Version: Next

Release Notes

Note: Alert Manager Enterprise version 2.0 and higher only supports Splunk Enterprise 9.0 and higher and Splunk Cloud using Python 3.

Version 3.2.2

What's new:

  • AME-724 Apply Template TTL configuration to states other than new
  • AME-813 Add Lookback-Time to Template

Fixed issues:

  • AME-803 Status resolution requirements not checked on resolution change
  • AME-804 Add back copy button on Event Title
  • AME-805 Update Task 9 has broken imports due to dpshared migration
  • AME-809 Rework AlertQueueConsumer to improve performance

Version 3.2.1

Fixed issues:

  • AME-806 most_recent_notable_fields can collide with ame-event fields when loading event-summary

Version 3.2.0

What's new:

  • AME-322 Display object references in UI
  • AME-531 Extend the freeform search filter to allow searching for all data
  • AME-598 Hide tenant field column in event summary if single tenant
  • AME-639 SLA Management
  • AME-644 MS-Teams: Connectors deprecated
  • AME-665 Allow usage of client certificates if required by splunkd
  • AME-672 Warn users that their license is about to expire (1 Month before expiration)
  • AME-673 Improve event summary field inputs
  • AME-686 Extend summary with notable fields
  • AME-716 Provide an API Endpoint for retrieving events from AME
  • AME-725 Implement "Select all" and "Select page" for events in summary
  • AME-738 Extend status option resolution restrictions
  • AME-747 Add ability to save multiple views of event summary on tenant
  • AME-790 License management should consume the complete json license
  • AME-791 Add status_type option for ameevents and ameenrich
  • AME-792 Highlighting of selected event rows

Fixed issues:

  • AME-717 Store field filters in saved filters
  • AME-783 Bulk deletes missing hard Flag
  • AME-793 Error messages wrong, when a valid license is in place, but the user does not have the permissions

Version 3.1.3

Fixed issues:

  • AME-780 Bulk update does not chunk existing query
  • AME-781 Bulk update modal should only allow save if something is updated

Version 3.1.2

Fixed issues:

  • AME-671 Notification action alert_data incorrectly rendered
  • AME-692 Unpopulated Assignee Data
  • AME-694 Deselection of events not working
  • AME-701 Log stdout & return code of vsl / vsw execution
  • AME-712 Repository methods missing user name
  • AME-719 apply_tll does not check for empty list of new-type status options
  • AME-720 Fix typo in authorize.conf
  • AME-721 Fixing appinspect warnings (default.meta, collections.conf and dependencies)
  • AME-721 Adapting comment prefix
  • AME-727 Set event host field to SH in HEC events
  • AME-729 Bulk insert failing if too many existing keys to check
  • AME-732 Check AM migrated tags for empty strings on events
  • AME-736 Write role returning None from SDK

Version 3.1.1

Fixed issues:

  • AME-666 Update bulk creating invalid queries if no entries supplied
  • AME-667 Expanded event header percentages are reset on event expand
  • AME-667 Template contains custom tag references rather than tag value
  • AME-669 Rule cron documentation link broken
  • AME-670 Fix README.md license bin path

Version 3.1.0

What's new:

  • AME-220 Add chips to tags impact and urgency
  • AME-253 Add a timeline to event summary
  • AME-412 The Full Name of the assignee should be displayed
  • AME-413 Event Summary should provide a compact and extended mode
  • AME-578 Wildcard matching for contains operator in matching engine
  • AME-597 Notable fields should support internal ame fields
  • AME-611 Ensure compatibility with Python 3.9
  • AME-627 Allow bulk comment on events
  • AME-631 Suspend refresh while filter window is open
  • AME-633 Enable rule execution on event update
  • AME-652 Add a command to look up where an object reference is used

Fixed issues:

  • AME-600 Event summary status should sort on status_name
  • AME-606 Some filters are reset when reloading the event summary
  • AME-608 Fix reload for update modal when refreshing
  • AME-634 Creating an event directly from search does not respect the tenant param
  • AME-635 Assignee filter broken due to selection of username extended name as filter
  • AME-636 Manual event creation failing with template error
  • AME-637 Notification exception if alert data contains multi value fields
  • AME-640 Configuration logging background color off in light mode
  • AME-641 ameenrich performance improvements
  • AME-642 ttl_target missing as alert action parameter + type mismatch

