdown will be displayed.

info

Each tenant can have its own fieldsets. AME only shows the fieldset dropdown if the events of a single tenant are displayed in the Event Table.

info

Field values from Alert Results are only shown when an event has been created with AME 3.2 or higher.

Quick Actions

Quick Actions are available to change Event attributes or execute further actions by clicking the following buttons:

  • Change Assignee
  • Change Status
  • Actions

Actions Menu

The Actions Menu allows further actions:

  • Edit Tags
  • Adjust the Notification Scheme
  • Adjust the Urgency
  • Add a Resolution
  • Delete the event
  • Display Action Fields
  • Run a Drilldown Search to find the origin Splunk Search that created the event

For further details on how to work with Events, see the Working with Events chapter.

Event Details

To open the Event Details, click on a single event in the accordion table.

At the top of the Event Details, the following information is available by default:

  • Event ID
  • Notification Scheme
  • Count (the number of grouped events with the same title)
  • Tags
  • First Seen (the timestamp of the first event in grouped events with the same title)
  • Action Fields

Further down, a list of tabs contains more information:

  • Notable fields
  • Data
  • History
  • Comments
  • SLAs

Event Details Tab Ordering

The tab order can be changed in the tenant configuration.

info

This feature requires an AME subscription.

Compact/Expanded View

The default (compact) view shows only a limited set of information; an event has to be opened to see all of its details. The expanded view makes it possible to display selected attributes of the event.

Use the following button to switch between the compact and expanded view:

  • Compact View
  • Expanded View

See the Working with Events chapter for details on how to configure the Expanded View.

info

Displaying notables and tags, and changing or ordering Notable/Event fields, require an AME subscription.

Filters

Events displayed in the summary can be filtered. Use the following buttons to change the filter:

  • Open filter
  • Reset filter
  • Show filter in Page

The Filters will open up on the right side either as a slide-out or in-page.

Currently, the following filters are available:

  • Time (Default: Last 7 days)
  • Tenant
  • Title
  • Assignee
  • Priority
  • Tags
  • Status
  • Resolution
  • Search
  • Saved Search
  • SLA Filters

The Search field filters events using Splunk search syntax and supports the following filter terms:

  • event_key
  • event_title
  • fields.field_name
  • free text

Applying the filter

Pressing the Apply Filter button or pressing CTRL-ENTER will apply the filter.

Examples

vulnerability fields.dvc="host-1" OR fields.dvc="host-2"
event_title="Disk Usage*" OR event_title="High Memory*" fields.dvc="server-*"
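The two search examples above and the impact/urgency matrix from the About Priorities section, worked through in code. This is an added example and not code from the AME app or its documentation: the priority matrix is copied from the page, while the filter semantics are assumptions made for this example (whitespace-separated terms are ANDed, `OR` joins the two terms around it, `*` is a wildcard in values, and a bare word is free text matched case-insensitively against the title, key and field values). The events are constructed sample data.

```python
"""Evaluate AME-style Search filters and the impact/urgency priority matrix.

Added example; not code from the AME app or its documentation. The priority
matrix is the page's table. The filter semantics are assumptions made for this
example (implicit AND, "OR" between adjacent terms, "*" wildcard, free text
substring match). EVENTS is constructed sample data.
"""
import re
import shlex

# (impact, urgency) -> priority, as given in the "About Priorities" table.
PRIORITY_MATRIX = {
    ("low", "low"): "informational",
    ("low", "medium"): "low",
    ("low", "high"): "medium",
    ("medium", "low"): "low",
    ("medium", "medium"): "medium",
    ("medium", "high"): "high",
    ("high", "low"): "medium",
    ("high", "medium"): "high",
    ("high", "high"): "critical",
}


def priority(impact, urgency):
    """Return the priority for an impact/urgency pair, rejecting unknown values."""
    key = (impact.strip().lower(), urgency.strip().lower())
    if key not in PRIORITY_MATRIX:
        raise ValueError(f"unknown impact/urgency combination: {key}")
    return PRIORITY_MATRIX[key]


def wildcard_match(pattern, value):
    """Match value against pattern where only '*' is special (case-insensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def term_matches(term, event):
    """Evaluate one filter term (key=value or free text) against one event."""
    key, sep, pattern = term.partition("=")
    if not sep:  # free text: substring search over title, key and field values
        haystack = [event["event_title"], event["event_key"], *map(str, event["fields"].values())]
        return any(term.lower() in text.lower() for text in haystack)
    if key in ("event_key", "event_title"):
        value = event[key]
    elif key.startswith("fields."):
        value = event["fields"].get(key[len("fields."):])
        if value is None:
            return False  # field not present on this event
    else:
        raise ValueError(f"unsupported filter key: {key}")
    return wildcard_match(pattern, str(value))


def parse_filter(query):
    """Split a query into AND-ed groups of OR-ed terms (assumed semantics)."""
    groups, join_with_previous = [], False
    for token in shlex.split(query):  # shlex strips the quotes around values
        if token == "OR":
            join_with_previous = True
            continue
        if join_with_previous and groups:
            groups[-1].append(token)
        else:
            groups.append([token])
        join_with_previous = False
    return groups


def filter_events(query, events):
    """Return the event_keys of the events matching the query, in input order."""
    groups = parse_filter(query)
    return [
        e["event_key"]
        for e in events
        if all(any(term_matches(t, e) for t in group) for group in groups)
    ]


def count_by_priority(events):
    """Count events per computed priority, like the Single Value Indicators do."""
    counts = {}
    for e in events:
        p = priority(e["impact"], e["urgency"])
        counts[p] = counts.get(p, 0) + 1
    return counts


# Constructed sample events (not real data).
EVENTS = [
    {"event_key": "k1", "event_title": "Disk Usage Critical", "impact": "high",
     "urgency": "high", "fields": {"dvc": "server-01"}},
    {"event_key": "k2", "event_title": "Vulnerability scan findings", "impact": "medium",
     "urgency": "low", "fields": {"dvc": "host-1"}},
    {"event_key": "k3", "event_title": "High Memory Pressure", "impact": "medium",
     "urgency": "high", "fields": {"dvc": "server-07"}},
    {"event_key": "k4", "event_title": "Vulnerability scan findings", "impact": "low",
     "urgency": "low", "fields": {"dvc": "laptop-3"}},
]

if __name__ == "__main__":
    print(count_by_priority(EVENTS))
    for q in ('vulnerability fields.dvc="host-1" OR fields.dvc="host-2"',
              'event_title="Disk Usage*" OR event_title="High Memory*" fields.dvc="server-*"'):
        print(q, "->", filter_events(q, EVENTS))
```

With the sample data, the first example matches only k2 (the vulnerability event on host-1), and the second matches k1 and k3 (disk and memory titles on server-* devices); k4 is excluded from the first query because its device is not in the OR group.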

Saved Filters

Pressing the Save current filter button will open a modal to save the filter.

A saved filter can be selected using the dropdown to the left of the "Save current filter" button.

When a filter is selected, it can be updated, renamed, or deleted.

info

Saved Filters require an AME subscription.

Refresh Interval

The refresh interval of the Event Summary can be turned on or off and set to a specific value by pressing the following button:

  • Refresh Interval

The following options are available:

  • No Refresh
  • 1 Minute
  • 5 Minutes
  • 15 Minutes
  • 30 Minutes
  • 1 Hour

The footer shows the absolute time range selected by the filter/time range picker, how many events have been found, and when the data was last reloaded.

The footer can be hidden/shown by pressing the following buttons:

  • Hide footer
  • Show footer