
Ingest alerts from Splunk Enterprise and Splunk Cloud Platform

You can ingest alerts into Incident Intelligence from Splunk Enterprise and Splunk Cloud Platform by using the Splunk Incident Intelligence app.

Before you can ingest alerts from Splunk Enterprise and Splunk Cloud Platform, you must configure Incident Intelligence in Splunk Observability Cloud.

Download and configure the Splunk Incident Intelligence app

  1. Download and install the Splunk Incident Intelligence app from Splunkbase.

  2. Open the app and select Setup Org and Token.
    1. Enter the Realm, Org Id, and SFX Token. For steps to obtain this information, see View your realm, API endpoints, and organization. When obtaining your access token, select either the default token or a token with the INGEST and API scopes from the list of tokens.

    2. Select Send Test Alert. This only verifies the status code of the response from the ingest endpoint; it does not create a test alert in Incident Intelligence.

    3. You can repeat these steps to create multiple entries for additional realms or organizations.

Now you are ready to start sending alerts to Incident Intelligence.

Ingest Splunk Enterprise alerts using saved searches

Create new alerts, or save existing searches as alerts, in Splunk Enterprise so that they are sent to Incident Intelligence.

  1. In Splunk Enterprise, create and run a search.

  2. Select Save As > Alert.

  3. Enter a title and description.

  4. Under Alert type, select Scheduled and indicate how often you want the alert to run.

  5. Under Trigger Conditions, create the conditions for when you want to send the alert.

  6. Under Trigger Actions, select Add Actions > Incident Intelligence.

  7. Under Incident Intelligence, select the following settings:
    1. Select the Severity for the alert.

    2. Enter an Alert Title.

    3. Enter an Alert description. The description can include tokens that insert text based on the results of the search. For more information, see Pass search result values to alert action tokens in the Splunk Enterprise Developing Views and Apps for Splunk Web manual.

    4. (Optional) Select a Realm, Org Id, and SFX Token if you want to use something other than the default configured realm, org ID, and SFX token. These lists populate with the entries added in the configuration step. See Download and configure the Splunk Incident Intelligence app.

    5. (Optional) Select an incident policy in the Service Name field.

  8. Select Save.
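The steps above, written as the savedsearches.conf stanza they produce, as an added example that is not part of this documentation or of the app. The standard Splunk keys (search, cron_schedule, alert_type, alert_comparator, alert_threshold, action.*) are real; the Incident Intelligence action's stanza name and parameter keys are not given on this page, so they appear as placeholders to replace with the names from the app's alert_actions.conf. The search itself is a constructed sample.

```ini
# savedsearches.conf, for example in etc/apps/<your_app>/local/
# Added example, not from the Splunk documentation or the app.
# <II_ACTION_NAME> and <..._PARAM> are placeholders: take the real names
# from the Splunk Incident Intelligence app's alert_actions.conf.

[Failed SSH logins - Incident Intelligence]
# Step 1: the search (constructed sample; adjust index and sourcetype)
search = index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, host | where count > 20
# Step 3: description shown in Splunk
description = More than 20 failed SSH logins from one source within 5 minutes

# Step 4: Scheduled alert, run every 5 minutes over the previous 5 minutes
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m

# Step 5: Trigger condition - fire when the search returns any result rows
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
# One notification per scheduled run instead of one per result row
alert.digest_mode = 1

# Steps 6-7: Trigger action - Incident Intelligence
action.<II_ACTION_NAME> = 1
# Step 7.1: severity sent to Incident Intelligence
action.<II_ACTION_NAME>.param.<SEVERITY_PARAM> = High
# Step 7.2: alert title; $result.<field>$ tokens are filled from the first result row
action.<II_ACTION_NAME>.param.<TITLE_PARAM> = Brute-force SSH attempts on $result.host$
# Step 7.3: description using search result and job tokens
action.<II_ACTION_NAME>.param.<DESCRIPTION_PARAM> = $result.count$ failed logins from $result.src_ip$ to $result.host$ ($job.resultCount$ source/host pairs in total)
# Steps 7.4-7.5 (optional): non-default realm/org/token entry and incident policy
# action.<II_ACTION_NAME>.param.<ORG_PARAM> = <entry name from Setup Org and Token>
# action.<II_ACTION_NAME>.param.<SERVICE_NAME_PARAM> = <incident policy name>
```

After saving the file, restart Splunk or reload the app so the stanza is picked up, then confirm the alert appears under Alerts in Splunk Web with Incident Intelligence listed as its trigger action.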