Version 3.0.8

Fixed issues:

  • AME-605 Notification-Templates: TextArea and better access to alert data
  • AME-609 Correct ame_server log level
  • AME-610 Inconsistent Event state after updating event via REST
  • AME-613 Action-Notification: allow empty structured templates
  • AME-614 Migration tags are not handled the same for event and tag creation
  • AME-615 Add count=0 to user list in user tenant mapping to fetch all users

Version 3.0.7

Fixed issues:

  • AME-468 ameenrich: verify that it filters what it should, and the filters work as expected
  • AME-554 Search not possible if an uninitialized tenant exists
  • AME-570 Event key filter should use all time search
  • AME-573 KVWrapper: dynamically load maximum amount of items
  • AME-576 EventService, Event update: skip updates to value event already has (no op)
  • AME-581 AM->AME: fix tags migration
  • AME-584 CIS Tags not sorted correctly
  • AME-586 The selection of event count should persist a page reload
  • AME-588 Ensure graceful conversion between int <-> float in models
  • AME-591 Scrolling custom filter dropdown out of page crashes page
  • AME-592 For field actions, we should not limit protocols in GET Requests
  • AME-596 Saved search filter reusing removed search job

Before proceeding with an update, review the Before upgrading guide for this release.

Version 3.0.6

Fixed issues:

  • AME-589 Driver gets loaded with wrong Python version on Cloud when default python version is set to python2
  • AME-593 Cloud splunk-system-user cache edge case

Version 3.0.5

Fixed issues:

  • AME-528 Implement custom persistent appserver to prevent cross app interpreter issues in Splunk Cloud
  • AME-567 Fixing inheritance for power / admin role
  • AME-571 Workaround for alert action issue with 9.0.x (dot entity)
  • AME-580 Adding admin to cloud admin list
  • AME-582 Splunk Cloud Port check prevents setup

Version 3.0.4

Unreleased.

Version 3.0.3

Unreleased.

Version 3.0.2

What's new:

  • AME-452 Update Reporting Dashboards to support Resolutions
  • AME-563 Log initial query in migration task

Fixed issues:

  • AME-503 remove app from url query
  • AME-513 include resolution dropdown on all status changes
  • AME-514 Removing ref check from status option
  • AME-515 Do not store action_params in originQuery
  • AME-516 Refresh filter does not update on filter change
  • AME-517 Click away the event update modal without closing / submit opens the event
  • AME-519 ameevents and ameenrich should give the status type back
  • AME-520 Filtering with Status All does not work
  • AME-521 Do not use login at SMTP if no credentials configured
  • AME-526 Hide password for validation script
  • AME-527 notification upgrade task expects wrong amount of old_schemes backed up
  • AME-530 Action notifications issues
  • AME-553 User timezone frontend using wrong param
  • AME-555 Filtering by custom tags is using key instead of tag value
  • AME-562 splunk 9.0.7: cannot create entities with . in key // cannot create events

Known issues:

  • AME-528 Hotfix: conflicting app installations // unload modules on Splunk On-Premises for Scientific Python and Splunk Cloud

Version 3.0.1

Unreleased.

Version 3.0.0

What's new:

  • AME-130 Rules scope not specific enough
  • AME-207 Implement resolution functionality
  • AME-219 Add link to Notification Scheme and Template in Event Summary
  • AME-261 Refactor Notifications
  • AME-298 Rule conditions match literal strings, wildcard strings and CIDR
  • AME-299 Set port number to 443 by default for HEC if Splunk Cloud is detected
  • AME-303 Move the refresh time from filters to the icon bar
  • AME-306 Refactor Notifications
  • AME-307 Refactor Tags
  • AME-308 Refactor Rules
  • AME-309 Refactor Templates
  • AME-312 Refactor Event Service
  • AME-313 Refactor Event Report Service
  • AME-321 Refactor Tasks
  • AME-332 Allow easy copy of the event title
  • AME-339 Notable fields order should be kept if only configured from one source
  • AME-342 Add direct link to event (for notifications and sharing)
  • AME-346 AME should cache User/Tenant mappings in a KVStore Collection
  • AME-357 Migration for templates, rules and status_options
  • AME-360 Drop support for non-slackapp (legacy) notification channel
  • AME-365 EventService: Create AppendTrigger on append (if flag is set)
  • AME-366 EventService: Create AssignedTrigger on assignment
  • AME-367 Notification-Migration-Task: Create AppendFlow that sends mail to assignee
  • AME-376 Migrate AM Migration to 3.0 release
  • AME-406 Upgrade migrations.conf to a replicated conf file and remove app.conf setup
  • AME-419 Hitting enter in the event summary filter should run the filter
  • AME-423 Trigger-condition should contain auto-resolved field references instead of reference keys
  • AME-428 Link to Cron Docs should open a new tab
  • AME-429 Resolutions Groundwork

