Skip to main content
Version: Next

Working with Events

This chapter explains how to work with Events.

Assign an event

To assign an event to a user, click the assignee button on the right side of the summary panel and select the user to set. If the Full Name for the user has been set, it will be shown in the dropdown, and as a tooltip under the Assignee column.

note

Only if a user belongs to a tenant (has the tenant's power user role) will this user be shown as an option.

Update the notification scheme

To update an event's notification scheme, click the notifications button on the right side of the summary panel and select the scheme that should be applied if the event changes its status.

note

Only if the tenant of the notification scheme is accessible will this scheme be shown to the current power user.

Update the status

  1. To update the status of an event, click the status button on the right side of the summary panel and select the destination status.

    :::info Changing the status may trigger a notification if defined in the notification scheme. :::

  2. Write a comment if the status update requires an explanation.

note

Comments will be indexed as an ame-audit-record and will be quoted in the notifications.

Update the urgency

To update the urgency of an event, click the urgency button on the right side of the summary panel and select the urgency option that should be set for the event.

note

Priority updates will create an ame-audit-record and may trigger notifications.

To re-run the event's original search, click the search button on the right side of the summary panel.

note

The results may not be visible if the current user cannot access the original index.

Update several events at the same time

Use the following buttons to select/unselect events:

ButtonFunction
Edit/Delete
Reset Selection

To update several events at once:

  1. Select the events to update by clicking the checkbox to the right of the events, then press the Edit/Delete button to open a menu:

  2. Select from the Edit/Delete options which events should be changed or commented.

  3. The number of affected events by tenants will be shown on top. Validate the number and then change all attributes. Optionally, add a comment, or select the Comment Option if you just want to bulk comment events.

danger

Only if a user belongs to a tenant will this user be assigned to the event. Assignments for users outside a tenant are skipped.

Editing Event Tags

To edit event tags:

  1. Select Edit Tags from the Action Menu

  2. Select or deselect all tags that apply to the event and optionally add a comment.

  3. Click on the tag button to check if the tag is correct or delete it by clicking the bin icon on the top right side of the tag description.

Add a comment to an event

To add a comment to an event, expand the event and open the comments tab.

Use the following buttons to edit, preview, or save the comment:

ButtonFunction
Edit raw text
Preview formatted text
Save comment

Comments support markdown format. Use the preview button to show the formatted comment.

Press enter for a new line and ctrl-enter or the Save comment button to save the comment. The comment will be shown once it is indexed.

danger

Once a comment is entered, it will be indexed and can't be changed.

Invoke a Workflow Action

To invoke a Splunk Workflow Action on an event result, expand the event.

Use the following button to run a Workflow Action:

ButtonFunction
Run Workflow Action

The Workflow Action will be available if all mandatory fields are available. The Workflow Action can be found under the Notable Fields and Data Tab.

Workflow Action under Notable Fields Tab:

Workflow Action under Data Tab:

Click on the Workflow Action button, and choose the action you would like to execute.

info

AME ignores the Show action in setting and applies all matching Workflow Actions.

note

On Splunk Cloud, only Workflow Actions that use the HTTPS scheme will be allowed. Workflow Actions with non-encrypted traffic (HTTP) will be filtered.

Examples

Example: Webhook Workflow Action

Following is an example of a Workflow action that triggers the built-in Splunk Webhook Action manually.

The search uses makeresults and eval to pass the tenant's name ame.tenant_name and a result-field action to the send alert command. Depending on the alert action, various parameters can be set. In this case, the destination web server URL is specified.

Full search command:

| makeresults 1  
| eval action=$action$, ame_tenant="$ame.tenant_name$"
| sendalert webhook param.url="https://webserver:10000

When running the workflow action from the AME dropdown, the web server will receive a request as follows:

POST / HTTP/1.1
Accept-Encoding: identity
Content-Length: 226
Host: localhost:10000
Content-Type: application/json
User-Agent: Splunk/D1F702EF-402A-4659-A582-C88B3D7380EC
Connection: close

{"sid": "1679403559.11097", "search_name":" ", "app": "search", "owner": "admin", "results_link": "https://<mysplunkserver>:8000/app/search/@go?sid=1679403559.11097", "result": {"_time": "1679403559", "ame_tenant": "Default Tenant"}

Filtering Workflow Actions

Workflow Actions are shown in AME when all fields in the Apply only to the following fields settings that match. The list of Workflow Actions can become very long, and not all actions are helpful for an event.

It is possible to filter Workflow Actions further down using the name of the saved search, or by template.

The following attributes can be set in workflow_actions.conf:

[<workflowaction>]
ame_templates = [template_name|template_uid](,[template_name|template_uid])+
ame_savedsearches = savedsearch_name(,savedsearch_name)+

Examples

Example: Show workflowaction1 only to the `mytest search1` and `mytest search2`
[workflowaction1]
ame_savedsearches = "mytest search1", "mytest search2"
Example: Hide `workflowaction2` for all events
[workflowaction2]
ame_template = ThisTemplateDoesNotExist

Manually create an event

Sometimes, it may be necessary to add an event that is not created through a Splunk Alert. The following button on the top left can be used to create an event.

ButtonFunction
Create Event
Test Query

Clicking the Create Event button on the top right of the Event Summary opens a Modal.

The following fields are available. Mandatory values are marked with an asterisk (*):

  • Title(*): The title of the event
  • Tenant(*): The destination tenant
  • Impact(*): The impact of the event
  • Urgency(*): The urgency of the event
  • Assignee(*): The assignee of the event
  • Status(*): The initial status of the event
  • Notifications(*): The notification scheme for the event
  • Tags: Comma-separated list of tags
  • Notable Fields: Comma-separated list of fields
  • Earliest: The earliest time for
  • Latest: The latest time for the search query
  • Query: The search query used for re-runs
  • Fields: A list of key-value fields

Before creating the event, the search query can be tested by clicking on the Test Query Button. This opens the search in a new browser tab.

If everything looks correct, press Submit to create the event.

Working with SLAs

Each Event can have an SLA assigned automatically or manually.

The SLA tab shows all assigned SLA for the event:

Additional SLAs can be assigned with the Activate SLA button.

ButtonFunction
Activate SLA
info

This feature requires an AME subscription.