Notable Events
Introduction to Notable events
TrackMe provides a feature called “TrackMe Notable events”. When a TrackMe alert is created, a TrackMe alert action is automatically enabled for that alert (called trackme_notable). When the alert is executed and fires alerts for given entities, TrackMe generates a notable event which is stored in the Splunk notable index that is associated with the TrackMe Virtual Tenant.
The notable events contain summary information regarding the entity that was concerned by the alert, as well as the whole properties of that entity. This acts as an instant snapshot of the entity in the state it was when the alert fired. Therefore, using notable events facilitates the understanding and investigation of why TrackMe complained about a given entity and what were the reasons for the alert to trigger.
How TrackMe Notable Events Work
TrackMe notable events are designed to provide valuable information when a TrackMe alert fires an alert for a specific entity. Here’s how the process works:
Alert Creation: When a TrackMe alert is created, a corresponding TrackMe alert action (trackme_notable) is automatically enabled.
Alert Execution: When the TrackMe alert is executed, it evaluates the monitored entities based on the alert’s conditions.
Alert Firing: If the alert’s conditions are met for a given entity, the alert fires for that specific entity.
Notable Event Generation: Once the alert fires, TrackMe generates a notable event for the concerned entity, which is then stored in the associated Splunk notable index. Notable events are JSON formatted events generated by the built-in TrackMe alert action trackme_alert.
Please note that notable events are only created when a TrackMe alert fires an alert for that entity.
Searching Notable Events in Splunk
Notable events can be searched with the following Splunk search:
trackme_notable_idx(mytenant) tenant_id="mytenant" object="myobject"
Replace “mytenant” with the TrackMe Virtual Tenant name, and “myobject” with the entity name.
Reviewing TrackMe Notable Events
You can access Notable events that fired for a given entity in the “Notables” tab of the main entity screen. This view provides the following information:
Overtime Chart: An overtime chart of the notable events, which helps to visualize the frequency and distribution of these events over time.
Table View: A table that displays the entity-related notable events ordered by the latest notable events.
This view provides quick access to the details of each event, making it easier to investigate and understand the reasons behind the alert.
Notable Events: Essential and Valuable Feature
The TrackMe notable event is an essential and valuable feature for understanding and investigating the reasons behind an alert.
It provides a snapshot of the entity’s state when the alert was triggered, making it easier to determine what caused the issue and how to address it.
By leveraging notable events, you can enhance your monitoring and incident response capabilities, ultimately leading to a more efficient and reliable system.