Fixed issues:

  • AME-213 Alert Handler insert_entry fails with API size limit
  • AME-316 Notable Fields column does not scale with long field names
  • AME-317 Search based filter takes a long time
  • AME-337 Ensure cache is bypassed when fetching data from the REST API in the frontend
  • AME-344 Comments missing timezone awareness
  • AME-348 E-Mail Link in Splunk Cloud
  • AME-361 ame_migration: include fix for tags as list
  • AME-383 Exception Handler in create_alert can fail when trying to determine the search_time
  • AME-384 alerts in the ame_alertqueue should be deleted with hard=True to prevent the collection from growing large over time
  • AME-399 Only show power users in frontend for assignee / default assignee
  • AME-420 Set Max-Width for notification-flow-label column

Version 2.0.4

What's new:

  • AME-274 Allow the filtering of Workflow Actions
  • AME-283 Notable Fields should support wildcards to show all fields

Fixed issues:

  • AME-340 Do not show empty notable fields
  • AME-343 ameenrich not showing event for all time search
  • AME-345 Assign to myself filter broken
  • AME-347 E-Mail Link in Splunk Cloud wrong
  • AME-349 Migration some ISO timestamps are epoch
  • AME-350 Bulk edit comment not reset
  • AME-352 Tag filter for custom tag uses _key instead of tag value
  • AME-356 Improved templates for setup page

Version 2.0.3

Fixed issues:

  • AME-326 Switch everything to v2 search API
  • AME-327 Prevent endless recursion in role manager
  • AME-328 Prevent none type mail recipients
  • AME-329 Tags existing in multiple accessible tenants are all shown in event
  • AME-330 Ignore invalid AM data for migration

Version 2.0.2

Fixed issues:

  • AME-264 Setup page shows "Incomplete Restore KV-Store Data" task when it shouldn't
  • AME-292 Custom tags are not removed from tag manager after deletion
  • AME-297 Premium tags are generated as tenant tags
  • AME-304 Large number of users are not displayed properly in Event Summary
  • AME-316 Notable Fields column does not scale with long field names
  • AME-323 Migration remains failing due to header size

Version 2.0.1

Fixed issues:

  • AME-225 Migrating too many AM Incidents exceeds header limits
  • AME-269 Appending of alert does not check for custom closed status
  • AME-270 Searches get killed by Workload Manager if the timerange is All Time
  • AME-271 Search in alert HTML uses all time and wrong context
  • AME-286 Email Address Validation fixed

Known issues:

  • AME-264 Setup page shows "Incomplete Restore KV-Store Data" task when it shouldn't

Before you upgrade:

  • If you are upgrading from AME <1.x, there have been syntax changes in how tags and notable_events are overridden with event fields and savedsearches.conf attributes. See the Advanced Event Creation page.

Version 2.0.0

What's new:

  • AME-4 Add UI Theming support
  • AME-59 Improve Search in Event Summary
  • AME-60 Allow sorting columns in event summary
  • AME-177 Backend Filtering Definition + UI Refresh
  • AME-181 Knowledge objects should not be shared globally if not needed
  • AME-194 Verify that the KV Store can be reconstructed from index events
  • AME-201 SPLUNK_BINDIP support
  • AME-204 Validate input validation on all handlers
  • AME-205 Allow custom dashboards to be added to the Reports Menu
  • AME-206 Reporting improvement for Event Analysis
  • AME-210 It should not be possible to set the status to assigned without assigning an assignee
  • AME-216 Create ameenrich transforming command
  • AME-243 Add a link to docs in nav.xml
  • AME-247 Move Multi-Rule License check from Security Pack to the Support License
  • AME-248 Add event summary page for Splunk Mobile app
  • AME-250 Allow the use of template names in savedsearches.conf

Fixed issues:

