Welcome to Alert Manager Enterprise

In our last blog post, we wrote about our efforts to bring you a brand-new Alert Manager. We named the app “Alert Manager Enterprise,” short for AME.

It’s still the Alert Manager app that helps you in your everyday business, but “Enterprise” highlights that we are improving everything around the app and its development process to shift it to an enterprise level.

So what’s in it? Let’s start with the two most important features (we will dive into more features in our upcoming blog posts).

Event Summary

Users of the old Alert Manager will immediately notice that we no longer use the term “incident.” There is a lot of debate about what to call something that fires somewhere and needs user attention, and different frameworks use different terms. We decided on a more neutral word than incident. So from now on, a Splunk alert creates an event in AME.

The Event Summary in AME looks similar to the old one. Trend indicators help keep an eye on event priorities. Users can filter for specific events, which are then shown in a table.


The table shows essential information such as the status, the priority, or the assignee. Quick actions can change the status or run a drill-down to the actual events.
Opening an event shows more information, such as the event ID, the duplicate count (for repeating events), or tags. The first tab also shows the most recent results; for duplicate events, previous results are available as well.

AME uses Splunk’s default Workflow Actions to replace the old AM drill-down actions. Besides Search Actions and HTTP GET, AME also supports POST requests. A click on “Available Fields” reveals a list of fields available for tokens!


The History and Comments tabs contain auditing information and record comments.

Alert Configuration

How do Alerts end up in the Event Summary? We wanted to keep the Alert Action configuration UI simple as we plan to add more functionality over time. We decided to only have two settings in the Alert Actions section for AME.

The title and a reference to a template:


This is how the Template Manager looks:

A template can be used by multiple alerts if needed, and if the number of templates gets very high, there’s a nifty search to find your template. A template comprises the standard attributes and settings assigned to an event, such as the impact, urgency, default assignee, or status. Tags can also be set automatically during event creation. The fields shown under the Notable Fields tab (formerly known as display fields) are configured here as well.

In Part II, we will take a look at Tags and Rules. We hope you have enjoyed the new features so far!