  • AME-182 Custom status closed is shown open
  • AME-188 Health Overview ame_service_logs data source needs additional criteria
  • AME-232 tag override with multiple tags in savedsearches.conf creates whitespace tags
  • AME-233 notable_fields override in savedsearches.conf should support whitespaces
  • AME-234 Notable fields are not shown when they contain upper-case letters or white-spaces
  • AME-238 Notification modal not loading all alert_actions
  • AME-245 Alerts Action not firing in notifications
  • AME-246 Remove license check from Alert Action Notifications

Known issues:

  • AME-225 Migrating too many AM Incidents exceeds header limits
  • AME-264 Setup page shows "Incomplete Restore KV-Store Data" task when it shouldn't
  • AME-269 Appending of alert does not check for custom closed status
  • AME-270 Searches get killed by Workload Manager if the timerange is All Time
  • AME-271 Search in alert HTML uses all time and wrong context

Version 1.2.6

Fixed issues:

  • AME-192 Timerange is not applied on first fetch
  • AME-215 SHC captain check does not work if cluster uses IPs
  • AME-231 Detecting the SHC Captain does not work reliably in Splunk Cloud Victoria stacks with Search Head Clustering

Version 1.2.5

Fixed issues:

  • AME-188 updated health overview drill down by token
  • AME-189 fixed ame-audit-records behaviour
  • AME-191 fixed path of workflow actions

Known issues:

  • AME-192 Timerange is not applied on first fetch
  • AME-225 Migrating too many AM Incidents exceeds header limits
  • AME-215 SHC captain check does not work if cluster uses IPs (Contact Support for Workaround)
  • AME-231 Detecting the SHC Captain does not work reliably in Splunk Cloud Victoria stacks with Search Head Clustering (Contact Support for Workaround)

Version 1.2.3

What's new:

  • AME-95 added search bar to all tabs in tag manager
  • AME-168 improved loading comments for ack tokens
  • AME-183 Comment preview that displays rendered Markdown
  • AME-184 Comment send on {ctrl}+{enter}, new line on {enter}

Fixed issues:

  • AME-175 updated server.conf and added reload on handler_logging.py
  • AME-179 Rule Manager crashes when trying to enter timerange
  • AME-180 Prevent excessive number of appends to an event
  • AME-182 Custom status closed is shown open
  • AME-185 read_tenantlist_auditreport() returns unexpected keyword error
  • AME-186 Alertqueue Consumer log needs more extensive logging

Version 1.2.2

What's new:

  • AME-42 Rule Manager rules for periodic time frames
  • AME-64 Markdown in comments
  • AME-169 Show message to non-admin users on configuration and setup
  • AME-160 Allow additional overrides in savedsearches.conf
  • AME-165 Improve Supportability
  • AME-167 HEC Acknowledgements are possible now

Fixed issues:

  • AME-146 Priority column is now colored in priority color
  • AME-170 Notable Fields are no longer being ordered
  • AME-171 Error fetching tenant and event information
  • AME-173 handler_abstract throws attribute error in module splunklib.results
  • AME-176 CIM Add-on overrides sourcetype and index for ame:modalert sourcetype
  • AME-179 Rule Manager crashes when trying to enter timerange

Version 1.2.1

Fixed issues:

  • AME-150 fixed e2e and alertqueue problem

Version 1.2.0

What's new:

  • AME-26 Use savedsearches.conf annotations to assign tags
  • AME-27 Allow the creation and presentation of tags that are not managed by tag manager
  • AME-37 Existing Splunk Alert Action can be used as additional channels
  • AME-50 Add CIS v7 (CIS20) Tags to Security Knowledge Pack
  • AME-51 Add CIS v8 Tags to Security Knowledge Pack
  • AME-52 Add NIST Tags to Security Knowledge Pack
  • AME-53 Add CVE Tags to Security Knowledge Pack
  • AME-112 Add Paginator for Notable Fields for once per search trigger is selected
  • AME-128 Support new Slack App based Webhooks
  • AME-129 Add flag to enable/disable notifications for appended events
  • AME-135 Roles should be assignable through intermediate roles

Fixed issues:

  • AME-132 % in title prevents events from being generated
  • AME-136 Once per search events should only be counted as one event in trend indicators
  • AME-141 Template Manager allows upper case custom tag definition
  • AME-142 Tenant Manager UI validation does not allow valid Splunk Cloud HEC Host